Certified Information Systems Security Professional (CISSP) Practice Exam


What is a characteristic of lattice-based access control?

It allows unfettered access to all data

It establishes upper and lower bounds for access rights

Lattice-based access control is characterized by establishing upper and lower bounds for access rights, which is fundamental to its design. This method organizes permissions into a lattice structure where different levels of security clearances and classifications are defined. Each subject (like a user) in this system has an associated security clearance, while each object (like files or resources) has a specific classification level.

The bounds are essential because they dictate that a user can access a resource only if their clearance level meets or exceeds the classification of that resource (for upper bounds), and similarly, they can only access resources below their clearance (for lower bounds). This structure ensures a controlled and systematic approach to access, minimizing the risks of unauthorized data exposure.

Considering the other options, allowing unfettered access to all data does not fit within the principles of lattice-based access control, as the purpose is to enforce strict access boundaries. Likewise, while user modification of access rights can occur in some access control models, lattice-based systems are typically designed to minimize such flexibility to maintain security. Lastly, reliance on user discretion goes against the lattice principle, which is designed to enforce access rules automatically rather than allowing subjective judgment.


It is easy for users to modify access rights

It relies on user discretion for access control
