PrepAway - Latest Free Exam Questions & Answers

which security level is the first to require a system t…

According to the Orange Book, which security level is the first to require a system to support separate operator
and system administrator roles?

A. A1

B. B1

C. B2

D. B3

Explanation:
B2: Structured Protection: The security policy is clearly defined and documented, and the system design and
implementation are subjected to more thorough review and testing procedures. This class requires more
stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require
labels, and the system must not allow covert channels. A trusted path for logon and authentication processes
must be in place, which means the subject communicates directly with the application or operating system, and
no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and
administration functions are separated within the system to provide more trusted and protected operational
functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is
conducted. This class adds assurance by adding requirements to the design of the system.
The type of environment that would require B2 systems is one that processes sensitive data that require a
higher degree of security. This type of environment would require systems that are relatively resistant to
penetration and compromise.
Incorrect Answers:
A: Separate operator and system administrator roles are required at level A1. However, they are also required
at the lower level of B2.
B: Separate operator and system administrator roles are not required at level B1.
D: Separate operator and system administrator roles are required at level B3. However, they are also required
at the lower level of B2.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 396
