Your company sells toys online worldwide, which is supported by a three-tiered E-Commerce web-based system. You are planning for patching the web servers and worried about the integrity of system configurations is compromised if failures occur when applying patches. Which of the following security functional components best addresses your concerns?
A. Reference monitor
B. Trusted path
C. Configuration management
D. Manual recovery

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Manual recovery.

Security Function vs Security Assurance

If a patch failed, it should be rolled back and recovered. Configuration management helps in the process of rollback and recovery, but it, on its own, cannot recover the patch. The recovery work is done by trusted recovery, a Security Functional Requirement (SFR) specified in the Common Criteria, while configuration management is a Security Assurance Requirement (SAR).

Moreover, the question is asking about “security functional components.”

Trusted Recovery

There are four types of trusted recovery defined in the Common Criteria:

1. Manual recovery: e.g., entering the safe mode of Windows to fix the problem manually.
2. Automated recovery: e.g., The blue screen of death (BSOD) pops up, and the Windows system reboots and repairs automatically. However, your files or data may get lost.
3. Automated recovery without undue loss: e.g., the BSOD pops up, Windows reboots, and your office files restored.
4. Functional recovery: e.g., if the installation program (setup.exe) failed, all the installed programs, files, and configurations are rolled back.