CAP: Security Assessment and Authorization Certification

Standard for Assessing Computer Security Controls

Question

Which of the following is a standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system?

Answers

A. FITSAF
B. TCSEC
C. FIPS
D. SSAA

Explanations

Correct answer: B.

The standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system is the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book.

The TCSEC was developed by the United States Department of Defense in the 1980s to provide a standardized way of evaluating the security of computer systems. The TCSEC defines different security levels ranging from D (minimal protection) to A (maximum protection) and specifies the criteria that a system must meet to achieve each level.

The criteria defined by the TCSEC include:

  1. Security Policy: The system must have a clearly defined security policy that outlines the rules and guidelines for protecting the system.

  2. Access Control: The system must have mechanisms in place to control access to resources based on the user's identity and their level of authorization.

  3. Audit and Accountability: The system must be capable of generating audit records that can be used to trace events and activities back to specific users.

  4. Trusted Recovery: The system must have procedures in place to recover from security breaches and ensure the integrity of the system.

  5. Trusted Distribution: The system must ensure that software and data are distributed in a secure manner, and that only authorized individuals have access to sensitive information.

The other options listed in the question are:

A. FITSAF: The Federal Information Technology Security Assessment Framework (FITSAF) is a framework for assessing the security of federal information systems.

C. FIPS: The Federal Information Processing Standards (FIPS) are a set of standards developed by the U.S. government for use in computer systems.

D. SSAA: The System Security Authorization Agreement (SSAA) is a document that outlines the security controls and procedures for a system and is used to obtain authorization to operate.

While these other options are related to computer security, they do not specifically set basic requirements for assessing the effectiveness of computer security controls built into a computer system, as the TCSEC does.