To add a layer of access control based on geographic location on top of an existing classification-driven scheme, a company needs tagging and attribute-based access control (ABAC). Tagging attaches attributes such as classification level and hosting region to data and the systems that hold it, while ABAC evaluates those attributes at request time to make the access decision.
Question
A company implements the following access control methodology based on the following data classifications:
| Classification | Access control |
|---|---|
| Confidential | Mandatory |
| Internal | Discretionary |
| Public | Rule-based |
The Chief Information Security Officer (CISO) wants to implement an additional layer of access control based on the geographic location of the underlying system that processes and stores data. The additional layer will be added to the existing access control system. Which of the following components must be implemented to achieve these goals? (Choose two.)
A. Tagging
B. Attribute-based access control
C. Role-based access control
D. Groups
E. Tokenization
F. Digital rights management
Answer
A. Tagging
B. Attribute-based access control
Explanation
To implement the CISO's additional layer of access control, which must consider both the data classification and the geographic location of the system processing or storing the data, two components are needed:
- Tagging – Data is labeled with metadata stating its classification level (confidential, internal, public), and the systems that process or store it carry a tag for their geographic region. The classification tag tells the access control system which existing methodology applies (mandatory for confidential, discretionary for internal, rule-based for public); the region tag is what makes the location of the hosting system visible to a policy at all. Without tags, neither attribute exists for a policy to evaluate.
- Attribute-based access control (ABAC) – ABAC grants or denies access by evaluating attributes of the subject (user), the object (resource), the requested action and the environment against policy. Here the region in which the system processing or storing the data runs is carried as an attribute of the object, and a policy can combine it with the classification attribute, for example "confidential data may only be read when the hosting system is in an approved region". Because ABAC is policy-driven, the new geographic condition can be added without replacing the existing classification-based controls.
The other options are not correct because:
- Role-based access control keys decisions to the roles assigned to a subject. It has no native way to express the data's classification or the hosting system's location; approximating them would require a separate role for every classification and region combination.
- Groups only aggregate subjects for permission assignment, and tokenization replaces sensitive values with surrogate tokens to reduce exposure; it is a data protection technique, not an access decision mechanism. Neither applies a different access control model per classification or per location.
- Digital rights management controls how content may be used after it has been distributed (copying, printing, forwarding). It does not add an attribute-driven decision layer to an existing access control system.
In summary, tagging attaches the classification and geographic attributes to data and the systems that hold it, and attribute-based access control consumes those attributes to make granular decisions that satisfy the CISO's requirements. Together they provide the layered approach without disturbing the existing mandatory, discretionary and rule-based controls.
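The following Python module is an added illustration of how the two layers described above combine; it is not part of the original question or of any vendor's product. It models a tiny policy decision point: the existing layer dispatches on the classification tag to a mandatory, discretionary or rule-based check, and the additional geographic layer checks the region tag of the hosting system against an allowed-region table. The tag names, region identifiers, the region-to-classification mapping and the "publisher" attribute used by the rule-based branch are all assumptions chosen for the example. Untagged data fails closed, which is the caveat a practitioner cares about most when tagging becomes the basis of access decisions.

```python
"""Toy ABAC policy decision point combining data-classification tags with the
geographic region of the system that processes or stores the data.

Added example for the CAS-004 question above, not from any real product.
Tag names, regions, the region policy and the 'publisher' attribute are assumptions.
"""
from dataclasses import dataclass, field

# Lattice used by the mandatory check: a higher level dominates a lower one.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2}

# Assumed geographic policy: regions whose systems may hold each classification.
# None means any region is acceptable.
ALLOWED_REGIONS = {
    "Confidential": {"eu-west-1", "eu-central-1"},
    "Internal": {"eu-west-1", "eu-central-1", "us-east-1"},
    "Public": None,
}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str            # one of LEVELS
    publisher: bool = False   # assumed attribute consumed by the rule-based branch


@dataclass
class Resource:
    # Tags on the data object and on the system hosting it.
    # Expected keys: classification, owner, acl (tuple of users), region.
    tags: dict


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def classification_layer(subject: Subject, resource: Resource, action: str) -> Decision:
    """Existing layer: the classification tag selects the access control model."""
    cls = resource.tags.get("classification")
    if cls not in LEVELS:
        # Untagged or mistagged data fails closed: no tag, no policy, no access.
        return Decision(False, [f"missing or unknown classification tag: {cls!r}"])

    if cls == "Confidential":
        # Mandatory: the subject's clearance must dominate the data label.
        if LEVELS.get(subject.clearance, -1) >= LEVELS[cls]:
            return Decision(True, ["MAC: clearance dominates label"])
        return Decision(False, ["MAC: clearance below Confidential"])

    if cls == "Internal":
        # Discretionary: the owner decides, expressed as an ACL tag.
        owner = resource.tags.get("owner")
        acl = set(resource.tags.get("acl", ()))
        if subject.user == owner or subject.user in acl:
            return Decision(True, ["DAC: subject is owner or on ACL"])
        return Decision(False, ["DAC: subject not on owner ACL"])

    # Public: rule-based. Anyone may read; writes require the publisher attribute.
    if action == "read" or subject.publisher:
        return Decision(True, ["Rule: public read or publisher write"])
    return Decision(False, ["Rule: writes to public data require publisher"])


def geographic_layer(resource: Resource) -> Decision:
    """Additional layer: the hosting system's region must be allowed for the label."""
    cls = resource.tags.get("classification")
    region = resource.tags.get("region")
    if cls not in ALLOWED_REGIONS:
        return Decision(False, [f"GEO: no region policy for label {cls!r}"])
    if region is None:
        return Decision(False, ["GEO: hosting system has no region tag"])
    allowed = ALLOWED_REGIONS[cls]
    if allowed is None or region in allowed:
        return Decision(True, [f"GEO: {region} permitted for {cls}"])
    return Decision(False, [f"GEO: {region} not permitted for {cls}"])


def decide(subject: Subject, resource: Resource, action: str = "read") -> Decision:
    """Deny-overrides combination: both layers must permit the request."""
    layers = [classification_layer(subject, resource, action), geographic_layer(resource)]
    return Decision(all(d.allow for d in layers), [r for d in layers for r in d.reasons])


if __name__ == "__main__":
    # Constructed sample subjects and tagged resources.
    alice = Subject("alice", "Confidential")
    conf_eu = Resource({"classification": "Confidential", "owner": "alice", "region": "eu-west-1"})
    conf_us = Resource({"classification": "Confidential", "owner": "alice", "region": "us-east-1"})
    for res in (conf_eu, conf_us):
        d = decide(alice, res)
        print(res.tags["region"], "allow" if d.allow else "deny", d.reasons)
```

Note that alice, who holds the highest clearance, is still denied the copy of the confidential object hosted in us-east-1: the existing mandatory check passes, but the geographic layer denies and deny overrides. Conversely, a high clearance does not help on Internal data, because that branch is discretionary and honours only the owner's ACL. Swapping the `ALLOWED_REGIONS` table for a tag-based condition in a cloud IAM policy or an OPA rule follows the same shape.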
Practice question and answer for the CompTIA CAS-004 (CASP+) certification exam.