PrepAway - Latest Free Exam Questions & Answers

Which of the following components are considered part of the Trusted Computing Base?

A. Trusted hardware and firmware.

B. Trusted hardware and software.

C. Trusted hardware, software and firmware.

D. Trusted computer operators and system managers.

Explanation:
The trusted computing base (TCB) is a collection of all the hardware, software, and firmware components
within a system that provide some type of security and enforce the system’s security policy. The TCB does not
address only operating system components, because a computer system is not made up of only an operating
system. Hardware, software components, and firmware components can affect the system in a negative or
positive manner, and each has a responsibility to support and enforce the security policy of that particular
system. Some components and mechanisms have direct responsibilities in supporting the security policy, such
as firmware that will not let a user boot a computer from a USB drive, or the memory manager that will not let
processes overwrite other processes’ data. Then there are components that do not enforce the security policy
but must behave properly and not violate the trust of a system. Examples of the ways in which a component
could violate the system’s security policy include an application that is allowed to make a direct call to a piece of
hardware instead of using the proper system calls through the operating system, a process that is allowed to
read data outside of its approved memory space, or a piece of software that does not properly release
resources after use.
To assist with the evaluation of secure products, TCSEC introduced the idea of the Trusted Computing Base
(TCB) into product evaluation. In essence, TCSEC starts with the principle that there are some functions that
simply must be working correctly for security to be possible and consistently enforced in a computing system.
For example, the ability to define subjects and objects and the ability to distinguish between them is so
fundamental that no system could be secure without it. The TCB, then, is the set of these fundamental controls
implemented in a given system, whether in hardware, software, or firmware. Each of the TCSEC levels
describes a different set of fundamental functions that must be in place to be certified to that level.
Incorrect Answers:
A: Software is also considered part of the Trusted Computing Base.
B: Firmware is also considered part of the Trusted Computing Base.
D: Trusted computer operators and system managers are not considered part of the Trusted Computing Base.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 360
https://www.freepracticetests.org/documents/TCB.pdf

