PrepAway - Latest Free Exam Questions & Answers

Which TCSEC (Orange Book) level requires the system to clearly identify functions of security
administrator to perform security-related functions?

A. C2
B. B1
C. B2
D. B3

Explanation:

B1: Labeled Security
Each data object must contain a classification label and each subject must have a clearance label.
When a subject attempts to access an object, the system must compare the subject and object’s
security labels to ensure the requested actions are acceptable. Data leaving the system must also
contain an accurate security label. The security policy is based on an informal statement and the
design specifications are reviewed and verified. It is intended for environments that require systems
to handle classified data.

B2: Structured Protection
The security policy is clearly defined and documented, and the system design and implementation
are subjected to more thorough review and testing procedures. This class requires more stringent
authentication mechanisms and well-defined interfaces among layers. Subjects and devices require
labels, and the system must not allow covert channels. A trusted path for logon and authentication
processes must be in place, which means there are no trapdoors. A trusted path means that the
subject is communicating directly with the application or operating system. There is no way to
circumvent or compromise this communication channel. There is a separation of operator and
administration functions within the system to provide more trusted and protected operational
functionality. Distinct address spaces must be provided to isolate processes, and a covert channel
analysis is conducted. This class adds assurance by adding requirements to the design of the system.
The environment that would require B2 systems could process sensitive data that require a higher
degree of security. This environment would require systems that are relatively resistant to
penetration and compromise.
(A trusted path means that the user can be sure that he is talking to a genuine copy of the operating
system.)

B3: Security Domains
In this class, more granularity is provided in each protection mechanism, and the programming code
that is not necessary to support the security policy is excluded. The design and implementation should
not provide too much complexity because as the complexity of a system increases, the ability of the
individuals who need to test, maintain, and configure it reduces; thus, the overall security can be
threatened. The reference monitor components must be small enough to test properly and be
tamperproof. The security administrator role is clearly defined, and the system must be able to
recover from failures without its security level being compromised. When the system starts up and
loads its operating system and components, it must be done in an initial secure state to ensure that
any weakness of the system cannot be taken advantage of in this slice of time.” pg. 226 Shon Harris:
All-In-One CISSP Certification Exam Guide

