CISSP Domain 5 Review / Mind Map (1 of 2) | Access Control Overview

  • Published on 28 Sep 2024

Comments • 67

  • @destcert
    @destcert  3 years ago +3

    We wrote a CISSP guidebook! Check it out here: destcert.com/guidebook/

  • @tendaig7048
    @tendaig7048 4 years ago +12

    RBAC and RuBAC are types of Non-discretionary access control.

    • @tiphotisted
      @tiphotisted 4 years ago

      Yeah, I saw that. Only DAC is discretionary as far as I have seen in other sources. Everything else is non-discretionary.

    • @tulpapainting1718
      @tulpapainting1718 3 years ago +1

      Finally, proof that this guy is human - I was starting to get an inferiority complex when comparing his quality of work. Loving the videos.

    • @jimhunold9975
      @jimhunold9975 7 months ago

      The Destination CISSP book states you should stay away from non-discretionary; that is a contradiction to what I see out there. I see RBAC implemented more than anything.

  • @fernhbowers
    @fernhbowers 2 years ago +1

    I so appreciate the Videos...Such a Blessing. I really feel confident that I will PASS 2022!

    • @destcert
      @destcert  2 years ago

      Glad you find it helpful! All the best to your studies!

  • @RajputSaab84
    @RajputSaab84 3 years ago +2

    Your videos are a gold mine..! Thanks for all your efforts :)

  • @alexboccio6446
    @alexboccio6446 4 years ago +7

    Thank you for the very helpful videos! One thing that may be an error - at ~9:00 you mention RBAC, RuleBAC, and ABAC as discretionary access controls, however the official study guide and other materials I've seen all list these as non-discretionary.

    • @destcert
      @destcert  4 years ago +21

      Hi Alex, Thanks for pointing out something that has become very confusing in regards to the CISSP. It turns out that even the official guide is wrong, and so are many of the other materials that have ‘copied’ the original ‘wrong’ description of ‘non-discretionary’ access control. Here’s the explanation. Discretionary access control is simply defined as ‘the owner decides who can access what they own on behalf of the organization.’ Any system that allows the owner to be accountable for deciding who can access their assets is operating in discretionary mode. So, in role based access, even though we create ‘roles’ or ‘groups’ that a whole bunch of people may be part of, it is still up to the OWNER to decide what the role or group should have as far as permissions are concerned. That, by definition, is the definition of discretionary. And here is where the confusion usually appears. The owner may ‘delegate’ that RESPONSIBILITY to a system administrator to administer the role-based requirements, but the owner still remains ACCOUNTABLE. In Non-discretionary access control, an owner DOES NOT exist, and that’s why we leave it up to the next-best choice, the administrator. Non-discretionary should not exist; we don’t like it because there is no real ACCOUNTABILITY. There should always be an owner that is ACCOUNTABLE. In Role-based access control, there should always be an owner that is ACCOUNTABLE for who has access, and what permissions, the role or group has. Therefore, it is an example of discretionary.
      Hope that clears things up.

    • @estrategiaygestiondecibers1673
      @estrategiaygestiondecibers1673 3 years ago +3

      @destcert Is there an article where I can find this clarification?

    • @krauzo
      @krauzo 3 years ago +5

      @destcert I would really appreciate some source for those claims as this is the only place on the Internet I've found such classification. Thanks in advance!

    • @strcelrau
      @strcelrau 3 years ago

      @destcert I think there is always an owner for the data. In Non-Discretionary there is a General somewhere that decides that this data should be Secret or Top Secret... :)

    • @sdcooper105
      @sdcooper105 3 years ago

      @destcert I too am finding this EXTREMELY confusing considering both The Sybex Edition 8 Official Study Guide and the guys at IT Dojo questions of the day 5:50 (th-cam.com/video/WJWvcYv--OY/w-d-xo.html) contradict this.
      The further detailed explanation you provided here makes it seem as if it's possible to have both Role-Based and Rule-Based Access controls be Discretionary and Non-Discretionary. Even though 'THERE SHOULD' be an accountable owner, it sounds like it's still possible to create roles with permissions that DON'T have an accountable owner. It's confusing because you mention that Accountability is a Service of AC but then mention an AC model that does not have Accountability and "should not exist". If it's an access control model that doesn't meet the fundamental access control model requirements, wouldn't it just not be considered an access control?

  • @thesamenametwice9464
    @thesamenametwice9464 1 year ago

    One thing I wish you'd incorporate into these videos is the acronyms. Many times I am getting asked on Learnzapp questions that have a multitude of acronyms that aren't spelled out, and would have gotten them correct had I known what they initially stood for before attempting the practice tests.

  • @gauravtrivedi80
    @gauravtrivedi80 4 years ago +2

    Thanks so much, really great videos!
    Do you have a link for the remaining domains?
    2 Asset Security
    3 Security Architecture and Engineering
    4 Communication and Network Security
    7 Security Operations
    8 Software Development Security
    ------------------Link already provided----------------------------------
    1 Security and Risk Management
    5 Identity and Access Management (IAM)
    6 Security Assessment and Testing

    • @destcert
      @destcert  4 years ago +2

      Glad you like the videos! I’m working my way through the other domains. Domain 7 is up next.

    • @gauravtrivedi80
      @gauravtrivedi80 4 years ago +1

      @destcert Awesome! Thank you!

  • @NajeebMohammed
    @NajeebMohammed 4 years ago +1

    Great Content and thanks a lot for your efforts.

  • @AlrightIamdone
    @AlrightIamdone 3 years ago +1

    Hi Rob, can you please confirm that ABAC and Rule BAC are also discretionary just like you explained that Role-BAC is?

