The most visual, interactive guide to CISSP security models. Understand the rules, spot the signals, and never confuse these models on exam day.
Security models are formal frameworks that define rules for how subjects (users/processes) interact with objects (data/resources). They underpin OS and system design and are heavily tested on the CISSP exam as scenario-based questions.
Protects confidentiality. Information can only flow upward or stay level β never down. Built for US military classification systems.
Protects integrity. Low-integrity data cannot contaminate high-integrity data. The exact inverse of Bell-LaPadula.
Protects integrity through well-formed transactions and separation of duties. Designed for commercial environments.
Prevents conflict of interest. Access is dynamically restricted based on what data the user has already accessed.
| Model | Protects | Read Rule | Write Rule | Access Type |
|---|---|---|---|---|
| Bell-LaPadula | Confidentiality | β No Read Up | β No Write Down | Static (labels) |
| Biba | Integrity | β No Read Down | β No Write Up | Static (levels) |
| Clark-Wilson | Integrity | Via IVP only | Via TP + SoD only | Procedural |
| Brewer-Nash | Conf. + Integrity | Based on history | Based on history | Dynamic (wall) |
Select a model to see exactly how its rules work β with visual level towers and flow diagrams.
Developed by the US DoD in 1973. Enforces confidentiality by ensuring classified information can only flow upward β never down to lower-clearance systems.
Developed by Kenneth Biba in 1977. Enforces integrity by preventing low-integrity data from contaminating high-integrity systems. The direct inverse of Bell-LaPadula.
Developed in 1987 for commercial use. Protects integrity through controlled transactions and separation of duties β not level-based rules like Biba.
Developed in 1989. Prevents conflict of interest by dynamically restricting access based on what the user has already accessed. The wall grows as access history builds.
Filter by category to focus your study. Hover any row for highlighting.
| Criteria | π΄ Bell-LaPadula | π΅ Biba | π’ Clark-Wilson | π£ Brewer-Nash |
|---|---|---|---|---|
| Primary goal | Confidentiality | Integrity | Integrity | Conflict of interest prevention |
| Read rule | β No Read Up Can't read above clearance | β No Read Down Can't read lower integrity | Via IVP only Verification before access | Based on access history Wall grows dynamically |
| Write rule | β No Write Down Can't leak to lower level | β No Write Up Can't corrupt higher level | Via TP only Approved procedures only | Based on conflict class No cross-competitor writes |
| Access type | Static (lattice-based) | Static (lattice-based) | Static (procedural) | β Dynamic (history-based) |
| Addresses CIA | Confidentiality only | Integrity only | Integrity (+ some C via SoD) | Both C and I |
| Designed for | Military / Government | Commercial integrity | Commercial / Business | Finance / Consulting / Legal |
| Real-world examples | NSA systems, JWICS, military classified networks | Air traffic control, financial ledgers, medical systems | Accounting software, ERP (SAP), hospital EMR workflows | Law firms, consulting (Deloitte, McKinsey), investment banks |
| Separation of duties | β Not required | β Not required | β Core requirement | β οΈ Implicit (via wall) |
| Can management override? | β No | β No | β οΈ Limited (must follow TP) | β No β wall is absolute |
| Often confused with | Biba (rules are inverse) | Bell-LaPadula (rules are inverse) | Biba (both = integrity) | RBAC (both restrict access) |
| Key differentiator | Stops secrets leaking DOWN | Stops contamination flowing UP | Integrity via PROCEDURES not levels | Access based on HISTORY not levels |
| CISSP signal words | "clearance," "classified," "no read up," "no write down" | "integrity level," "contamination," "no write up," "no read down" | "separation of duties," "TP," "CDI," "well-formed transaction" | "conflict of interest," "Chinese Wall," "previously accessed," "dynamic" |
Click any example to expand the full scenario, why it fits the model, and the CISSP exam takeaway.
A CIA analyst holds a SECRET clearance. On JWICS (the classified government network), they can read SECRET and CONFIDENTIAL documents freely. When they attempt to read a TOP SECRET intelligence report, the system denies access β they haven't been cleared to that level. Later, when drafting their analysis, the system prevents them from saving the document to an UNCLASSIFIED folder, even by accident. The analyst can only save to SECRET or above. This prevents classified information from ever reaching lower-clearance systems, even through human error.
