Enhance your CompTIA CASP+ exam readiness with our comprehensive quizzes. Sharpen your skills with detailed flashcards and multiple choice questions, each with hints and in-depth explanations. Prepare effectively for this challenging exam!


What security model can be deployed to prevent breaches similar to a past incident at a government agency?

  1. A DAC with user access controls

  2. A MAC enforcing no write-down and no read-up

  3. An RBAC with strict user roles

  4. A hybrid approach using MAC and DAC

The correct answer is: A MAC enforcing no write-down and no read-up

The chosen answer signifies the use of Mandatory Access Control (MAC) as an effective means of preventing unauthorized information flow, particularly the "no write down" and "no read up" principles. This model is designed to safeguard sensitive data by strictly regulating how information can be shared and accessed based on users' security clearances. With MAC, every user receives a specific label corresponding to their clearance level, and all data is also labeled with its sensitivity level.

The "no write down" principle ensures that high-level users cannot inadvertently disclose confidential information to lower-level users, thereby protecting sensitive data from being exposed. Conversely, the "no read up" principle prevents users from accessing information categorized at a higher sensitivity level than their clearance allows. This dual approach reinforces the protection of critical data within the agency, mitigating the risk of breaches tied to insider threats or accidental information leaks.

While other access control models, such as Discretionary Access Control (DAC) or Role-Based Access Control (RBAC), offer varying levels of user access management, they lack the stringent parameters of MAC that prevent unauthorized interactions with data across different clearance levels. Therefore, the implementation of MAC with its specific principles directly addresses vulnerabilities that may have led to past incidents, ensuring a robust framework for safeguarding