Which TCSEC (Orange Book) level requires the system to clearly identify functions of security
administrator to perform security-related functions?

A.
C2

B.
B1

C.
B2

D.
B3

Explanation:
B1: Labeled Security
Each data object must contain a classification label and each subject must have a clearance label.
When a subject attempts to access an object, the system must compare the subject and object’s
security labels to ensure the requested actions are acceptable. Data leaving the system must also
contain an accurate security label. The security policy is based on an informal statement and the
design specifications are reviewed and verified. It is intended for environments that require
systems to handle classified data.
B2: Structured Protection
The security policy is clearly defined and documented, and the system design and implementation
are subjected to more thorough review and testing procedures. This class requires more stringent
authentication mechanisms and well-defined interfaces among layers. Subjects and devices
require labels, and the system must not allow covert channels. A trusted path for logon and
authentication processes must be in place, which means there are no trapdoors. A trusted path
means that the subject is communicating directly with the application or operating system. There is
no way to circumvent or compromise this communication channel. There is a separation of
operator and administration functions within the system to provide more trusted and protected
operational functionality. Distinct address spaces must be provided to isolate processes, and a
covert channel analysis is conducted. This class adds assurance by adding requirements to the
design of the system.
The environment that would require B2 systems could process sensitive data that require a higher
degree of security. This environment would require systems that are relatively resistant to
penetration and compromise.
(A trusted path means that the user can be sure that he is talking to a genuine copy of the
operating system.)
B3: Security Domains
In this class, more granularity is provided in each protection mechanism, and the programming
code that is not necessary to support the security policy is exclude. The design and
implementation should not provide too much complexity because as the complexity of a system
increases, the ability of the individuals who need to test, maintain, and configure it reduces; thus,
the overall security can be threatened. The reference monitor components must be small enough
to test properly and be tamperproof. The security administrator role is clearly defined, and the
system must be able to recover from failures without it security level being compromised. When
the system starts up and loads it operating system and components, it must be done in an initial
secure state to ensure that any weakness of the system cannot be taken advantage of in this slice
of time. ” pg. 226 Shon Harris: All-In-One CISSP Certification Exam Guide