Ace the 2025 Certified Governance Risk & Compliance (CGRC) Challenge – Navigate the Governance Maze with Confidence!

The correct choice reflects the principles of Mandatory Access Control (MAC), which is characterized by a strict regulatory framework. In MAC, access to resources is governed by a system of predefined access privileges determined by a central authority, often based on the classification of information and the clearance level of users. This model does not allow users to alter access permissions; instead, users are granted access based on predefined policies that ensure sensitive information is protected according to a rigid set of security criteria.

In contrast, other models such as Discretionary Access Control (DAC) allow users the discretion to set their own access controls, which offers more flexibility but can also introduce vulnerabilities. Role-Based Access Control (RBAC), while having predefined roles, allows user permissions to be associated with roles rather than being strictly predefined for the entirety of the system's objects. Policy Access Control is not a standard access control model and does not pertain to established definitions in the field of information security and access control.

Understanding the nuances of these access control models is essential, as they inform how organizations can effectively secure their data and systems while managing access to sensitive information.