Mandatory Protection Levels in TCSEC (Orange Book) | SSCP Exam Question

First Level (Lower) in TCSEC (Orange Book) - SSCP Exam Question

Question

Which of the following classes is the first level (lower) defined in the TCSEC (Orange Book) as mandatory protection?

Answers

Explanations

A. B. C. D.

A.

B level is the first Mandatory Access Control Level.

First published in 1983 and updated in 1985, the TCSEC, frequently referred to as the Orange Book, was a United States Government Department of Defense (DoD) standard that set basic standards for the implementation of security protections in computing systems.

Primarily intended to help the DoD find products that met those basic standards, TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information on military and government systems.

As such, it was strongly focused on enforcing confidentiality with no focus on other aspects of security such as integrity or availability.

Although it has since been superseded by the Common Criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continue to be used.

Reference used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 17920-17926). Auerbach Publications. Kindle Edition.

And THE source for all TCSEC "level" questions: http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt (paragraph 3 for this one)

The Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, is a United States Government Department of Defense standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system.

The TCSEC defines four levels of security, ranging from the lowest to the highest level: D, C, B, and A. Each level is associated with a set of security requirements, with higher levels requiring more stringent security controls.

In the context of the TCSEC, the term "mandatory protection" refers to the requirement that a computer system must enforce access controls to prevent unauthorized users from accessing sensitive data or functions.

The first level of mandatory protection defined in the TCSEC is Level B, which requires the implementation of discretionary access controls (DAC) and identification and authentication mechanisms to protect against unauthorized access.

Therefore, the correct answer to the question is A. B.