Which of the following best entails the security capabilities of an information system?
A. Security kernel
B. Enterprise architecture
C. Information security strategy
D. Trusted computing base (TCB)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Trusted computing base (TCB).
The CISSP exam outline mentioned the “security capabilities of information systems” and gave some technical examples such as memory protection, TPM, and cryptography. The security capabilities of information systems comprise not only technical means but also physical means and procedural means.
A combination of mutually-reinforcing security controls (i.e., safeguards and countermeasures) implemented by technical means (i.e., functionality in hardware, software, and firmware), physical means (i.e., physical devices and protective measures), and procedural means (i.e., procedures performed by individuals).
Source: NIST SP 800-53 Rev. 4
Trusted Computing Base
Totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.
Source: NIST SP 800-12 Rev. 1
The security kernel is a crucial part of the TCB in charge of access control.
Hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. Security kernel must 1) mediate all accesses, 2) be protected from modification, and 3) be verifiable as correct.
Source: CNSSI 4009-2015
Information Security Strategy
A strategy is a high-level plan that fulfills long-term goals or the vision and mission. It typically provides directions or an overall approach upon which action or implementation plans can be developed. As a result, the information security strategy won’t elaborate on security capabilities at the information systems level.
44 U.S.C., Sec. 3601
A strategic information asset base, which:
- defines 1) the mission; 2) the information necessary to perform the mission; 3) the technologies necessary to perform the mission; and 4) the transitional processes for implementing new technologies in response to changing mission needs; and
- includes 1) a baseline architecture; 2) a target architecture; and 3) a sequencing plan.
The description of an enterprise’s entire set of information systems:
- how they are configured,
- how they are integrated,
- how they interface to the external environment at the enterprise’s boundary,
- how they are operated to support the enterprise mission, and
- how they contribute to the enterprise’s overall security posture.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.