Effective CISSP Questions

Your company develops security products and competes in the market with the first-mover strategy. Time-to-market and third-party assurance, e.g., Common Criteria, are critical success factors. You lead the firewall development team. Which of the following does not belong to assurance requirements defined in Common Criteria?
A. Non-repudiation of origin
B. Security architecture
C. Functional specification
D. Security policy modelling

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Non-repudiation of origin.


It kind of relies on rote memorization. A. Non-repudiation of origin. I created that question as a reminder of the security functional requirements and security assurance requirements.

Security Functional Requirements (SFR)

Non-repudiation of origin (FCO_NRO) is a family of security functional requirements in the Class FCO: Communication.

Non-repudiation of origin ensures that the originator of information cannot successfully deny having sent the information. This family requires that the TSF provide a method to ensure that a subject that receives information during a data exchange is provided with evidence of the origin of the information. This evidence can then be verified by either this subject or other subjects.

Security Assurance Requirements (SAR)

Security Architecture (ADV_ARC), Functional specification (ADV_FSP), and Security policy modelling (ADV_SPM) are families of security assurance requirements in the Class ADV: Development.


  • Common Criteria for Information Technology Security Evaluation Part 2: Security functional components
  • Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components


My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

Leave a Reply