5.5.5 MAC/DAC/RBAC (Page 2 of 2)

Discretionary Access Control (DAC)

DAC uses an access policy that restricts access based on the identity of users and/or groups; DAC is identity-based. Strict DAC does not allow ownership to be transferred, so only the owner of an object ever grants access to it. For example, Bob creates an object (say, a spreadsheet) and grants access to Ted. Ted cannot in turn grant access to Carol. Being discretionary means the owner chooses whether, and how, to control access, i.e., whether to assign permissions and a level of access (read, write, execute) to someone else.

Contrast this with Mandatory Access Control. MAC is the most stringent of these access control models. Unlike DAC, the user has no say in whether information may be copied or shared; the system enforces the policy. In MAC, everything and everybody gets a label, called a sensitivity or classification label. This allows multi-level security policies, that is, the ability to handle different clearance levels on a single system. Labels can be created for levels of trust such as:

And another set of labels such as:

These labels can be combined. For example, a subject labeled User and Sales may be allowed to access objects under another label such as Specifications. Accounting and Power User carry higher authority, and combining labels lets the policy allow only a person holding the Accounting label to print the file labeled Accounts Receivable to the printer labeled Secure Printer. For more information refer to DoD 5200.28-STD [447] (the Orange Book).

__________________
447. http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html
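The DAC and MAC decisions described above, as a worked example. This is illustration code added to this section, not code from the CertiGuide page or the Orange Book. The trust-level ordering (User below Power User), the category names (Sales, Accounting) and the object names (Specifications, Accounts Receivable, Secure Printer) are assumed from the prose example, since the page's own label lists did not survive; the combined-label check uses the standard lattice "dominates" rule (level high enough and all of the object's categories held), which the page does not itself state.

```python
"""DAC versus MAC decision logic, added here as a worked example.

This is illustration code written for this section, not code from the
CertiGuide page. It models the page's two scenarios:

  DAC: Bob owns a spreadsheet and grants Ted read access. Under strict DAC
       (no ownership transfer) Ted, who is not the owner, cannot grant Carol.
  MAC: every subject and object carries a label built from a trust level plus
       a set of category labels. The ordering User < Power User and the
       categories Sales / Accounting are ASSUMED from the page's prose.

The MAC rule used is the standard "dominates" relation of a multi-level
lattice: the subject's level must be at least the object's level AND the
subject's categories must include all of the object's. The page does not
spell this rule out; it is the usual way combined labels are evaluated.
"""
from dataclasses import dataclass


# --------------------------- DAC: the owner decides ------------------------

class DacObject:
    """An object whose access list is controlled only by its owner (strict DAC)."""

    def __init__(self, name: str, owner: str):
        self.name = name
        self.owner = owner                        # ownership never transfers
        self.acl = {owner: {"read", "write"}}     # owner starts with full access

    def grant(self, grantor: str, grantee: str, perms: set) -> None:
        """Only the owner may grant; anyone else is refused (strict DAC)."""
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own {self.name}")
        self.acl.setdefault(grantee, set()).update(perms)

    def allowed(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


# --------------------------- MAC: the labels decide ------------------------

TRUST_LEVELS = {"User": 1, "Power User": 2}       # assumed ordering


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice rule: higher-or-equal level and a superset of categories."""
        return (TRUST_LEVELS[self.level] >= TRUST_LEVELS[other.level]
                and self.categories >= other.categories)


def mac_allowed(subject: Label, obj: Label) -> bool:
    """The subject has no discretion here: the labels alone decide."""
    return subject.dominates(obj)


def mac_print_allowed(subject: Label, file_label: Label, printer: Label) -> bool:
    """Printing touches two labeled objects, the file and the printer, so the
    subject must be cleared for both. Only the clearance check is modelled;
    Bell-LaPadula write-down rules are beyond this page."""
    return mac_allowed(subject, file_label) and mac_allowed(subject, printer)


def demo() -> dict:
    """Run both scenarios and return every decision for inspection."""
    # DAC scenario (names from the page)
    sheet = DacObject("spreadsheet", owner="Bob")
    sheet.grant("Bob", "Ted", {"read"})
    try:
        sheet.grant("Ted", "Carol", {"read"})     # Ted is not the owner
        ted_could_delegate = True
    except PermissionError:
        ted_could_delegate = False

    # MAC scenario (label names assumed from the page's example)
    sales_user = Label("User", frozenset({"Sales"}))
    accounting_power_user = Label("Power User", frozenset({"Accounting"}))
    specifications = Label("User", frozenset({"Sales"}))
    accounts_receivable = Label("Power User", frozenset({"Accounting"}))
    secure_printer = Label("Power User", frozenset({"Accounting"}))

    return {
        "dac_ted_reads_sheet": sheet.allowed("Ted", "read"),
        "dac_ted_could_delegate": ted_could_delegate,
        "dac_carol_reads_sheet": sheet.allowed("Carol", "read"),
        "mac_sales_user_reads_specs": mac_allowed(sales_user, specifications),
        # level is high enough but the Sales category is missing: denied
        "mac_accounting_reads_specs": mac_allowed(accounting_power_user, specifications),
        # category matches nothing and level is too low: denied
        "mac_sales_user_reads_ar": mac_allowed(sales_user, accounts_receivable),
        "mac_accounting_prints_ar": mac_print_allowed(
            accounting_power_user, accounts_receivable, secure_printer),
    }


if __name__ == "__main__":
    for decision, result in demo().items():
        print(f"{decision}: {'allowed' if result else 'denied'}")
```

The two halves show the contrast the text draws: in the DAC half the decision rests on who the owner is and what that owner chose to grant, so Ted's attempt to pass access on fails at the grant, while in the MAC half neither the subject nor the file's creator has any say, and a high trust level (Power User) is still refused Specifications because the category set does not match. That category check is what "combining" labels buys: clearance and need-to-know are enforced together.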
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0 - Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.