  • @generalblaster9089
    @generalblaster9089 3 years ago +2

    This is a copy and paste from ISC2 official material: "RBACs are managed by the system owner and represent an implementation of DAC" pag 447

  • @linj551
    @linj551 3 years ago +1

    The Sybex book said that only DAC is discretionary control, and the others, including role-based, rule-based, attribute-based, and MAC, all belong to the nondiscretionary control. Which one should be right?

    • @strcelrau
      @strcelrau 3 years ago

      he answered above

  • @davidchan6012
    @davidchan6012 3 years ago

    Hey, great video. Well organised. Thanks.

  • @tuncery
    @tuncery 3 years ago +3

    10k+ views but only 394 likes... it's not fair..

    • @destcert
      @destcert  3 years ago +1

      I know, right??? 😜

    • @tuncery
      @tuncery 3 years ago +3

      @destcert 2nd rule from ISC2 code of ethics canon: act honestly, justly, etc. Give him a like :) 😂😂

  • @idealadder
    @idealadder 4 years ago +1

    Outstanding videos

    • @destcert
      @destcert  4 years ago

      Thank you so much 😀

  • @yachidan
    @yachidan 9 months ago

    You are awesome ❤

    • @destcert
      @destcert  7 months ago

      You're awesome, too! Thanks for watching! Explore more CISSP resources at destcert.com 🙌

  • @SegInfoBR
    @SegInfoBR 3 years ago +1

    Hi Rob, congratulations on the videos, they were excellent. Please advise when domain 4 will be available?

    • @destcert
      @destcert  3 years ago +2

      Writing domain 4 MindMaps now. Will record likely next week. Should be out before January.

    • @SegInfoBR
      @SegInfoBR 3 years ago

      @destcert Thanks for the return and congratulations again for the materials provided with excellent quality.

  • @pavanareddy6243
    @pavanareddy6243 4 years ago +2

    Please can you upload Domain 3 and Domain 4

    • @destcert
      @destcert  4 years ago +1

      I'm working on them now!

  • @carlr.5222
    @carlr.5222 2 years ago

    RBAC and RUBAC - aren't these NON-Discretionary?

  • @SoFloofeh
    @SoFloofeh 4 years ago +1

    thanks

    • @destcert
      @destcert  4 years ago

      You're welcome!

  • @sattikhurram757
    @sattikhurram757 4 years ago +4

    Where are the CISSP mind maps for domains 3 and 4? Please upload as soon as possible. Thanks

    • @destcert
      @destcert  4 years ago +4

      I am working on Domain 3 now, and domain 4 next.

  • @MS-cs7gt
    @MS-cs7gt 1 year ago

    Role based and rule based ACs are not DAC

  • @mohammadtaufeeq68
    @mohammadtaufeeq68 4 years ago +3

    I wish I could give a million likes for each of your videos...thanks a lot dear.

    • @destcert
      @destcert  4 years ago

      You’re welcome!

  • @ciscosaeen3709
    @ciscosaeen3709 7 months ago

    Question: I believe the iris scanner is considered to be the most accurate and the retina scanner comes second. Can you confirm this, please?

  • @jnc05
    @jnc05 4 years ago +2

    Is there a place to download the finished map for review?

    • @destcert
      @destcert  4 years ago +2

      Not yet. Working on that!

  • @latinlefty17
    @latinlefty17 3 years ago +1

    Awesome content and method of delivery

  • @thenicefamily2078
    @thenicefamily2078 3 years ago +1

    Just tossed a coin to your Witcher (or 2 coffees). Cheers for this.

    • @destcert
      @destcert  3 years ago

      Ha! Love the Witcher reference. Thanks so much for the coffees. Greatly appreciated! All the best in your studies!

  • @vikas53953
    @vikas53953 4 years ago +1

    Really helpful, and many thanks. If possible, could you share for the other domains also?

    • @destcert
      @destcert  4 years ago

      Yup! I am working through the other domains. Domain 8 is up next, then 2, 3, and 4.

    • @vikas53953
      @vikas53953 4 years ago

      Many thanks and appreciated

  • @sunny308616
    @sunny308616 2 years ago

    Hey Rob, The videos are awesome, however I think the concept of Least Privilege and Need to know are opposite to what you have mentioned. Least Privilege = Mapped to user (subject). What minimum access is required to perform the job and Need to Know = mapped to object. Whether a particular object is accessible to a subject or not.

  • @uroojbaig5598
    @uroojbaig5598 2 years ago

    Absolutely the best and smooth explanations given for the CISSP domains. Thank you Rob and Team!

  • @MrSadav82
    @MrSadav82 3 years ago

    Attribute / Context or Content? I guess it's a mistake, supposed to be Context

  • @ANTZGTR
    @ANTZGTR 4 years ago +1

    Great video

  • @jesse8117
    @jesse8117 3 years ago +1

    Do you have domain 4?

    • @destcert
      @destcert  3 years ago +1

      Just uploaded the first of 4 Domain 4 videos. The remainder will be up in the next 2-3 weeks. All the best in your studies!

    • @jesse8117
      @jesse8117 3 years ago

      @destcert Thank you!!! I love your videos!

  • @bbizzle6901
    @bbizzle6901 3 years ago

    Hey Rob, am I correct that you don't have any mind map videos of domain 4?

    • @destcert
      @destcert  3 years ago +1

      Just uploaded the first of 4 Domain 4 videos. The remainder will be up in the next 2-3 weeks. All the best in your studies!

    • @bbizzle6901
      @bbizzle6901 3 years ago +2

      @destcert Thanks Rob. I had my exam on the 31st and passed at 100 questions. Your videos were helpful for getting me back into the flow of studying all the concepts