CISSP Cyber Training Podcast - CISSP Training Program

CCT 289: Practice CISSP Questions - Role Based, Mandatory, Discretionary and ABAC (Domain 5)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 289


Quantum isn’t a distant sci‑fi threat—it's shaping security decisions right now. We open with what NIST’s new post‑quantum FIPS 203/204/205 actually mean for your crypto roadmap, why “harvest now, decrypt later” raises the stakes for long‑lived data, and how the 2035 federal mandate will ripple through contractors, audits, and CMMC. Then we get practical, translating policy pressure into the access decisions you make every day and the concepts you’ll see on the CISSP exam.

We break down mandatory access control (labels, clearance, strict need‑to‑know), discretionary access control (owner grants, permission creep), role‑based access control (job functions, least privilege at scale), attribute‑based access control (context, dynamic conditions), and rule‑based control (fine‑grained logic and exceptions). Along the way, we highlight the keywords that unlock tricky multiple‑choice items—“classification,” “owner,” “job role,” “attributes,” “rules”—so you can map questions to the correct model fast. More importantly, we explain how to combine models without creating chaos: use RBAC for baseline entitlements, layer ABAC for context and risk signals, lean on rule-based policies for surgical exceptions, and reserve MAC for highly classified domains where enforcement must be absolute.
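As an added illustration of the layering described above (example code written for this page, not from the podcast or its author), the small policy engine below evaluates one access request through MAC first, then rule-based denies, then an RBAC or DAC entitlement, and finally an ABAC context check; all levels, roles, users, labels and rules are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample data: clearance/classification levels, roles, users and rules.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC baseline: role -> (resource type, action) entitlements tied to job function.
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "finance": {("report", "read"), ("ledger", "read"), ("ledger", "write")},
}

# Rule-based layer: narrow, explicit exceptions that override any entitlement.
DENY_RULES = [
    ("contractors never write",
     lambda s, r, a, c: s.attrs.get("employment") == "contractor" and a == "write"),
]

@dataclass
class Subject:
    user: str
    roles: set
    clearance: str                                 # MAC clearance label
    attrs: dict = field(default_factory=dict)      # ABAC attributes (employment, dept, ...)

@dataclass
class Resource:
    name: str
    rtype: str
    classification: str                            # MAC label on the object
    owner: str
    dac_grants: dict = field(default_factory=dict) # DAC: user -> actions the owner granted

def decide(subj, res, action, ctx):
    """Return (allowed, reason); MAC is absolute, rules deny before entitlements, ABAC gates writes."""
    # 1. MAC: the subject's clearance must dominate the object's classification; no override.
    if LEVELS[subj.clearance] < LEVELS[res.classification]:
        return False, "MAC: clearance below classification"
    # 2. Rule-based exceptions: surgical denies evaluated before any entitlement.
    for name, pred in DENY_RULES:
        if pred(subj, res, action, ctx):
            return False, f"rule: {name}"
    # 3. Baseline entitlement: an RBAC role grant, or an owner/DAC grant on the object.
    rbac = any((res.rtype, action) in ROLE_PERMS.get(r, set()) for r in subj.roles)
    dac = subj.user == res.owner or action in res.dac_grants.get(subj.user, set())
    if not (rbac or dac):
        return False, "no RBAC entitlement or DAC grant"
    # 4. ABAC: context signals (network, time of day) gate write actions.
    on_corp_hours = ctx.get("network") == "corp" and 8 <= ctx.get("hour", 0) < 18
    if action == "write" and not on_corp_hours:
        return False, "ABAC: write outside corporate network or business hours"
    return True, "allowed via " + ("RBAC" if rbac else "DAC")

# Constructed sample subjects and object (hypothetical users, not from the page).
LEDGER = Resource("q3-ledger", "ledger", "confidential", owner="bob", dac_grants={"erin": {"read"}})
ALICE = Subject("alice", {"finance"}, "confidential", {"employment": "employee"})
CAROL = Subject("carol", {"finance"}, "secret", {"employment": "contractor"})
DAVE = Subject("dave", {"analyst"}, "internal")
ERIN = Subject("erin", set(), "secret")
```

Calling `decide(ALICE, LEDGER, "write", {"network": "corp", "hour": 10})` allows via RBAC, while the same request from a VPN at hour 22 is refused by the ABAC layer even though the role entitlement still holds.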

If attackers are stockpiling ciphertext for a quantum tomorrow, the answer is a two‑track plan: crypto agility to adopt quantum‑resistant algorithms and disciplined access governance to limit blast radius today. We share actionable cues for exam success, practical design tips for avoiding privilege escalation, and a reminder that good security is repeatable security—clear roles, auditable policies, and continuous review.

Subscribe for weekly CISSP prep you can use on the job, share this with a teammate who’s wrangling access models, and leave a review to help others find the show. Your support also fuels our charity‑funded training that gives back while you level up.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

SPEAKER_00:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber, and I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

SPEAKER_01:

Hey, I'm Shon Gerber with CISSP Cyber Training, and hope you all are having a blessed day today. Today is the awesome day that we follow up every single Thursday from the Mondays. And then what is that? Yes, it's CISSP Question Thursday. So today we're gonna be getting into CISSP questions related to the podcast that occurred on Monday, which is discretionary access controls, attributed access controls, mandatory access controls. So yes, set your Tesla on autopilot and let's go. But before we do, before we do, we wanted to get into I saw an article that just came out that's relatable to what you deal with the CISSP, and that's something that you should know as it relates to the quantum computing capabilities that are on the precipice. They're there, they're almost there, and they're not, but they're not quite. And so the uh US government came out with a NIST standard for encryption standards that are specifically going to be focused on quantum computing. And these are the FIPS standards of 203, 204, and 205. Now, if you go to TechRepublic, there's a really good article in there about what are the new standards that are coming out. Now, if you've talked about encryption with the CISSP, you know that the FIPS standards for 140 and so forth deal with great encryption as it relates to what you're using with mobile devices and any sort of hardware type activities. But as the FIPS 140-1, 2, and 3, uh they give you different standards around encryption. But as we all know, the quantum is coming, it is actually going to be really quickly blow that out of the water once that does come to a head at that point. So NIST, working with various other agencies in the United States government, came up with a standard to deal with quantum computing. And this is the FIPS 203, 204, and 205. Now, the purpose of this is the fact is that today's RSA isn't actually going to be able to compete, right, with what's going to happen with the quantum computing. And we know that.
We've been talking about this for years, and I know it's been slowly coming to a head, but we all also understand that within the next five years, quantum computing is going to be much more attainable for businesses to be able to utilize it in a way that's helpful. Well, if it's going to be available for businesses, it will also be available for the bad guys and girls to help themselves with our data. And so the standard was to come out to kind of one, get ahead of that. So it gives you time to be able to get in place. And I know the U.S. government has already said that they have are going to require all US government agencies to be at these standards by 2035. So what's that roughly about nine years, I guess? Yeah, about nine years, that they're going to have to be in that position where they'll be qualified, they'll be audible to make the move to the new FIPS standards. The other part that is interesting is this design to help offset this what they call harvest now decrypt later capability, where they would go in, attackers would go in and they would just hoover, they would take the vacuum cleaner and suck up all of these wonderful passwords and all this encrypted data, and then decrypt it later once they have the ability to throw it through the quantum machine. Now, that I will tell you that people have said, wow, yeah, that's not going to happen. I've heard people say, yes, it's definitely going to happen. I'll give you an example of where you can kind of think about that as I know the NSA has developed, uh, they've got big, humongous warehouses that have got gobs and gobs of computing power that are more or less storage capabilities out east or out west. And that's that's the everybody knows about it. They all know it exists. I don't actually know where they are out west, but they have done it. Well, you can assume that if the US government is doing something like this, well, what are what is Russia doing? What is China doing? What are other countries doing?
So, yes, the harvest now crack later is definitely a factor. Um, it'd be interesting just to see how much of an input that, how much of a change or factor that's going to add into these different countries' plans in the future. So, again, the US federal government has mandated adoption of these standards by 2035 for federal entities, business working with the government, and they'll need to know and they'll need to follow suit. Now, so if you are uh working on your CISSP, obviously you are in a position where you are one, have to do it because you want to, or two, you might be, I got a lot of people that listen to this podcast that are folks that know they they have to do it, they're mandatory mandatory, that they have to have it done. Uh so therefore, just to kind of help keep their skills up, if you work with the government, you're gonna be dealing with CMMC. Now, CMMC is that is the cybersecurity maturity maturation certification, something like that. But basically, if you work with the federal government, you have to meet a CMMC standard. Well, it's gonna be forcing you to do this crypto for this specific standard to meet this by 2035. So if you're a business working with the federal government, yeah, you're gonna have to deal with it. So if you're looking listen to the CISSP, you got this something you're gonna have to focus on. You got nine years, giddy up, you got time. But the ultimate goal is that they want to make these systems much more secure for the event that there's going to be uh individuals trying to steal this data. Okay, so let's get started. Let's roll into the questions for this week. Okay, you can get all these questions at CISSP Cybertraining.com. Uh, again, you sign up for my program and you'll be able to get access to all of these questions, ones that I've had that we've been creating over the years, as well as the ones that are the most current. So again, go to CISSP Cybertraining.com, sign up with me.
You can actually get a lot of my free questions, but these questions are part of the paid product that we have. But again, like I've mentioned multiple times on the podcast, the paid product is all going to charity. None of this is coming back to me, and so therefore, hey, you have a reason to spend the money. There's definitely a reason to spend the money. Help people, right? That's what you want. Okay, question one. Which access control model is primarily based on need to know principle and is often used in government and military environments? Now, as we go through these questions, you're gonna go, Why you said that once before in a different way. You're right. The ultimate goal is we're focusing on the different types of controls, and we want to get it through your head to kind of understand so that when you see this on the exam, it makes more sense. Now, again, these questions, as I'm kind of backtracking backtracking just a little bit, these questions are not questions that are being pulled specifically from the CISSP. Now, could you see some of these in a different form? It's possible, yeah. But these are questions that kind of help get your brain juices thinking as so that when you do see the question that comes up on the exam, you're like, ah, I've heard of that before. May not be exactly the same, but I've heard of it. So, question one, again, which access control model is primarily based on a need-to-know principle and is often used in government and military environments? A rule-based access controls. B, role-based access controls, C, discretionary access controls, or D mandatory access controls. Okay, we talked about the US government, one to remember about, and that is mandatory access controls. It is D. Mandatory access controls are characterized by the need-to-know principle. You'll need to know that. Haha. Quotes, pun, whatever you want to call it. You'll need to know that. 
And this is where access is determined by security labels assigned to subjects and to objects. Okay, this is mostly used in very highly secure environments. But it can be used outside of the US government. It's just that's typically where it is being used. Question two. A security administrator wants to implement an access control model that is dynamically assigns permissions based on the user's attributes, such as job title, department, location, etc. Which model would be chosen? A discretionary access controls, B attribute attribute access controls, C role-based access controls, or D rule-based access controls. Okay, so if you listen to the question and it comes back to a key topic, attribute, such as job title, it would be B. Attribute attribute, see, I can't say ten dollar words. Attribute-based access controls. And then these are designed specifically to grant or deny access based on the various attributes associated with the user, the resources, and the environment. Question three, which access control model is most susceptible to the propagation of excessive permissions due to the ability of the user to grant access to others. So this is granting access to other people, and we're talking excessive permissions, the propagation of excessive permissions. A rule-based access. C or B role-based access controls. C discretionary access controls or D mandatory access controls. Users granting access, and that would be discretionary access controls. We talked about it as one of the pros and the or one of the cons around it is the fact that somebody can actually grant access to others, leading to potential permission creep and security, additional security risks. Question four. A company wants to implement an access control model that defines access based on job function and responsibilities. Which model would be most suitable? Okay, a company wants to implement an access control model that defines access based on job function and responsibilities. A rule-based. 
B role-based. C discretionary access or D mandatory access controls. Again, this is defining it based on job functions and responsibilities. And the answer is B, role-based, right? Role-based access controls, this aligns with the job roles, making it more efficient and managing access to your organization. Question five, which access control model is typically enforced by the operating system and is least flexible in terms of granting exceptions? Again, operating system and least flexible in granting exceptions. A mandatory access controls. B discretionary access controls. D or C role-based access controls, and D rule-based access controls. And the answer is A. Mandatory access controls. Because these are strictly enforced by the system and do not allow for easy overrides or exceptions. Because again, that's it comes down to the mandatory piece of this. Similar to what we use in the government, but it's very strict, it's very specific, very to the point. Question six A security policy states that access to sensitive data should be granted based on classification level and the data and of the data, classification and level of the data and the clearance level of the user. Which access control model is most appropriate? Okay, clearance levels and classification levels. Okay, what does that sound like? Hmm, ding, ding, ding. Military maybe. A discretionary access control. B mandatory access control. C, role-based access control, or D rule-based access controls? And the answer is B. Right. You are correct. Mandatory access controls. This aligns with classification clearance levels. So again, you hear those keywords, that would be what it is. Question seven: a company wants to implement access control model that allows for fine-grained controls over accesses access based on specific conditions and rules. Which model would be the most suitable in this situation? Okay, so rules, specific fine-grained, hmm, key terms. A attribute-based controls. 
B discretionary access controls. C Rule-based access controls, or D rule-based access controls. And you got it right. You know, conditions, rules, ah, it's D rule-based access controls. They provide granular control through definition of specific rules and conditions for access. Question eight. Which access control model is best suited for dynamic environments where permissions need to be adjusted frequently based on the changing conditions?

A. Attribute-based. B role-based. C. Rule-based or D mandatory. Again, access control model best suited for dynamic environments where permissions need to be adjusted frequently based on changing conditions. And that would be A. Attribute-based. These control adapt to changes in users' attributes or environmental conditions, making it much more flexible for dynamic environments. They are a little bit more challenging though to implement, so keep that in mind. Question 9. Which access control model is often used in conjunction with other models to provide additional layers of security? A. Attribute-based controls. B discretionary access controls. C rule-based. D. Role-based. Again, which access control model is often used in conjunction with other models to provide additional layers of security? And the answer is A. Attribute-based controls. These can complement other models by adding dynamic or context-aware access control mechanisms. Again, the attribute-based is a good addition to many of these controls. Question 10. Which administrative security administrator wants to implement an access control model that minimizes the risk of privilege escalation? So again, we talk about this is taking the privileges and escalating their ability to go beyond where they're at. So which access control model minimizes the risk of privilege escalation? And which model would be most effective in this? A. Rule. B role. C mandatory or D discretionary. Okay, again, which one is it? It is C, mandatory access controls. Again, these are based on labels reducing the likelihood of users gaining unauthorized privileges. Question 11. Which access control model is most susceptible to the propagation of excessive permissions due to the ability of users granting access to others? So now if you're watching this video or you are listening, I guess listening, but more of you're watching this, uh at CISSP Cyber Training, you will want to go into acronyms. So I'm just changing it up just a little bit.
All right, so RBAC, which could be role-based. Um you'll have to see how that plays out. Could be rule, you gotta, but most cases RBAC, the R B A C is based on role-based. So RBAC, DAC, which is discretionary access controls, MAC, or ABAC, which is attribute-based access controls. And again, most susceptible to propagation of excessive permissions due to the ability of users to grant access to others, it is B DAC, right? Discretionary access controls is where they have the power to grant access to other individuals. Question 12. A company wants to implement access control model that provides a fine grain control over access based on specific conditions and rules. Which model would be most suitable? So a company wants to implement access control model that provides fine grain control over access based on specific conditions and rules. Okay, so this is where the RBAC can get out. Is it RBAC or is it rule based? What is it? Uh all right. Response A, RBAC, B, DAC, C, MAC, or D. RBAC. Which one is it? But if you spell it out rule-based, then it is rule-based access controls, right? So if you want to make sure that if you look through this, don't bite off on RBAC, make sure that you understand that it could it be rule or could it be RBAC, which is role-based. And that's rule-based, right? So rule-based controls, the correct answer around this is because they have specific rules and conditions to govern access. Question 13. Which access control model is typically enforced by the operating system and is flexible, least flexible in terms of granting exceptions? Okay, we talked about this a little bit ago, but now we've got an acronym. ABAC, MAC, DAC, or RBAC? What is it? Oh, it is B MAC, right? Mandatory access controls. Those are the ones that we talked about. They're strictly adhered to security labels, making it very difficult. 
Question 14 Which access control model is best suited for environments with high degree of dynamic changes in their users' roles and responsibilities. A, RBAC, B, ABAC, C, MAC, or D, DAC. Okay, so which one is it? Roles and responsibilities? It is RBAC, role-based access controls. Again, they're designed for permissions based on job functions. So that's the one to think about. Last question. The last melon. Last question 15. The company wants to implement an access control model that provides a strong foundation for protecting classified information and enforcing the principle of least privilege. Which model would be most appropriate? A, ABAC, B, MAC, C, DAC, and D RBAC. And the answer is MAC, right? Mandatory access controls is tied to the government, which allows you to have the enforcing of least privilege is the ultimate goal. Again, a lot of these you go over again. You're like, well, these are over and over and over again. That's the point. We want you to go over them over and over and over so that when you see them on the test, you understand or you at least feel much more confident in your answer for the quick for the test. Again, the ultimate goal of CISSP cyber training is to give you that leg up to help you with the exam. It's not to help you, not to help you pass the exam through just giving you the answers. No, it's to help you change your mindset and help you be able to understand the questions they're asking so that you can regurgitate them in a way that you are actually going to pass it and understand what you're actually putting down. And that's the goal, right? The ultimate goal of CISSP Cyber Training is to give you that leg up. It's also going to be the fact that you'll learn with the CISSP. I utilize this knowledge on a daily basis. And so you better learn it because you know what? You're going to deal with it on a daily basis. All right, enough about that. But you guys have a wonderful day. Go to CISSP Cyber Training again. 
See what I got out there for you. Again, all purchases are made, are going to charity. Nothing comes back to me. I'm kind of driving that home because the fact is, I want to grow our charity so that we can give out to adoptive families and be able to have money for them. All right, have a wonderful day, and we will catch you guys all on the flip side. See ya.