Effective CISSP Questions

Which of the following best entails the security capabilities of an information system?
A. Security kernel 
B. Enterprise architecture
C. Information security strategy
D. Trusted computing base (TCB)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Trusted computing base (TCB).

The CISSP exam outline mentions the “security capabilities of information systems” and gives some technical examples, such as memory protection, TPM, and cryptography. However, the security capabilities of information systems comprise not only technical means but also physical and procedural means.

Security Capabilities

A combination of mutually-reinforcing security controls (i.e., safeguards and countermeasures) implemented by technical means (i.e., functionality in hardware, software, and firmware), physical means (i.e., physical devices and protective measures), and procedural means (i.e., procedures performed by individuals).

Source: NIST SP 800-53 Rev. 4

Trusted Computing Base

Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.

Source: NIST SP 800-12 Rev. 1

Security Kernel

The security kernel is a crucial part of the TCB in charge of access control.

Hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. Security kernel must 1) mediate all accesses, 2) be protected from modification, and 3) be verifiable as correct.

Source: CNSSI 4009-2015
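
The three requirements in the definition above, sketched as a toy reference monitor in Python. This is an added example, not part of the original post or of the cited standard; the subjects, objects, and policy entries are constructed for illustration.

```python
from itertools import product
from types import MappingProxyType

# Constructed policy: (subject, object) -> permitted operations. The read-only
# mapping and frozensets stand in for requirement 2 (protected from
# modification); a real security kernel gets this from hardware/OS isolation.
POLICY = MappingProxyType({
    ("alice", "payroll.db"): frozenset({"read", "write"}),
    ("bob", "payroll.db"): frozenset({"read"}),
    ("bob", "audit.log"): frozenset({"write"}),
})

# Constructed object store; callers are expected to reach it only via access().
OBJECTS = {"payroll.db": ["row-1"], "audit.log": []}


def check(subject, obj, op):
    """Single decision point: default deny, allow only what POLICY lists."""
    return op in POLICY.get((subject, obj), frozenset())


def access(subject, obj, op, data=None):
    """Requirement 1 (mediate all accesses): each operation passes check()."""
    if not check(subject, obj, op):
        raise PermissionError(f"{subject} may not {op} {obj}")
    if op == "read":
        return list(OBJECTS[obj])  # copy, so callers cannot alter the store
    OBJECTS[obj].append(data)
    return None


def decision_table(subjects, objects, ops):
    """Requirement 3 (verifiable as correct): the decision logic is small
    enough to enumerate every (subject, object, op) triple for review."""
    return {t for t in product(subjects, objects, ops) if check(*t)}


if __name__ == "__main__":
    print(sorted(decision_table(["alice", "bob", "mallory"],
                                ["payroll.db", "audit.log"],
                                ["read", "write"])))
```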

Information Security Strategy

A strategy is a high-level plan that fulfills long-term goals or the vision and mission. It typically provides directions or an overall approach upon which action or implementation plans can be developed. As a result, the information security strategy won’t elaborate on security capabilities at the information systems level.

Enterprise Architecture

44 U.S.C., Sec. 3601

A strategic information asset base, which:

  • defines 1) the mission; 2) the information necessary to perform the mission; 3) the technologies necessary to perform the mission; and 4) the transitional processes for implementing new technologies in response to changing mission needs; and
  • includes 1) a baseline architecture; 2) a target architecture; and 3) a sequencing plan.

Source: NIST SP 800-128 under enterprise architecture 44 U.S.C., Sec. 3601

CNSSI 4009

The description of an enterprise’s entire set of information systems:

  • how they are configured,
  • how they are integrated,
  • how they interface to the external environment at the enterprise’s boundary,
  • how they are operated to support the enterprise mission, and
  • how they contribute to the enterprise’s overall security posture.

Source: NIST SP 800-128 under Enterprise Architecture CNSSI 4009



