CISSP Practice Questions

Your company is procuring computer systems to support the new business of video streaming services. You are responsible for ensuring the computer systems are compliant with the security policies in your company. Which of the following is your most concern?
A. Trusted Computing Base
B. System Design Flaws
C. Security Kernel
D. Implicit Covert Channels

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

My suggested answer is A. Trusted Computing Base

Trusted Computing Base

Trusted Computing Base (TCB)

  • The totality of protection mechanisms within a computer system — including hardware, firmware, and software — the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system.
  • The ability of a trusted computing base to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user’s clearance) related to the security policy.

Security Kernel

The hardware, firmware, and software elements of a Trusted Computing Base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.


An error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed.

Covert Channel

A communication channel that allows a process to transfer information in a manner that violates the system’s security policy.

Source of Definitions: DoD 5200.28-STD (Orange Book)

3 thoughts on “CISSP PRACTICE QUESTIONS – 20190822

  1. Which of the following is your most concern?
    I feel, this question pointing to some vulnerability. option B is what i feel.
    Why some one concerned about TCB, which is a secure system.

    • Thanks for your feedback, Antony.
      A Trusted Computing Base (TCB) is trusted because it is evaluated and proofed to be trustworthy. This is where TCSEC and Common Criteria come into play. In other words, a TCB is not 100% trustworthy, so the TCB itself is a major concern. A system with CC EAL 7 is more trustworthy than the one with CC EAL 1, or we have more confidence in a system with CC EAL 7 then the one with CC EAL 1.
      The TCB is the totality of protection mechanisms, which includes concerns such as B. System Design Flaws, C. Security Kernel, and D. Implicit Covert Channels. A trustworthy TCB addresses these concerns. That’s why I suggest TCB as the answer.

Leave a Reply