PrepAway - Latest Free Exam Questions & Answers

Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection?

A. C
B. B
C. A
D. D

Explanation:
The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which
was used to evaluate operating systems, applications, and different products. These evaluation criteria are
published in a book known as the Orange Book.
TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A: Verified protection
B: Mandatory protection
C: Discretionary protection
D: Minimal protection
Classification A represents the highest level of assurance, and D represents the lowest level of assurance.
Level C: Discretionary Protection: The C rating category has two individual assurance ratings within it. The
higher the number of the assurance rating, the greater the protection.
Incorrect Answers:
B: Level B is defined as mandatory protection, not discretionary protection.
C: Level A is defined as verified protection, not discretionary protection.
D: Level D is defined as minimal security, not discretionary protection.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 392, 394

