Responsibility for Implementing User Clearances in B3-Level TCSEC Rating

Implementing User Clearances at B3-Level TCSEC Rating


Question

Who is responsible for implementing user clearances in computer-based information systems at the B3 level of the TCSEC rating?

Answers

Explanations


A. B. C. D.

A.

Security administrator functions include user-oriented activities such as setting user clearances, setting initial passwords, setting other security characteristics for new users, or changing security profiles for existing users.

Data owners have the ultimate responsibility for protecting data, thus determining proper user access rights to data.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

The B3 level of the Trusted Computer System Evaluation Criteria (TCSEC) is defined as a system that provides "good" security, meaning that it enforces mandatory access controls (MAC) and labels subjects and objects with sensitivity labels.

In this context, user clearances refer to the security clearance level that a user must possess in order to access certain data or perform specific tasks within a computer-based information system.

Therefore, the responsibility for implementing user clearances in computer-based information systems at the B3 level of the TCSEC rating falls on the security administrators.

Security administrators are responsible for managing and implementing security policies and procedures to protect the confidentiality, integrity, and availability of information systems and data. This includes defining user roles and access rights based on clearance levels and ensuring that access controls are properly configured to enforce these policies.

Operators are responsible for executing system commands and performing routine maintenance tasks, but they do not have the authority or expertise to define security policies or implement access controls.

Data owners are responsible for the content of the data, but they are not responsible for managing the security of the system that holds the data or the access controls used to protect it.

Data custodians are responsible for the physical and technical aspects of protecting the data, such as backups, storage, and recovery, but they do not have the authority to define access controls or security policies.

Therefore, the correct answer is A. Security administrators.