Your company sells toys online worldwide, which is supported by a three-tiered E-Commerce web-based system. You are planning for patching the web servers and worried about the integrity of system configurations is compromised if failures occur when applying patches. Which of the following security functional components best addresses your concerns?
A. Reference monitor
B. Trusted path
C. Configuration management
D. Manual recovery
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Manual recovery.
Security Function vs Security Assurance
If a patch failed, it should be rolled back and recovered. Configuration management helps in the process of rollback and recovery, but it, on its own, cannot recover the patch. The recovery work is done by trusted recovery, a Security Functional Requirement (SFR) specified in the Common Criteria, while configuration management is a Security Assurance Requirement (SAR).
Moreover, the question is asking about “security functional components.”
There are four types of trusted recovery defined in the Common Criteria:
- Manual recovery: e.g., entering the safe mode of Windows to fix the problem manually.
- Automated recovery: e.g., The blue screen of death (BSOD) pops up, and the Windows system reboots and repairs automatically. However, your files or data may get lost.
- Automated recovery without undue loss: e.g., the BSOD pops up, Windows reboots, and your office files restored.
- Functional recovery: e.g., if the installation program (setup.exe) failed, all the installed programs, files, and configurations are rolled back.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.