---
title: "AP Cybersecurity 5.2: Access Control Models and Data Protection"
description: "Review data states, PII/PHI/PCI regulations, RBAC vs. MAC models, Bell-LaPadula, and Linux chmod commands for AP Cybersecurity topic 5.2."
canonical: "https://fiveable.me/ap-cybersecurity/unit-5/protecting-applications-and-data-managerial-controls-and-access-controls/study-guide/tZFME9LjYUHiIc9fHQE2"
type: "study-guide"
subject: "AP Cybersecurity"
unit: "Unit 5 – Securing Applications and Data"
lastUpdated: "2026-06-18"
---

# AP Cybersecurity 5.2: Access Control Models and Data Protection

## TLDR
Protecting applications and data starts with knowing what data you have, what state it is in, and what laws apply, then layering on policies and [access controls](/ap-cybersecurity/key-terms/access-control "fv-autolink") to limit who can touch it. This topic covers the three states of data, regulated data categories like PII, PHI, and PCI, managerial policies for [cryptography](/ap-cybersecurity/key-terms/cryptography "fv-autolink") and web apps, the main access control models, and how to set file permissions on a Linux system with `chmod`.

## Why This Matters for the AP Cybersecurity Exam

This topic ties together a lot of defensive thinking you will use across the [AP Cybersecurity exam](/ap-cybersecurity/ap-cybersecurity-exam "fv-autolink"). You need to classify data correctly, match it to the right legal or regulatory requirements, and pick an access control model that fits a scenario. The Linux permissions piece is hands-on: you should be able to read a permission string, calculate a numeric `chmod` value, and write a symbolic `chmod` command. Expect questions that give you a situation and ask you to choose the best protection, identify the data state, or fix a permissions problem.

## Key Takeaways

- Data exists in three states: at rest, in transit, and in use. Data must be unencrypted to be used, so access controls protect [data in use](/ap-cybersecurity/key-terms/data-in-use "fv-autolink").
- Regulated data categories include PII (Privacy Act of 1974, COPPA), PHI (HIPAA), and PCI (PCI-DSS). Know which law or standard maps to which data type.
- [Managerial controls](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") are written policies. A cryptography policy sets approved algorithms and key rules; a web application security policy sets testing and remediation rules.
- The main access control models are [RBAC](/ap-cybersecurity/key-terms/rbac "fv-autolink") (role), [RuBAC](/ap-cybersecurity/key-terms/rubac "fv-autolink") (rule), DAC (owner decides), and MAC (strict levels set by an admin). Bell-LaPadula is a MAC model summarized as "write up, read down."
- The principle of least privilege means giving each subject only the access it needs and nothing more.
- In Linux, permissions are read (r=4), write (w=2), execute (x=1) for owner, group, and others. Use `chmod` with numeric or symbolic methods to change them.

## Data States and Classification

Not all data is equal. A company's lunch menu does not need the same protection as a customer's social security number. To figure out the right security, you first need to know what state the data is in and what category it falls into.

### The Three States of Data

Data exists in one of three states at any moment, and each state has its own security concerns.

[Data at rest](/ap-cybersecurity/key-terms/data-at-rest) is data sitting on a storage device, like files saved on a hard drive, a USB stick, or a cloud server. The two main risks are physical (someone steals or harms the drive) and digital (someone copies the files). Protection usually means locking up the physical hardware and encrypting the files so a thief cannot read them.

[Data in transit](/ap-cybersecurity/key-terms/data-in-transit) is data moving between devices, like an email being sent or a webpage loading. If it travels over cables, you can protect the cables themselves. Whether or not the physical path can be protected, you encrypt the data so anyone who intercepts it just sees scrambled junk.

[Data in use](/ap-cybersecurity/key-terms/data-in-use) is data being actively processed, either by software or by a person reading it on screen. Here is the catch: data has to be unencrypted to actually be used. So you cannot rely on [encryption](/ap-cybersecurity/key-terms/encryption) alone. Instead, you use [access controls](/ap-cybersecurity/key-terms/access-control) to limit who can view or edit it.

### Categories of Regulated Data

Some types of data are protected by law, which means organizations face real consequences for handling them carelessly.

[Personally identifiable information (PII)](/ap-cybersecurity/key-terms/personally-identifiable-information) is anything that can identify a specific person. Names, signatures, phone numbers, addresses, biometric data like fingerprints, social security numbers, dates of birth, and email addresses all count. The Privacy Act of 1974 protects PII in general. For kids under 13, the Children's Online Privacy Protection Act of 1998 (COPPA) adds extra rules.

[Protected health information (PHI)](/ap-cybersecurity/key-terms/protected-health-information) covers anything tied to a person's health, treatment, or healthcare payments. Test results, hospital records, doctor's notes, and insurance payment records all qualify. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets the rules here.

[Payment card information (PCI)](/ap-cybersecurity/key-terms/payment-card-information) is the data needed to process card payments: cardholder name, account number, expiration date, billing address, and CVV code. The Payment Card Industry Data Security Standard (PCI-DSS) regulates how this is handled.

### Why Classification Matters

Organizations sort data by sensitivity and apply stronger security to the more sensitive stuff. A marketing brochure might be public, while customer credit card numbers get encrypted, logged, and access-restricted. When data falls under a law or standard like HIPAA or PCI-DSS, the organization usually labels it (tags it as "PHI" or "Confidential") and writes policies that match the requirements for storing, sending, and handling it.

## Managerial Controls for Applications and Data

Technical tools alone do not keep data safe. Organizations need written policies that tell employees and developers exactly what is allowed. These are called [managerial controls](/ap-cybersecurity/key-terms/managerial-control), and two of the most important ones deal with cryptography and web applications.

### Cryptography Policy

A cryptography policy spells out the encryption rules for the entire organization. Instead of letting every developer pick their own algorithm, the policy says exactly what is acceptable. A typical cryptography policy includes:

- A list of approved encryption algorithms for specific uses
- Minimum or maximum key lengths
- Cryptographic key-generation requirements and parameters
- Cryptographic key-storage requirements

The point is consistency. If one team uses strong encryption and another uses outdated algorithms, the weak link puts everyone at [risk](/ap-cybersecurity/key-terms/risk "fv-autolink").

### Web Application Security Policy

A web application security policy lays out how the organization tests and fixes [vulnerabilities](/ap-cybersecurity/key-terms/vulnerability "fv-autolink") in its web apps. It usually covers:

- When an application has to undergo a security assessment
- Timelines for fixing vulnerabilities based on risk level
- How assessments must be carried out, including specific tools or frameworks

This policy makes sure security testing actually happens on a predictable schedule instead of being skipped when deadlines get tight.

## Access Control Models

Access control is the system that decides which subjects (users or applications) can perform which operations (access, modify, add, remove) on which objects (files or applications). An access control model is the strategy used to make those decisions. There are four main models to know, plus one specific model used by governments.

### Role-Based Access Control (RBAC)

In [role-based access control (RBAC)](/ap-cybersecurity/key-terms/role-based-access-control), every subject gets assigned to a role, and permissions are tied to roles instead of individual people. So if you are hired as an accountant, you automatically get access to whatever accountants need.

Example: A company creates a role called "accountant." The payroll software is an object. RBAC ensures that only people in the accountant role can open the payroll software. When a new accountant joins, they get the role and instantly have the right access. When someone leaves accounting, you remove the role and their access disappears.

### Rule-Based Access Control (RuBAC)

[Rule-based access control (RuBAC)](/ap-cybersecurity/key-terms/rule-based-access-control) uses a set of rules to allow or deny access. It is typically layered on top of another model like RBAC, adding extra conditions.

Example: A rule says no one can access the customer database outside of local working hours. Even if you are an authorized accountant trying to log in at 2 AM, the rule denies you. RBAC says "yes, you have the role," but RuBAC overrides that with "not right now."

Do not mix up RBAC and RuBAC. RBAC = role-based. RuBAC = rule-based.
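The layering described above, as an added example that is not part of the original guide: RBAC answers "does a role grant this?" and a RuBAC rule can still veto the request. The users, roles, object names, and the 09:00 to 17:00 working hours are assumptions made for illustration.

```python
from datetime import datetime, time

# Constructed sample policy. Users, roles and objects are illustrative only.
ROLE_PERMISSIONS = {
    "accountant": {("payroll_software", "open"), ("customer_database", "read")},
    "marketing": {("brochure", "read"), ("brochure", "modify")},
}
USER_ROLES = {"alice": {"accountant"}, "frank": {"marketing"}}

# Assumed local working hours for the rule; the guide gives no specific times.
WORK_START, WORK_END = time(9, 0), time(17, 0)


def rbac_allows(user, obj, operation):
    """RBAC: access exists only if one of the user's roles carries the permission."""
    return any(
        (obj, operation) in ROLE_PERMISSIONS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )


def working_hours_rule(user, obj, operation, when):
    """RuBAC rule: nobody touches the customer database outside working hours.
    Returns a denial reason, or None when the rule has no objection."""
    if obj == "customer_database" and not (WORK_START <= when.time() < WORK_END):
        return "rule: customer_database is unavailable outside working hours"
    return None


RULES = [working_hours_rule]


def decide(user, obj, operation, when):
    """Return (allowed, reason). RBAC is checked first, then every rule may veto."""
    if not rbac_allows(user, obj, operation):
        return False, "rbac: no assigned role grants this access"
    for rule in RULES:
        reason = rule(user, obj, operation, when)
        if reason is not None:
            return False, reason
    return True, "allowed"


def revoke_role(user, role):
    """Removing the role removes every permission that came with it."""
    USER_ROLES.get(user, set()).discard(role)


if __name__ == "__main__":
    afternoon = datetime(2025, 3, 4, 14, 0)  # constructed timestamps
    night = datetime(2025, 3, 4, 2, 0)
    requests = [
        ("alice", "customer_database", "read", afternoon),  # role + rule both pass
        ("alice", "customer_database", "read", night),      # role passes, rule vetoes
        ("frank", "payroll_software", "open", afternoon),   # no role grants it
    ]
    for user, obj, op, when in requests:
        print(user, obj, op, when.time(), "->", decide(user, obj, op, when))
    revoke_role("alice", "accountant")
    print("after revoke ->", decide("alice", "payroll_software", "open", afternoon))
```
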

### Discretionary Access Control (DAC)

In [discretionary access control](/ap-cybersecurity/key-terms/discretionary-access-control "fv-autolink") (DAC), individual users decide who can access the files they own. If you create a document, you choose who can read or edit it. Some subjects are designated as administrators or super users, and they can override the access controls other subjects set.

Example: Bob creates a file. He gives Alice permission to edit it, gives Frank read-only permission, and blocks everyone else. Bob is in charge because he owns the file.

### Mandatory Access Control (MAC)

[Mandatory access control](/ap-cybersecurity/key-terms/mandatory-access-control "fv-autolink") (MAC) is much stricter. Subjects and objects are assigned security levels by an outside administrator, and access follows rigid rules based on whether an object is above, at, or below the subject's level. Individual users cannot change permissions, even on files they create.

### The Bell-LaPadula Model

The [Bell-LaPadula model](/ap-cybersecurity/key-terms/bell-lapadula-model "fv-autolink") is a specific MAC model used heavily by governments and the military to protect classified information. It has two key properties:

1. **Simple Security Property:** A subject may not read objects that are above their level. (No reading up.)
2. **Star Security Property (\* Property):** A subject may not write to objects below their level. (No writing down.)

The shortcut to remember this is "write up, read down" ([WURD](/ap-cybersecurity/key-terms/wurd "fv-autolink")). The "no writing down" rule prevents someone with high clearance from accidentally leaking secrets to a lower-level object where unauthorized people could see them.
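An added example (not from the original guide) that encodes the two properties and then checks every combination of subject, source object, and destination object to show why "no writing down" matters. The four level names are assumed for illustration; the guide does not name specific levels.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    # Assumed example levels, lowest to highest.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def can_read(subject, obj):
    """Simple Security Property: no reading objects above the subject's level."""
    return obj <= subject


def can_write(subject, obj, enforce_star=True):
    """Star Property: no writing to objects below the subject's level.
    enforce_star=False models a system that skips this property."""
    return obj >= subject if enforce_star else True


def access_matrix(subject):
    """Map each object level to the operations this subject may perform on it."""
    matrix = {}
    for obj in Level:
        ops = ("r" if can_read(subject, obj) else "") + ("w" if can_write(subject, obj) else "")
        matrix[obj.name] = ops or "-"
    return matrix


def downward_flows(enforce_star=True):
    """List every (subject, source, destination) where a subject could read a
    source object and copy what it read into a lower-level destination."""
    leaks = []
    for subject, src, dst in product(Level, repeat=3):
        if dst < src and can_read(subject, src) and can_write(subject, dst, enforce_star):
            leaks.append((subject.name, src.name, dst.name))
    return leaks


if __name__ == "__main__":
    print("SECRET subject:", access_matrix(Level.SECRET))
    print("leak paths with both properties:", len(downward_flows()))
    print("leak paths without the Star Property:", len(downward_flows(enforce_star=False)))
```

With both properties enforced there is no path that moves information from a higher object to a lower one; removing only the Star Property opens such paths even though "no reading up" still holds.
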

### Principle of Least Privilege

No matter which model you use, follow the principle of least privilege: give each subject exactly the access it needs to do its function and nothing more. An intern does not need admin rights. The marketing team does not need access to source code. Less access means less damage if an account gets compromised.

## Configuring Access Controls in Linux

Linux uses file permissions to enforce access control. [Authorization](/ap-cybersecurity/key-terms/authorization "fv-autolink") is the moment an entity gets permission to access a resource, and Linux handles this through a permission system you set on every file.

### Reading Linux Permissions

Every file has three types of access that can be granted or denied, always in this order:

1. **Read (r):** view the file's contents
2. **Write (w):** make changes to the file
3. **Execute (x):** run a binary file such as a program

If a permission is missing, you see a `-` in its place. So `r-x` means read and execute, but no write.

Permissions are set for three default entities, always in this order:

1. The file owner
2. The file group
3. **Other** (all other users)

You will see all three sets together with no spaces, like `rwxrwxrwx` (everyone can do everything) or `rwxr-x---` (owner has full access, group can read and execute, others have nothing).

### Viewing Permissions

To see permissions, use:

```
ls -l
```

This lists files with their current permissions for owner, group, and others. If you see a `+` at the end of the permissions string, it means extra permissions have been set beyond the defaults. To view those, use:

```
getfacl filename
```

### Changing Permissions with chmod (Numeric Method)

The `chmod` command modifies permissions. The numeric method uses three digits, one for each entity (owner, group, other). Each digit is the sum of the values for the permissions you want:

- `0` = no permissions
- `1` = execute
- `2` = write
- `4` = read

Add them up to get combinations:

- `3` = write + execute (2+1)
- `5` = read + execute (4+1)
- `6` = read + write (4+2)
- `7` = read + write + execute (4+2+1)

Syntax: `chmod ### filename`

Examples:

```
chmod 750 test
```
Owner gets read, write, execute (7). Group gets read and execute (5). Others get nothing (0).

```
chmod 543 test
```
Owner gets read and execute (5). Group gets read only (4). Others get write and execute (3).

```
chmod 777 test
```
All three entities get read, write, and execute on the file `test`. (Generally a bad idea in real systems.)

### Changing Permissions with chmod (Symbolic Method)

The symbolic method uses letters instead of numbers. It works well when you want to add or remove a single permission without rewriting the whole set.

Entities:

- `u` = user owner
- `g` = group
- `o` = others
- `a` = all

Operators:

- `+` = add the permission
- `-` = remove the permission

Permissions:

- `r` = read
- `w` = write
- `x` = execute

Syntax: `chmod [entity][+ or -][permission] filename`, with no spaces between the entity, the operator, and the permission.

Example: to add read and execute permissions for both the user owner and the group on a file called `testfile`:

```
chmod ug+rx testfile
```

You can combine entities and permissions in one command, which makes the symbolic method flexible for quick tweaks. If you wanted to remove write access from others, you would run `chmod o-w testfile`. No need to recalculate the whole numeric value.
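An added practice aid, not part of the original guide: it converts between permission strings and numeric values, applies a single symbolic change, and confirms the numeric result against a real temporary file. The function names are hypothetical, and `chmod_and_read_back` assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

VALUES = {"r": 4, "w": 2, "x": 1}
OFFSET = {"u": 0, "g": 3, "o": 6}  # where each entity's triplet starts in the string


def string_to_numeric(perm):
    """'rwxr-x---' -> '750': sum r=4, w=2, x=1 inside each triplet."""
    if len(perm) != 9:
        raise ValueError("expected 9 characters such as rwxr-x---")
    digits = ""
    for start in (0, 3, 6):
        total = 0
        for letter, actual in zip("rwx", perm[start:start + 3]):
            if actual == letter:
                total += VALUES[letter]
            elif actual != "-":
                raise ValueError(f"unexpected {actual!r} in {perm!r}")
        digits += str(total)
    return digits


def numeric_to_string(numeric):
    """'543' -> 'r-xr---wx': split each digit back into its r, w, x bits."""
    if len(numeric) != 3 or any(c not in "01234567" for c in numeric):
        raise ValueError("expected three digits, each 0-7")
    return "".join(
        letter if int(digit) & VALUES[letter] else "-"
        for digit in numeric
        for letter in "rwx"
    )


def apply_symbolic(perm, change):
    """Apply one change such as 'ug+rx' or 'o-w' to a 9-character string."""
    string_to_numeric(perm)  # reuse the validation above
    op_at = next((i for i, c in enumerate(change) if c in "+-"), -1)
    who, op, what = change[:op_at], change[op_at:op_at + 1], change[op_at + 1:]
    if op_at < 1 or not what or set(who) - set("ugoa") or set(what) - set("rwx"):
        raise ValueError(f"cannot parse {change!r}; expected e.g. ug+rx")
    entities = "ugo" if "a" in who else who
    chars = list(perm)
    for entity in entities:
        for letter in what:
            index = OFFSET[entity] + "rwx".index(letter)
            chars[index] = letter if op == "+" else "-"
    return "".join(chars)


def world_writable(perm):
    """Least-privilege check: True when 'others' hold write access."""
    return perm[7] == "w"


def chmod_and_read_back(numeric):
    """Set the mode on a real temporary file and return the string ls -l would
    show, minus the leading file-type character."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, int(numeric, 8))
        return stat.filemode(os.stat(path).st_mode)[1:]
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(string_to_numeric("rwxr-xr--"))
    print(numeric_to_string("543"))
    print(apply_symbolic("rw-------", "ug+rx"))
    print(string_to_numeric(apply_symbolic("rwxrwxrwx", "o-w")))
    print(chmod_and_read_back("750"), world_writable(numeric_to_string("777")))
```
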

## How to Use This on the AP Cybersecurity Exam

### MCQ

- When a scenario describes data sitting on a drive, moving across a network, or being processed, identify the state (at rest, in transit, in use) and match it to the right protection. Remember that data in use cannot stay encrypted, so access controls carry the load.
- Match data types to their laws or standards: PII to the Privacy Act of 1974 and COPPA for children under 13, PHI to HIPAA, PCI to PCI-DSS.
- For access control questions, read the scenario for clues. If the file owner sets the permissions, that is DAC. If a role determines access, that is RBAC. If a condition like time of day decides, that is RuBAC. If an external admin assigns strict levels, that is MAC.

### Problem Solving

- Practice converting between permission strings and numeric values. For example, `rwxr-xr--` is 754: owner 7, group 5, others 4.
- Be ready to build a `chmod` command both ways. Numeric uses three digits (owner, group, other). Symbolic uses an entity (`u`, `g`, `o`, `a`), an operator (`+` or `-`), and a permission (`r`, `w`, `x`).
- For Bell-LaPadula, apply "write up, read down." No reading above your level, no writing below it.

### Common Trap

- Mixing up RBAC and RuBAC is easy. Tie RBAC to role and RuBAC to rule every time.
- Do not flip the Bell-LaPadula rules. The Simple Security Property is about reading (no reading up); the Star Property is about writing (no writing down).

## Common Misconceptions

- "Encryption protects data in every state." Data in use must be unencrypted while it is being processed, so access controls, not encryption, protect it at that moment.
- "PCI-DSS is a law." PCI-DSS is an industry standard, not a federal law, though organizations that ignore it can lose the ability to process card payments.
- "RBAC and RuBAC are the same thing." RBAC assigns access by role; RuBAC allows or denies access based on rules and is usually layered on top of another model.
- "DAC means no one can override the owner." In DAC, administrators or super users can override the permissions an owner sets.
- "In Bell-LaPadula you can read anything above your clearance." It is the opposite. You read down (at or below your level) and write up (at or above your level).
- "A higher `chmod` number is always more secure." A higher number grants more access, not less. `chmod 777` gives everyone full access, which is usually the least secure option.

## Vocabulary

- **Bell-LaPadula model**: A mandatory access control model often used by governments and military organizations that enforces the rules that subjects may not read objects above their level and may not write to objects below their level.
- **Simple Security Property**: A rule in the Bell-LaPadula model stating that subjects may not read objects that are above their level.
- **Star Security Property**: A rule in the Bell-LaPadula model stating that subjects may not write to objects below their level.
- **access control**: Security mechanisms that restrict who can access specific resources, systems, or data based on user identity and permissions.
- **access control model**: A framework that describes how to determine which subjects have what type of access to which objects.
- **authorization**: Permission granted to an entity to have a certain type of access to a resource.
- **chmod**: A Linux command used to modify the permission settings for a file.
- **cryptographic key-generation requirements**: Organizational standards that specify how encryption keys must be created and initialized.
- **cryptographic key-storage requirements**: Organizational standards that specify how encryption keys must be securely stored and protected.
- **cryptography policy**: An organizational policy that specifies acceptable encryption protocols, algorithms, key lengths, and key management requirements.
- **data at rest**: Data that are stored on a drive or storage device and require protection from physical destruction, theft, or unauthorized access through encryption.
- **data classification**: The process of categorizing data based on sensitivity levels such as private, educational, healthcare, or financial to determine appropriate security controls.
- **data in transit**: Data being sent from one device to another over physical media or networks, requiring protection through encryption or physical media security.
- **data in use**: Data being actively processed by software or a person, requiring access controls to limit who or what can view or edit the data.
- **data labeling**: The practice of marking or identifying regulated data to ensure compliance with legal or regulatory requirements for safe storage, transmission, and handling.
- **data sensitivity**: The degree to which data require protection based on their classification and the potential impact of unauthorized access or disclosure.
- **discretionary access control (DAC)**: An access control model that gives individual subjects the ability to set the type of access that other subjects have on objects they own.
- **encryption**: A security technique that converts data into an unreadable format to prevent unauthorized access if data are stolen or intercepted.
- **encryption algorithms**: Mathematical procedures used to convert plaintext data into ciphertext using cryptographic keys.
- **encryption protocols**: Standardized methods and procedures for encrypting data to protect its confidentiality and integrity.
- **execute access**: Permission that allows a user to run a binary file such as a program.
- **file group**: A set of users grouped together; the second entity for which permissions are set in Linux.
- **file owner**: The user who created or owns a file; the first entity for which permissions are set in Linux.
- **getfacl**: A Linux command used to view additional permissions set on a file beyond the default three entities.
- **key lengths**: The size of cryptographic keys, typically measured in bits, which determines the strength of encryption.
- **key parameters**: Specifications that define how cryptographic keys are generated, stored, and used within an organization.
- **legal requirements**: Laws and regulations that mandate how certain types of data must be stored, transmitted, and handled by organizations.
- **ls -l**: A Linux command used to view the current permission settings for a file.
- **managerial controls**: Security measures that provide rules, guidelines, policies, and procedures to specify what security should be in place, including password policies and incident response plans.
- **mandatory access control (MAC)**: An access control model that follows strict rules for which types of access each subject level has for objects that are above, at, or below their level, with levels assigned by an external administrator.
- **numeric method**: A method of using chmod to set file permissions by assigning numeric values (0-7) to represent combinations of read, write, and execute permissions.
- **objects**: Files or applications that are protected by access control mechanisms.
- **operations**: Actions that subjects can perform on objects, such as access, modify, add, or remove.
- **payment card information (PCI)**: Data collected by organizations to process card payments, including name, account number, expiration date, address, and CVV code.
- **personally identifiable information**: Any data that allows someone to be identified, including name, signature, phone number, address, biometric data, social security number, date of birth, and email address.
- **principle of least privilege**: The security concept that entities should be given exactly as much access as they need to perform their function and no more.
- **protected health information (PHI)**: Any data related to an individual's health, treatment, or payment for healthcare, including test results, treatment records, hospital records, and doctor visit notes.
- **read access**: Permission that allows a user to view the contents of a file.
- **risk level**: A classification that indicates the severity and potential impact of a security vulnerability or threat.
- **role-based access control (RBAC)**: An access control model that assigns every subject to a role and defines which roles have which types of access to which objects.
- **rule-based access control (RuBAC)**: An access control model that checks a set of rules to determine what type of access a subject should have for a specific object and allows or denies access based on those rules.
- **security assessment**: A systematic evaluation of an application's security posture to identify vulnerabilities and weaknesses.
- **security control**: Measures or safeguards implemented to reduce the likelihood or impact of a risk.
- **subjects**: Users or applications that request access to resources in an access control system.
- **symbolic method**: A method of using chmod to set file permissions by using letters to represent entities (u, g, o, a) and permissions (r, w, x), with + or - to add or remove permissions.
- **vulnerability remediation**: The process of fixing or mitigating identified security weaknesses in applications.
- **web application security policy**: An organizational policy that outlines requirements and procedures for testing, assessing, and remediating vulnerabilities in web applications.
- **web application vulnerabilities**: Weaknesses or flaws in web applications that can be exploited by attackers to compromise security.
- **write access**: Permission that allows a user to make changes to a file.
- **write up, read down (WURD)**: A summary of the Bell-LaPadula model rules that allows subjects to write to higher-level objects and read from lower-level objects.

## FAQs

### What is the difference between RBAC, RuBAC, DAC, and MAC in AP Cybersecurity?

RBAC assigns permissions based on a user's role, while RuBAC uses a set of rules to allow or deny access and is typically layered on top of another model. DAC lets the file owner decide who gets access, and MAC uses strict security levels assigned by an external administrator that individual users cannot change.

### How does the Bell-LaPadula model work and what does write up read down mean?

Bell-LaPadula is a mandatory access control model used by governments and the military where subjects cannot read objects above their security level and cannot write to objects below their level. This is summarized as 'write up, read down' (WURD), and the no-writing-down rule prevents higher-clearance users from leaking secrets to lower-level objects.

### What is the difference between PII, PHI, and PCI and which laws protect each?

PII is any data that can identify a person and is protected by the Privacy Act of 1974 and COPPA for children under 13. PHI covers health and treatment records and is regulated by HIPAA, while PCI is payment card data such as account numbers and CVV codes, which is governed by the PCI-DSS standard.

### How do you use chmod numeric method in Linux for AP Cybersecurity?

The chmod numeric method uses three digits representing the owner, group, and other users, where read equals 4, write equals 2, and execute equals 1, and you add the values for the permissions you want each entity to have. For example, chmod 750 gives the owner full access (7), the group read and execute (5), and others no access (0).

### What are the three states of data and how does each one get protected?

Data at rest is stored on a drive and is protected through physical security and encryption. Data in transit is moving between devices and is protected by encrypting it so interceptors cannot read it. Data in use is actively being processed and must be unencrypted, so access controls are used to limit who can view or edit it.

