PrepAway - Latest Free Exam Questions & Answers

Which of the following statements pertaining to the Trusted Computer System Evaluation Criteria
(TCSEC) is incorrect?

A. With TCSEC, functionality and assurance are evaluated separately.

B. TCSEC provides a means to evaluate the trustworthiness of an information system.

C. The Orange book does not cover networks and communications.

D. Database management systems are not covered by the TCSEC.

Explanation:
TCSEC does not evaluate functionality and assurance separately; it treats them as
combined criteria. As a reminder, the Trusted Computer System Evaluation Criteria
(TCSEC) is a collection of criteria used to grade or rate the security offered by a computer system
product. The TCSEC is sometimes referred to as “the Orange Book” because of its orange cover
(the Orange Book deals with networks and communications). The current version is dated 1985 (DOD
5200.28-STD, Library No. S225,711). The TCSEC, its interpretations and guidelines all have
different color covers, and are sometimes known as the “Rainbow Series”. Database management
is also covered in TCSEC.

The Orange Book is used to evaluate whether a product contains the security properties the
vendor claims it does and whether the product is appropriate for a specific application or function.
The Orange Book is used to review the functionality, effectiveness, and assurance of a product
during its evaluation, and it uses classes that were devised to address typical patterns of security
requirements.
– Shon Harris, “CISSP All-in-One Exam Guide”, 3rd Ed, p 302.
