Effective CISSP Questions

Your company develops security products. You are the head of the firewall product line and are studying well-known evaluation criteria for your products, e.g., TCSEC, ITSEC, and the Common Criteria. Which of the following is least preferable as an objective of the evaluation criteria?
A. To provide guidance for manufacturers to build trustworthy products
B. To provide users with a yardstick to assess the degree of trust of your products
C. To benchmark products in terms of cost/benefit to inform procurement decisions
D. To provide a basis for specifying security requirements in acquisition specifications

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. To benchmark products in terms of cost/benefit to inform procurement decisions.

Those evaluation criteria typically describe security requirements, e.g., security functional requirements and assurance requirements, and they tend to be vendor-neutral. Cost/benefit assessment varies from company to company because each company has its own business objectives, risk tolerance, budget, etc. Generally speaking, evaluation criteria are not suitable for prescribing criteria related to cost/benefit analysis.

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
