In which of the following mechanisms does an authority, within limitations, specify what objects can
be accessed by a subject?
A. Role-Based Access Control
B. Discretionary Access Control
C. Task-based Access Control
D. Mandatory Access Control
Explanation:
In discretionary access control, an authority, within limitations, specifies what objects can be
accessed by a subject.
Answer option D is incorrect. In mandatory access control, a subject’s access to an object is
dependent on labels.
Answer option A is incorrect. In role-based access control, a central authority determines which
individuals can have access to which objects based on the individual’s role or title in the
organization.
Answer option C is incorrect. Task-based access control is similar to role-based access control,
but the controls are based on the subject’s responsibilities and duties.
CISM Review Manual 2010, Contents. “Information Security Governance”