Non Discretionary Access Control include Role Based Access Control
(RBAC) and Rule Based Access Control (RBAC or RuBAC). RABC being a subset of
NDAC, it was easy to eliminate RBAC as it was covered under NDAC already.
Some people think that RBAC is synonymous with NDAC but RuBAC would also fall into this category.
Discretionary Access control is for environment with very low level of security. There is no control on the dissemination of the information. A user who has access to a file can copy the file or further share it with other users.
Rule Based Access Control is when you have ONE set of rules applied uniformly to all users. A good example would be a firewall at the edge of your network. A single rule based is applied against any packets received from the internet.
Mandatory Access Control is a very rigid type of access control. The subject must dominate the object and the subject must have a Need To Know to access the information. Objects have labels that indicate the sensitivity (classification) and there is also categories to enforce the Need To Know (NTK).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

"One-time" or "dynamic" password technology concept is having your remote host already know a password that is not going to go over insecure channels and when you connect, you get a challenge. You take the challenge information and password and plug it into an algorithm which generates the response that should get the same answer if the password is the same on the both sides. Therefore the password never goes over the network, nor is the same challenge used twice. Unlike SecurID or SNK, with S/key you do not share a secret with the host.
Other one time password technology is card systems where each user gets a card that generates numbers that allow access to their account. Without the card, it is improbable to guess the numbers.

File services share data files and subdirectories on file servers.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 99.

TCSEC does not separate functionality and assurance from evaluation. It makes them a combined criteria. Just to remember, The Trusted Computer System
Evaluation Criteria (TCSEC) is a collection of criteria used to grade or rate the security offered by a computer system product. The TCSEC is sometimes referred to as "the
Orange Book" because of its orange cover (Orange Book deals with networks and communications). The current version is dated 1985 (DOD 5200.28-STD, Library
No.S225,711) The TCSEC, its interpretations and guidelines all have different color covers, and are sometimes known as the "Rainbow Series". Database management is also covered in TCSEC.
The Orange Book is used to evaluate whether a product contains the security properties the vendor claims it does and whether the product is appropriate for a specific application or function. The Orange Book is used to review the functionality, effectiveness, and assurance of a product during its evaluation, and it uses classes that were devised to address typical patterns of security requirements.
- Shon Harris, "CISSP All-in-One Exam Guide", 3rd Ed, p 302.

Explanation/Reference:
Explanation:
Access control lists defines subjects that are authorized to access a specific object, and includes the level of authorization that subjects are granted.
Incorrect Answers:
A: A capability table stipulates the access rights that a specified subject has in relation to detailed objects.
C: An access control matrix is a table of subjects and objects that specifies the actions individual subjects can take upon individual objects.
D: A role-based matrix is not a valid answer with regards to this question.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 229-231