5.2 Protecting Applications and Data: Managerial Controls and Access Controls
Data states, regulatory classification (PII/PHI/PCI), access control models (RBAC/RuBAC/DAC/MAC), Bell-LaPadula, and Linux chmod.
• Match each data type to its governing law: PII → Privacy Act of 1974 (COPPA for under-13); PHI → HIPAA 1996; PCI → PCI-DSS
• Distinguish the three data states and what each requires: at rest (encryption + physical security), in transit (encryption), in use (must be decrypted; use access controls)
• Identify the correct access control model from a scenario: RBAC (role assignment), RuBAC (rule on top of another model), DAC (owner sets permissions), MAC/Bell-LaPadula (external administrator + clearance levels)
• Apply Bell-LaPadula WURD: Write Up, Read Down. Know both properties: Simple Security = no read up; *-Property = no write down
• Calculate chmod numeric values: 4=read, 2=write, 1=execute. Decode permission strings like -rwxr-x---. Write symbolic chmod commands using u/g/o/a and +/-
• Apply principle of least privilege: entities get exactly what their function requires — nothing more
Topic 5.2 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 5.2.A.1 | Organizations implement security controls based on the legal requirements for data they collect, store, process, and transmit | Section 2 — Regulatory Framework |
| 5.2.A.2 | Data states: at rest (stored, protect drive + encrypt), in transit (transmitted, encrypt + protect media), in use (being processed, must be decrypted, use access controls) | Section 2 — Data States |
| 5.2.A.3 | Organizations categorize data by sensitivity and apply stronger security to more sensitive data | Section 2 — Classification |
| 5.2.A.4 | Laws require specific rules for storing, transmitting, and handling regulated data types (PII/Privacy Act; PHI/HIPAA; PCI/PCI-DSS; children under 13/COPPA) | Section 2 — Regulated Types |
| 5.2.A.5 | Organizations label regulated data and have policies to comply with legal requirements | Section 2 — Labeling |
| 5.2.B.1 | Cryptography policy: approved algorithms, key lengths, key generation/storage requirements | Section 3 — Managerial Controls |
| 5.2.B.2 | Web application security policy: assessment parameters, remediation timelines, assessment frameworks/tools | Section 3 — Managerial Controls |
| 5.2.C.1 | Access control: which subjects (users/apps) can perform which operations (read/write/execute/delete) on which objects (files/apps) | Section 4 — Access Control Models |
| 5.2.C.2 | RBAC: subjects assigned to roles; roles define access to objects | Section 4 — RBAC |
| 5.2.C.3 | RuBAC: rule set checks each access request; typically layered on top of another model | Section 4 — RuBAC |
| 5.2.C.4 | DAC: object owner controls access permissions; admins can override | Section 4 — DAC |
| 5.2.C.5 | MAC: external administrator assigns subject and object levels; strict rules govern cross-level access | Section 4 — MAC |
| 5.2.C.6 | Bell-LaPadula MAC: Simple Security = no read up; *-Property = no write down. WURD = Write Up Read Down | Section 4 — Bell-LaPadula |
| 5.2.C.7 | Principle of least privilege: entities get exactly the access needed for their function and no more | Section 4 — Least Privilege |
| 5.2.D.1–7 | Linux permissions: rwx for owner/group/others; chmod numeric (4=r,2=w,1=x) and symbolic (u/g/o/a, +/-); ls -l to view; getfacl for extended ACLs | Section 5 — Linux Permissions |
Answer independently. No notes.
- A hospital stores patient test results and treatment records. What data type is this, and which law governs it? What data state is it in when a doctor is currently viewing and editing a record?
- An organization assigns employees to roles: "Accountant" (access to payroll system), "Developer" (access to code repository), "HR Manager" (access to personnel files). No individual employee sets their own permissions. What access control model is this, and what is the key characteristic that identifies it?
- A Linux administrator runs chmod 640 salary.csv. What permissions does the owner have? What can the group do? What can others do?
Q1: PHI (Protected Health Information). Governed by HIPAA (1996). When the doctor is viewing and editing, the record is data in use — it must be decrypted to be processed, and access controls determine who can read/edit it.
Q2: Role-Based Access Control (RBAC). The key identifier: access flows from role assignment by an administrator, not from individual permission-setting or ownership. No employee controls their own access.
Q3: Owner: 6=4+2=read+write. Group: 4=read only. Others: 0=no permissions. The file is readable and writable by the owner, readable by the group, and completely inaccessible to others.
In This Lesson
1 5.2.1 — Learning Objectives
- Explain how data state (at rest, in transit, in use) and classification (PII/PHI/PCI) determine the type and degree of security required (5.2.A)
- Identify the two managerial controls that govern application and data security: cryptography policy and web application security policy (5.2.B)
- Select the appropriate access control model for a given scenario: RBAC, RuBAC, DAC, or MAC (5.2.C)
- Apply Bell-LaPadula properties (WURD) and the principle of least privilege (5.2.C)
- Read, write, and interpret Linux file permission strings and chmod commands in both numeric and symbolic forms (5.2.D)
- Data at rest
- Data stored on a drive or device. Encrypted at rest so theft alone cannot expose it.
- Data in transit
- Data being transmitted between devices. Encrypted in transit to prevent interception.
- Data in use
- Data being actively processed. Must be unencrypted; protected by access controls.
- PII
- Personally Identifiable Information. Governed by the Privacy Act of 1974; COPPA for under-13.
- PHI
- Protected Health Information. Governed by HIPAA (1996).
- PCI
- Payment Card Industry data (card numbers, CVV, expiration). Governed by PCI-DSS.
- RBAC
- Role-Based Access Control. Access flows from role assignment; subjects get the permissions of their role.
- RuBAC
- Rule-Based Access Control. A rule set evaluates each request; typically layered on top of RBAC or MAC.
- DAC
- Discretionary Access Control. Object owner sets permissions; admins can override.
- MAC
- Mandatory Access Control. External administrator assigns clearance levels; subjects cannot change access rules.
- Bell-LaPadula
- MAC model for government/military: WURD — Write Up, Read Down. No reading above your level; no writing below.
- Least privilege
- Entities receive exactly the access needed for their function — nothing more.
2 5.2.2 — Data States and Classification (5.2.A)
Security controls must be calibrated to where data is in its lifecycle. The same data needs different protections depending on whether it is sitting on a drive, being sent over a network, or being actively processed.
| State | Description | Primary Threats | Primary Controls |
|---|---|---|---|
| At Rest | Stored on a drive, server, or device | Physical theft of the device/drive; unauthorized local access | Encryption of the stored data; physical security of the drive |
| In Transit | Being transmitted across a network or via physical media | Interception by a network adversary; physical interception of cables/drives | Encryption during transmission (TLS, VPN); physical cable security |
| In Use | Being actively processed by software or a person | Unauthorized access to the application or the user's session | Access controls (who can read/edit); must be decrypted first |
Data in use CANNOT be encrypted while being processed — encryption must be reversed first. This means the protection for data in use is access controls, not encryption. The exam tests this distinction explicitly.
Regulated Data Classifications and Governing Laws
Organizations that handle certain categories of data are legally required to protect them according to specific rules. Knowing the three main regulated types and their laws is high-frequency AP Cybersecurity exam content.
| Type | What It Includes | Governing Law | Special Rule |
|---|---|---|---|
| PII | Name, SSN, address, DOB, email, phone, biometrics, signature | Privacy Act of 1974 | COPPA for children under 13 |
| PHI | Test results, treatment records, hospital records, doctor notes, health payment records | HIPAA (1996) | Covers any health information at any time |
| PCI | Card number, cardholder name, expiration date, address, CVV code | PCI-DSS standard | Applies to any organization processing card payments |
3 5.2.3 — Managerial Controls (5.2.B)
Managerial controls are documented policies that define how an organization handles security decisions. Two types are tested on the AP exam.
Cryptography policy (5.2.B.1) defines:
- A list of approved encryption algorithms for specific use cases
- Minimum and maximum key lengths for each algorithm
- Key generation parameters and storage requirements
- Key rotation and revocation procedures
Web application security policy (5.2.B.2) defines:
- Criteria for when an application requires a security assessment before deployment
- Timelines for remediating discovered vulnerabilities based on risk level (e.g., critical = 24 hours, high = 72 hours)
- Specification of which tools or frameworks to use for security assessments
If an exam question asks about organizational policies that govern encryption algorithm selection or vulnerability remediation timelines, that's 5.2.B. If it asks about individual file permissions or user clearance levels, that's 5.2.C or 5.2.D.
4 5.2.4 — Access Control Models (5.2.C)
Access control determines which subjects (users, applications) can perform which operations (read, write, execute, delete) on which objects (files, applications, data). Four models appear on the AP exam.
| Model | Who Controls Access | Key Identifier | CED Example |
|---|---|---|---|
| RBAC | Administrator assigns roles; roles define permissions | Access flows from role, not from individual or ownership | Only "Accountants" can access payroll software |
| RuBAC | Automated rule set evaluates each request | Layered on top of another model; adds conditional rules | No one can access the database between 10 PM and 6 AM, even authorized users |
| DAC | Object owner sets permissions for other subjects | Owner-controlled; admin can override | Bob creates a file and gives Alice read/write, Frank read-only, blocks everyone else |
| MAC | External administrator assigns clearance levels | Neither owner nor user controls access; external authority only | Government database with Unclassified/Confidential/Secret/Top Secret levels |
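The table's key identifiers become concrete when the two layered models are written out. The following is an added example (not code from the lesson or the CED): a constructed RBAC policy using the pre-check's roles, with the CED's "no database access between 10 PM and 6 AM" rule evaluated as a RuBAC layer on top of the RBAC decision. The role table, user assignments, and the choice of which objects count as databases are all assumptions made for the example.

```python
"""RBAC with a RuBAC rule layered on top.

Constructed example (not from the lesson): a small RBAC policy modelled on the
pre-check scenario (Accountant / Developer / HR Manager), with the CED's
"no database access between 10 PM and 6 AM" rule evaluated on top of it.
"""
from datetime import time

# Constructed role -> object -> allowed operations table (hypothetical organisation).
ROLE_PERMISSIONS = {
    "Accountant": {"payroll": {"read", "write"}},
    "Developer": {"code-repo": {"read", "write"}},
    "HR Manager": {"personnel-files": {"read", "write"}},
}

# Constructed user -> roles assignment. Set by an administrator, never by the user.
USER_ROLES = {
    "alice": {"Accountant"},
    "bob": {"Developer"},
    "carol": {"HR Manager", "Developer"},
}

# Objects the time-of-day rule applies to (assumption: payroll and personnel
# files live in a database; the code repository does not).
DATABASE_OBJECTS = {"payroll", "personnel-files"}
BLOCKED_FROM = time(22, 0)   # 10 PM
BLOCKED_UNTIL = time(6, 0)   # 6 AM


def rbac_allows(user, obj, operation):
    """RBAC decision: a user may act only through a role that grants the operation."""
    for role in USER_ROLES.get(user, set()):
        if operation in ROLE_PERMISSIONS.get(role, {}).get(obj, set()):
            return True
    return False


def rubac_allows(obj, now):
    """RuBAC rule: database objects are off-limits between 10 PM and 6 AM.

    The window wraps past midnight, so it is blocked when now >= 22:00 OR now < 06:00.
    Objects not covered by the rule pass through unchanged.
    """
    if obj not in DATABASE_OBJECTS:
        return True
    return not (now >= BLOCKED_FROM or now < BLOCKED_UNTIL)


def check_access(user, obj, operation, hhmm):
    """Layered decision: RBAC first, then the RuBAC rule; both must allow.

    hhmm is a clock time such as "23:15". Returns (permitted, reason) so a denial
    can be logged together with the model that caused it.
    """
    now = time.fromisoformat(hhmm)
    if not rbac_allows(user, obj, operation):
        return False, "RBAC: no assigned role grants this operation"
    if not rubac_allows(obj, now):
        return False, "RuBAC: database access is blocked between 10 PM and 6 AM"
    return True, "allowed by RBAC and RuBAC"


if __name__ == "__main__":
    for user, obj, op, when in [
        ("alice", "payroll", "read", "09:30"),    # role grants it, business hours
        ("alice", "payroll", "read", "23:15"),    # role grants it, but the rule blocks it
        ("bob", "payroll", "read", "09:30"),      # no role grants it
        ("carol", "code-repo", "write", "02:00"), # rule does not cover the repo
    ]:
        permitted, reason = check_access(user, obj, op, when)
        print(f"{user:6} {op:5} {obj:16} at {when}: {'ALLOW' if permitted else 'DENY '} ({reason})")
```

Two design points carry over to real systems: the RBAC check never consults the user's identity directly, only the roles assigned to them, and the RuBAC rule cannot grant anything on its own; it can only further restrict a request the underlying model already allowed.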
Bell-LaPadula Model
Bell-LaPadula is a specific MAC model used by governments and military organizations to prevent classified information from leaking to lower-clearance personnel. It has two core properties:
Simple Security Property (no read up): Subjects may NOT read objects classified above their clearance level. A SECRET-cleared analyst cannot read a TOP SECRET document.
*-Property (Star Property — no write down): Subjects may NOT write to objects below their clearance level. A SECRET-cleared analyst cannot write notes to an UNCLASSIFIED folder. This prevents covert channels where high-clearance users leak information to lower levels.
Memory device: WURD — Write Up, Read Down. You CAN write to higher levels. You CAN read from lower levels. You CANNOT do the reverse.
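The two properties reduce to a comparison of level ranks. The following is an added example, not part of the lesson: it encodes the Simple Security Property and the *-Property over the four levels named in this section and builds the full WURD matrix so the "information flows up, never down" pattern is visible. The level ordering is the standard one; the function names are the example's own.

```python
"""Bell-LaPadula decision check.

Constructed example, not from the lesson: encodes the Simple Security Property
(no read up) and the *-Property (no write down) over the four government levels
used in this section, and can print the full WURD matrix.
"""

# Classification levels in order of sensitivity; a higher index is more sensitive.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def can_read(subject_clearance, object_level):
    """Simple Security Property (no read up): the object must be at or below
    the subject's clearance."""
    return RANK[object_level] <= RANK[subject_clearance]


def can_write(subject_clearance, object_level):
    """*-Property (no write down): the object must be at or above the subject's
    clearance, so information never flows to a lower level."""
    return RANK[object_level] >= RANK[subject_clearance]


def decide(subject_clearance, operation, object_level):
    """Return (permitted, governing property) for one access attempt."""
    if operation == "read":
        return can_read(subject_clearance, object_level), "Simple Security Property (no read up)"
    if operation == "write":
        return can_write(subject_clearance, object_level), "*-Property (no write down)"
    raise ValueError(f"unknown operation: {operation!r}")


def wurd_matrix():
    """Map every (clearance, object level) pair to the letters R and/or W permitted.

    Reading a row shows WURD: R appears at or below the clearance, W at or above,
    and only the subject's own level gets both.
    """
    table = {}
    for clearance in LEVELS:
        for level in LEVELS:
            allowed = ""
            if can_read(clearance, level):
                allowed += "R"
            if can_write(clearance, level):
                allowed += "W"
            table[(clearance, level)] = allowed
    return table


if __name__ == "__main__":
    # The two attempts from the lesson text, plus two permitted ones, for a SECRET analyst.
    for op, level in [("read", "TOP SECRET"), ("write", "UNCLASSIFIED"),
                      ("read", "CONFIDENTIAL"), ("write", "TOP SECRET")]:
        ok, prop = decide("SECRET", op, level)
        print(f"SECRET {op:5} {level:13}: {'permitted' if ok else 'DENIED'} ({prop})")
    print()
    matrix = wurd_matrix()
    header = "clearance \\ object"
    print(f"{header:>18} " + " ".join(f"{l[:6]:>6}" for l in LEVELS))
    for clearance in LEVELS:
        print(f"{clearance:>18} " + " ".join(f"{matrix[(clearance, l)] or '-':>6}" for l in LEVELS))
```

Note that a subject may both read and write objects at its own level, and that the model says nothing about integrity: a CONFIDENTIAL user writing into a TOP SECRET folder is permitted by Bell-LaPadula even though it lets a low-clearance subject alter high-classification data. Confidentiality is the only goal this model addresses.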
Principle of Least Privilege
Every entity — user, application, or service — should receive exactly the permissions required for their function and no more. This limits the damage when any account is compromised: the adversary only inherits the minimal permissions that account held.
A developer needs to read configuration files but not modify them. Giving them read-only access applies least privilege. Giving them write access "just in case" violates it.
5 5.2.5 — Linux File Permissions (5.2.D)
Linux controls file access for three entity categories in this fixed order: (1) owner, (2) group, (3) others. For each, three permissions can be set: read (r), write (w), execute (x).
The command ls -l displays permissions as a 9-character string: three groups of rwx. The dash (-) indicates a permission is absent. Example: -rwxr-x---
| Characters | Entity | Permissions |
|---|---|---|
| rwx | Owner | Read + Write + Execute (full) |
| r-x | Group | Read + Execute (no write) |
| --- | Others | No permissions at all |
chmod: Numeric Method (5.2.D.6)
Each permission has a numeric value: 4 = read, 2 = write, 1 = execute. Sum the values for each entity to get its digit.
| Sum | Permissions | Why |
|---|---|---|
| 7 | rwx | 4+2+1 |
| 6 | rw- | 4+2 |
| 5 | r-x | 4+1 |
| 4 | r-- | 4 only |
| 3 | -wx | 2+1 |
| 1 | --x | 1 only |
| 0 | --- | none |
chmod 750 test # owner=7(rwx), group=5(r-x), others=0(---)
chmod 543 test # owner=5(r-x), group=4(r--), others=3(-wx)
chmod 777 test # owner=7(rwx), group=7(rwx), others=7(rwx) [full for all]
chmod 640 data.csv # owner=6(rw-), group=4(r--), others=0(---)
chmod: Symbolic Method (5.2.D.7)
Syntax: chmod entity+/-permission filename
Entities: u=owner, g=group, o=others, a=all
Operations: +=add, -=remove
Permissions: r=read, w=write, x=execute
chmod ug+rx testfile # Adds read and execute to owner and group
chmod o-w sensitive.txt # Removes write permission from others
chmod a-x script.sh # Removes execute from everyone
chmod g+w,o-r file # Adds write for group AND removes read from others
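Both chmod forms, and the permission strings they produce, can be modelled in a few functions. The following is an added example, not code from the lesson: it decodes ls -l strings such as -rwxr-x--- (including the trailing + that marks extended ACLs), converts digits to rwx triplets and back, applies numeric and symbolic chmod specs to a set of mode bits, and works out which permission class Linux actually applies to a given user. It models what chmod does to the mode bits rather than calling the real command, and only the + and - operators covered above are implemented.

```python
"""Linux permission strings and chmod, numeric and symbolic.

Constructed example, not from the lesson: decodes ls -l strings such as
-rwxr-x--- (including the trailing "+" that marks extended ACLs), converts
between digits and rwx triplets, and applies the numeric and symbolic chmod
forms covered in this section. It is a model of what chmod does to the mode
bits, not a wrapper around the real command.
"""
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}   # the 4-2-1 values
ENTITIES = "ugo"                        # owner, group, others, in ls -l order


def parse_mode_string(mode_string):
    """Decode e.g. '-rwxr-x---' into ((7, 5, 0), acl_present)."""
    m = re.fullmatch(r"[-dl]((?:[-r][-w][-x]){3})(\+?)", mode_string)
    if not m:
        raise ValueError(f"not a basic permission string: {mode_string!r}")
    triplets = [m.group(1)[i:i + 3] for i in (0, 3, 6)]
    digits = tuple(sum(PERM_BITS[c] for c in t if c != "-") for t in triplets)
    return digits, m.group(2) == "+"


def digit_to_rwx(digit):
    """3 -> '-wx', 6 -> 'rw-', 7 -> 'rwx'."""
    return "".join(letter if digit & bit else "-" for letter, bit in PERM_BITS.items())


def mode_string(digits, file_type="-"):
    """Inverse of parse_mode_string: (6, 4, 0) -> '-rw-r-----'."""
    return file_type + "".join(digit_to_rwx(d) for d in digits)


def chmod_numeric(mode):
    """'750' -> (7, 5, 0); the digits are owner, group, others in that order."""
    if not re.fullmatch(r"[0-7]{3}", mode):
        raise ValueError(f"numeric mode must be three octal digits: {mode!r}")
    return tuple(int(c) for c in mode)


def chmod_symbolic(current, spec):
    """Apply a symbolic spec such as 'ug+rx' or 'g+w,o-r' to current digits.

    Only the + and - operators taught in this section are modelled; the real
    chmod also accepts '=' to set a class's permissions exactly.
    """
    digits = list(current)
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]+)([+-])([rwx]+)", clause)
        if not m:
            raise ValueError(f"bad symbolic clause: {clause!r}")
        who, op, perms = m.groups()
        targets = set(ENTITIES) if "a" in who else set(who)
        mask = sum(PERM_BITS[p] for p in set(perms))
        for idx, entity in enumerate(ENTITIES):
            if entity in targets:
                digits[idx] = digits[idx] | mask if op == "+" else digits[idx] & ~mask
    return tuple(digits)


def effective_permissions(digits, is_owner, in_group):
    """Which rwx set Linux applies to a given user: the first matching class only.

    The owner is judged by the owner digit even if the group digit is more
    permissive; a non-owner group member is judged by the group digit; everyone
    else by the others digit.
    """
    digit = digits[0] if is_owner else digits[1] if in_group else digits[2]
    return {letter for letter, bit in PERM_BITS.items() if digit & bit}


if __name__ == "__main__":
    # The lesson's own examples, run through the model.
    digits, acl = parse_mode_string("-rwxr-x---")
    print("-rwxr-x--- ->", "".join(map(str, digits)), "(extended ACL)" if acl else "")
    for mode in ("750", "543", "777", "640"):
        print(f"chmod {mode} ->", mode_string(chmod_numeric(mode)))
    start = chmod_numeric("644")
    for spec in ("ug+rx", "o-w", "a-x", "g+w,o-r"):
        print(f"chmod {spec} on {mode_string(start)} ->", mode_string(chmod_symbolic(start, spec)))
    print("group member on 750 can:", sorted(effective_permissions((7, 5, 0), False, True)))
```

The effective_permissions function captures a detail worth remembering when a scenario asks what a particular user can do: Linux picks one class (owner, then group, then others) and applies only that digit, so a file with mode 460 is read-only for its owner even though the group has write access.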
The AP exam gives you a chmod command and asks what permissions result, OR gives you a permission string and asks which command produced it. Practice the numeric method: owner digit is first, group is second, others is third. 7=full, 6=rw, 5=rx, 4=r. If you can decode any three-digit number instantly, no chmod question will slow you down.
Check for Understanding — Topic 5.2
1. A bank is transmitting customer account balances between its core banking system and an external payment processor over an encrypted channel. What data state are the balances in, and what is the PRIMARY security concern for this state?
2. A healthcare organization is assessing what laws apply to its data holdings. Which of the following INCORRECTLY pairs a data type with its governing regulatory framework?
3. A military database uses the Bell-LaPadula model. A user with SECRET clearance attempts: (Operation I) reading a TOP SECRET document and (Operation II) writing notes to an UNCLASSIFIED folder. Which operations are permitted?
4. After running chmod 754 deploy.sh, a user in the file's group (but not the owner) attempts to edit the file. Is this permitted?
5. A developer creates a configuration file and explicitly grants a contractor read access to that file. The developer can revoke access at any time. Later, the IT department adds an organization-wide rule prohibiting access to configuration files outside business hours, which overrides the developer's grant during off-hours. Which models are demonstrated in this scenario?
6. Which of the following BEST describes the principle of least privilege, and why does it reduce the damage from a compromised account?
7. A file shows permissions -rw-r--r-- when listed with ls -l. An administrator runs chmod g-r,o-r config.ini. What are the resulting permissions?
8. An organization wants the file owner to have full permissions, group members to have read-only access, and all others to have no permissions on a patient records file. Which chmod command achieves this with LEAST privilege for the group?
9. A policy states that only the "Admin" role can create new user accounts, only the "Analyst" role can access the reporting database, and only the "Support" role can reset passwords. Individual employees have no control over their own access levels. Which access control model does this describe?
10. Which of the following correctly identifies the purpose of a web application security policy as defined in 5.2.B?
⚠ Common AP Exam Mistakes — Topic 5.2
| Common Mistake | Why It's Wrong | Correct Thinking |
|---|---|---|
| Confusing RBAC with DAC | In DAC, the object owner sets permissions. In RBAC, an administrator assigns roles and roles define permissions — individual subjects never set their own access. | RBAC: administrator + roles. DAC: owner controls access. The key distinguishing question: who sets the permissions for an object? |
| Mixing up Bell-LaPadula properties | Students reverse the rules: they write "no write up" or "no read down." The actual rules are the opposite — no read up, no write down. | WURD: Write Up, Read Down. You CAN do these. You CANNOT read up or write down. The intuition: information flows up, never down. |
| Saying data in use should be encrypted | Data in use must be decrypted to be processed. You cannot encrypt data while a CPU is computing with it. The protection for data in use is access controls, not encryption. | Data in use = decrypted. Protect it with access controls (who can read/edit), not encryption. |
| Decoding chmod digits as write=4 | Students mix up read and write values. The values are: read=4, write=2, execute=1. Many students assign 4 to write. | 4=read, 2=write, 1=execute. A 6 means read+write (4+2). A 5 means read+execute (4+1). Memorize: RWX = 4-2-1. |
| Treating RuBAC as a standalone model | RuBAC is described in the CED as typically layered on top of another model. It adds conditional rules to an existing access control framework. | RuBAC adds rules; it does not replace RBAC or DAC. If a scenario has role-based access PLUS a time restriction, that's RBAC + RuBAC. |
8 5.2.8 — Key Terms & FAQ
Q: If Bell-LaPadula says "Write Up, Read Down," can a TOP SECRET user read UNCLASSIFIED documents?
A: Yes. Reading down (reading objects below your level) is permitted. A TOP SECRET user can read TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED documents. They cannot read documents above their level (there are none for TOP SECRET), and they cannot write to anything below their level.
Q: What is the difference between RuBAC and MAC?
A: MAC assigns security levels to both subjects and objects and uses those levels to make access decisions. RuBAC applies a set of rules (e.g., time of day, location, IP address) to evaluate each access request. RuBAC is often layered on top of RBAC or MAC; MAC is a standalone model.
Q: Does ls -l show extended ACLs?
A: Standard ls -l shows the nine basic permission characters. If a + appears at the end of the permission string (e.g., -rwxr-x---+), it indicates extended ACLs have been set. Use getfacl to view those extended permissions.
Q: What's the difference between Privacy Act and COPPA?
A: The Privacy Act of 1974 governs PII broadly for U.S. federal agencies and establishes general data protection principles. COPPA (Children's Online Privacy Protection Act, 1998) specifically governs the online collection of data from children under 13 and requires parental consent for data collection targeting that age group.
Students submit before leaving.
- Name all three data states and identify the primary security control recommended for each. Why can encryption NOT be the primary control for data in use? (AP Skill: Identify Controls)
- An analyst with CONFIDENTIAL clearance under Bell-LaPadula attempts to: (a) read a SECRET report, (b) write a memo to an UNCLASSIFIED folder, (c) read an UNCLASSIFIED briefing. For each, state whether it is permitted and which property applies. (AP Skill: Analyze Risk)
- A file currently has permissions -r--r--r--. Write TWO different chmod commands that would give the owner read and write access while keeping all other permissions unchanged: one using the numeric method and one using the symbolic method. (AP Skill: Implement Controls)
- A company stores customer credit card numbers in a database. Identify the data type, the governing regulation, and recommend whether data at rest and data in transit should be encrypted. Justify each recommendation. (AP Skill: Determine Controls)
- Give one specific scenario each where RBAC, DAC, and MAC are the most appropriate access control model. Explain what distinguishes each choice. (AP Skill: Determine Controls)
Q1: At rest: encryption (+ physical security). In transit: encryption. In use: access controls. Data in use cannot be encrypted because encryption must be reversed before a CPU can compute with it — the data must be in plaintext form during processing.
Q2: (a) Reading SECRET with CONFIDENTIAL clearance = NO. Violates Simple Security Property (no read up). (b) Writing to UNCLASSIFIED with CONFIDENTIAL clearance = NO. Violates *-Property (no write down). (c) Reading UNCLASSIFIED with CONFIDENTIAL clearance = YES. Reading down is permitted by WURD.
Q3: Numeric: chmod 644 file (owner=6=rw, group=4=r, others=4=r). Symbolic: chmod u+w file (adds write to owner only, all other permissions unchanged).
Q4: PCI (Payment Card Industry data). Governed by PCI-DSS. At rest: YES, encrypt — if the drive or database is stolen, encryption prevents immediate access to card numbers. In transit: YES, encrypt — card data sent over a network without encryption can be intercepted by a network adversary.
Q5: RBAC: A hospital assigns roles (Nurse, Doctor, Admin) with defined access to patient records. DAC: An employee creates a project folder and grants their team members read access while blocking everyone else. MAC: A military intelligence system assigns clearance levels to analysts and strict rules prevent cross-level access that no individual user can override.
Tanner Crow is an AP CS teacher with 11+ years of experience and a 5.0 Wyzant rating. Book a session and nail the exam.
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School, Overland Park KS
11+ years teaching AP CS courses. Built every lesson on this site from the College Board CED. Rated 5.0 on Wyzant with 2,067+ tutoring hours.