Your company develops security products. You are the head of the firewall product line and studying well-known evaluation criteria for your products, e.g., TCSEC, ITSEC, Common Criteria, etc. Which of the following is least preferable as the objectives of the evaluation criteria?
A. To provide guidance for manufacturers to build trustworthy products
B. To provide users with a yardstick to assess the degree of trust of your products
C. To benchmark products in terms of cost/benefit to inform procurement decisions
D. To provide a basis for specifying security requirements in acquisition specifications
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. To benchmark products in terms of cost/benefit to inform procurement decisions.
Those evaluation criteria typically describe security requirements, e.g., security functional requirements and assurance requirements. They tend to be neutral to vendors. Assessment of cost/benefits varies from company to company because every company has its business objectives, risk tolerance, budget, etc. Generally speaking, evaluation criteria are not suitable for prescribing criteria related to cost/benefits analysis.
Reference
- The Orange Book
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.