ISC Exam Questions

Which of the following levels require mandatory protection?

The Orange Book describes four hierarchical levels to categorize security systems. Which of the following
levels require mandatory protection?

A. A and B.
B. B and C.
C. A, B, and C.
D. B and D.

Explanation:
The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which
was used to evaluate operating systems, applications, and different products. These evaluation criteria are
published in a book known as the Orange Book.
TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A: Verified protection
B: Mandatory protection
C: Discretionary protection
D: Minimal security
Classification A represents the highest level of assurance, and D represents the lowest level of assurance.
Level B is the lowest level that requires mandatory protection. Level A, being a higher level, also requires
mandatory protection.
Incorrect Answers:
B: Mandatory protection is not required for level C. Level C is Discretionary protection.
C: Mandatory protection is not required for level C. Level C is Discretionary protection.
D: Mandatory protection is not required for level D. Level D is Minimal security.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393