SELinux implements Bell-LaPadula principles through Multi-Level Security (MLS). Processes are assigned security levels and the kernel enforces read/write restrictions between levels. A web server process (LOW level) cannot read database credential files (HIGH level). Even root-level processes respect these labels. This is exactly BLP's Simple Security Property and *-property implemented in OS kernel code.
An air traffic control system assigns integrity levels to data sources. Certified radar feeds from certified transponders are HIGH integrity. Unverified position reports from pilots via radio are MEDIUM integrity. Anonymous ADS-B reports from unknown sources are LOW integrity. Controllers work at MEDIUM integrity and are blocked from reading LOW integrity reports directly into their decision-making system (No Read Down). More critically, a LOW-integrity report can never overwrite a HIGH-integrity radar track (No Write Up). Lives depend on the system not being contaminated by unverified data.
A bank's general ledger system implements Clark-Wilson throughout. Account balances (CDIs) cannot be edited directly β only via approved journal entry transactions (TPs). When a teller receives a cash deposit (UDI β unconstrained input), it must go through the validated deposit workflow (IVP converts UDI to CDI) before touching any account balance. Crucially, the teller who records the transaction cannot be the same person who authorizes it β separation of duties is enforced by the software itself. Every change is logged for audit (IVP runs continuously). The system's integrity verification (IVP) runs nightly to ensure all ledger balances are consistent.
A partner at a Big Four firm begins work on a cost-reduction engagement for Coca-Cola. Their document management system automatically places all Coca-Cola files and the entire "Beverages" conflict class in their accessible zone. When PepsiCo's account team requests the same partner for a strategy project, the system flags the conflict β the partner has Coca-Cola data in their access history. Even the managing director cannot override this wall to assign them to PepsiCo. The partner must first be "cleaned off" the Coca-Cola engagement and wait a defined period before the wall can be lowered. This protects both clients and the firm from legal liability.
A law firm's matter management system runs a conflict check before assigning any attorney to a new case. Attorney Rivera has worked on patent disputes for TechCorp. When the firm is asked to represent StartupAI β which TechCorp is actively suing β the system blocks Rivera from the matter entirely. Rivera's access history has built a permanent wall between them and any party opposing TechCorp. The system even tracks former clients from previous firms if Rivera disclosed them during onboarding. This is the Chinese Wall in legal practice, required by bar association ethics rules.
Each question is phrased the way the CISSP exam tests security models β scenario first, model identification second.
Answer 3 questions about the scenario and we'll identify the model β with a full explanation.
Click each card to flip and reveal the mnemonic. Built for rapid recall under exam pressure.
This is the single most-tested confusion point. Commit this table to memory.
| Rule | π΄ Bell-LaPadula | π΅ Biba |
|---|---|---|
| Read Rule | β No Read Up | β No Read Down |
| Write Rule | β No Write Down | β No Write Up |
| Protects | CONFIDENTIALITY | INTEGRITY |
| Info flow direction | Can only flow UP β¬οΈ | Can only flow DOWN β¬οΈ |
| If the question says⦠| Think⦠| Model |
|---|---|---|
| "clearance level" / "classified" / "no read up" / "no write down" / "secrets leaking down" | π΄ Military secrecy. Info flows UP only. BLP = Blocks Leaking to Public | Bell-LaPadula |
| "integrity level" / "contamination" / "no write up" / "no read down" / "unverified source" | π΅ Data purity. Dirty data stays dirty. Biba = Blocks Infections from Below | Biba |
| "separation of duties" / "approved procedure" / "TP" / "CDI" / "dual authorization" / "no direct edit" | π’ Accounting rules. Controlled workflow. C-W = Controlled Workflow | Clark-Wilson |
| "conflict of interest" / "Chinese Wall" / "previously accessed" / "dynamic restriction" / "consulting/law firm" | π£ History builds the wall. BN = Build a New wall based on history | Brewer-Nash |