Asset Security · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is Mandatory Access Control (MAC). This model is defined by the system’s use of security labels—such as Top Secret, Secret, and Confidential—assigned to objects, and corresponding clearances assigned to subjects, with the operating system or security kernel enforcing all access decisions based on predefined rules; critically, users cannot override or modify these controls, which is the core technical distinction of MAC. On the CISSP exam, this concept tests your understanding of how access control models differ in policy enforcement, and a common trap is confusing MAC with Discretionary Access Control (DAC), where users do have the ability to set permissions. Remember that MAC is “mandatory” because the system, not the user, dictates access—think of it as the “label-based enforcer” where clearance levels and classification labels are non-negotiable. A useful memory tip is to associate MAC with “Military Access Control,” as it mirrors the rigid, hierarchical clearance structures used in government and defense environments.

CISSP Asset Security Practice Question

This CISSP practice question tests your understanding of asset security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Access to classified data is granted based on the user's clearance level and need-to-know. The following policy excerpt applies: 'Classified data shall be stored in approved containers. Access requires signed NDA and manager approval.'

Refer to the exhibit. Which access control model is described?

Correct answer & explanation

Mandatory Access Control (MAC)

The exhibit describes a system where access decisions are based on security labels (e.g., classification levels like Top Secret, Secret, Confidential) and clearances assigned to subjects, with the system enforcing the policy. This is the defining characteristic of Mandatory Access Control (MAC), where the operating system or security kernel centrally controls access based on predefined rules, and users cannot override these controls. The reference to labels and clearances without user discretion confirms MAC as the correct model.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Mandatory Access Control (MAC)

    Why this is correct

    MAC enforces clearance and need-to-know, as described.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Discretionary Access Control (DAC)

    Why it's wrong here

    DAC lets data owners set permissions at their own discretion; it is not clearance-based.

  • Role-Based Access Control (RBAC)

    Why it's wrong here

    RBAC assigns permissions based on job roles, not clearance levels.

  • Attribute-Based Access Control (ABAC)

    Why it's wrong here

    ABAC evaluates multiple attributes but doesn't specifically use clearance levels.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse MAC with RBAC because both involve centralized policy, but MAC is uniquely defined by the use of security labels and clearances, not roles, and the exhibit's mention of 'labels' is the key differentiator that eliminates RBAC.

Detailed technical explanation

How to think about this question

Under the hood, MAC implementations like SELinux or Trusted Solaris use a security kernel to enforce the Bell-LaPadula model, where subjects have a clearance level and objects have a classification label; the system checks the 'no read up, no write down' rule at every access attempt. A subtle behavior is that even if a user has Top Secret clearance, they cannot downgrade a Top Secret document to Secret, as this would violate mandatory integrity controls. In real-world scenarios, MAC is critical in military or government systems where data confidentiality must be enforced regardless of user intent, such as in Multi-Level Security (MLS) databases.
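As an added illustration (not code from the original page or from any of the systems it names), here is a minimal reference monitor in Python that mirrors the paragraph above: labels carry a classification level plus need-to-know compartments, the system alone assigns them, and every read or write is checked against the Bell-LaPadula rules (no read up, no write down). The subject names, object names and compartment names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed linear ordering of classification levels; a higher index is more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: classification level plus need-to-know compartments (categories)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice dominance: level is at least as high AND compartments are a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """Mediates every access; labels are assigned by the system, never by subjects."""

    def __init__(self):
        self.clearances = {}       # subject -> clearance Label
        self.classifications = {}  # object  -> classification Label

    def grant_clearance(self, subject, label):
        self.clearances[subject] = label

    def label_object(self, obj, label):
        self.classifications[obj] = label

    def can_read(self, subject, obj):
        # Simple security property ("no read up"): clearance must dominate classification.
        return self.clearances[subject].dominates(self.classifications[obj])

    def can_write(self, subject, obj):
        # *-property ("no write down"): classification must dominate clearance,
        # so a Top Secret subject cannot write into a Secret object.
        return self.classifications[obj].dominates(self.clearances[subject])

    def relabel(self, subject, obj, new_label):
        # MAC: even a fully cleared subject has no discretion over labels.
        raise PermissionError(f"{subject} may not relabel {obj}; labels are system-assigned")


def build_demo():
    """Constructed sample: one compartmented Top Secret object and one Secret object."""
    rm = ReferenceMonitor()
    rm.label_object("plan.doc", Label("Top Secret", frozenset({"PROJECT_X"})))
    rm.label_object("memo.txt", Label("Secret"))
    rm.grant_clearance("alice", Label("Top Secret", frozenset({"PROJECT_X"})))
    rm.grant_clearance("bob", Label("Secret"))
    rm.grant_clearance("carol", Label("Top Secret"))  # cleared, but no need-to-know
    return rm
```

The need-to-know check is what separates `carol` from `alice`: both hold Top Secret clearance, but only the label that includes the compartment dominates the object's label.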

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this CISSP question test?

This question tests Asset Security. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Mandatory Access Control (MAC) — The exhibit describes a system where access decisions are based on security labels (e.g., classification levels like Top Secret, Secret, Confidential) and clearances assigned to subjects, with the system enforcing the policy. This is the defining characteristic of Mandatory Access Control (MAC), where the operating system or security kernel centrally controls access based on predefined rules, and users cannot override these controls. The reference to labels and clearances without user discretion confirms MAC as the correct model.

What should I do if I get this CISSP question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

Last reviewed: Jun 24, 2026
