Effective CISSP Questions

A trusted computer system is typically designed based on a formal model. Which of the following is incorrect about the Trusted Computer System Evaluation Criteria (TCSEC)? (Wentz QOTD)
A. TCSEC is developed based on the Bell-LaPadula Model (BLP).
B. The clearance/classification scheme is expressed in terms of a lattice.
C. A trusted path ensures recovery without a compromise if secure state transitions fail.
D. Discretionary access control enables object sharing by named individuals or groups, or both.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. A trusted path ensures recovery without a compromise if secure state transitions fail.

Option C attributes to a trusted path a property that belongs to trusted recovery. Trusted recovery is the “ability to ensure recovery without compromise after a system failure.” (NIST Glossary) The Common Criteria (Part 2, class FPT) specify four components in the Trusted Recovery family (FPT_RCV):

  • Manual recovery (FPT_RCV.1)
  • Automated recovery (FPT_RCV.2)
  • Automated recovery without undue loss (FPT_RCV.3)
  • Function recovery (FPT_RCV.4)
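The following is an added example, not code from the original post, from the Common Criteria, or from any real TCB. It models what "recovery without compromise" means for a secure state transition: a transition either completes and leaves the system in a secure state, or trusted recovery rolls it back to the last secure state (the automated style of FPT_RCV.2); when no secure state can be reached, the model enters maintenance mode so that an administrator must intervene (the manual style of FPT_RCV.1). The secure-state invariant chosen here is the BLP simple security property over a level/category lattice; the subjects, objects, labels and the simulated failure are all constructed for the demonstration.

```python
"""Added example: a toy model of secure state transitions with trusted
recovery. It is not code from the original post, the Common Criteria or any
real TCB; the labels, subjects, objects and failure are constructed here."""
import copy

# Hierarchical levels; a label is (level, categories). Label a dominates label b
# when a's level is at least b's and a's categories include b's. This partial
# order is the clearance/classification lattice.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

def dominates(a, b):
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]

class RecoveryNeeded(Exception):
    """The TCB could not return to a secure state by itself (manual recovery)."""

class TCB:
    def __init__(self, clearances, labels):
        self.clearances = dict(clearances)   # subject -> (level, categories)
        self.labels = dict(labels)           # object  -> (level, categories)
        self.accesses = set()                # granted (subject, object) read accesses
        self.maintenance_mode = False
        self._checkpoint = None              # last known secure state

    def is_secure_state(self):
        """Simple security property: every held read access is by a subject
        whose clearance dominates the object's classification."""
        return all(dominates(self.clearances[s], self.labels[o])
                   for s, o in self.accesses)

    def transition(self, steps):
        """Apply the steps as one secure state transition: either all of them
        take effect and the result is secure, or trusted recovery undoes them."""
        if self.maintenance_mode:
            raise RecoveryNeeded("TCB is in maintenance mode")
        self._checkpoint = (copy.deepcopy(self.labels), set(self.accesses))
        try:
            for step in steps:
                step(self)
            if not self.is_secure_state():
                raise RuntimeError("transition would leave an insecure state")
        except Exception:
            return self.recover()
        self._checkpoint = None
        return True

    def recover(self):
        """Automated recovery (FPT_RCV.2 style): roll back to the checkpoint.
        If no secure state can be reached, enter maintenance mode so that an
        administrator must intervene (FPT_RCV.1 style manual recovery)."""
        if self._checkpoint is not None:
            self.labels, self.accesses = self._checkpoint
            self._checkpoint = None
        if self.is_secure_state():
            return False            # transition undone, state secure again
        self.maintenance_mode = True
        raise RecoveryNeeded("automated recovery failed; manual recovery required")

# Transition steps (constructed for the demonstration).
def grant(subject, obj):
    return lambda tcb: tcb.accesses.add((subject, obj))

def relabel(obj, label):
    def step(tcb):
        tcb.labels[obj] = label
    return step

def crash(tcb):
    raise IOError("simulated failure in the middle of a transition")

def demo():
    tcb = TCB(clearances={"alice": ("S", frozenset({"crypto"})),
                          "bob":   ("C", frozenset())},
              labels={"plan.doc":   ("C", frozenset()),
                      "budget.xls": ("U", frozenset())})
    ok = tcb.transition([grant("alice", "plan.doc"), grant("bob", "budget.xls")])
    # A crash after the first step: the partial grant must not survive.
    failed = tcb.transition([grant("bob", "plan.doc"), crash])
    # Adding the "crypto" category to plan.doc while bob holds access would
    # break the invariant, so the whole transition is rejected and undone.
    rejected = tcb.transition([grant("bob", "plan.doc"),
                               relabel("plan.doc", ("C", frozenset({"crypto"})))])
    return ok, failed, rejected, tcb.is_secure_state(), sorted(tcb.accesses)

def demo_manual_recovery():
    # Restored from a corrupted checkpoint: the recorded accesses already
    # violate the invariant, so automated recovery cannot establish security.
    tcb = TCB({"bob": ("C", frozenset())}, {"plan.doc": ("S", frozenset())})
    tcb.accesses.add(("bob", "plan.doc"))
    try:
        tcb.recover()
    except RecoveryNeeded:
        return tcb.maintenance_mode
    return False
```

Nothing in this model involves a trusted path: the user never talks to it. The property the question's option C describes (the system returns to a secure state after a failed transition) is entirely a matter of the TCB's own state handling, which is why the option is wrong.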

Trusted Path

Trusted Path and Trusted Channel

Trusted path is “a mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software.” (NIST Glossary) Its purpose is to assure the user that a login or authentication dialog really comes from the TCB rather than from a program impersonating it; it says nothing about what happens after a failure. In the TCSEC the requirement first appears at class B2, which requires the TCB to support a trusted communication path between itself and the user for initial login and authentication, with communication over that path initiated exclusively by the user.

TCSEC, The Orange Book

There are 38 references listed in the TCSEC, and the Bell and LaPadula report is one of them; the mandatory access control requirements from class B1 upward restate its simple security property (no read up) and *-property (no write down):

Bell, D. E. and LaPadula, L. J. Secure Computer Systems: Unified Exposition and Multics Interpretation, MTR-2997 Rev. 1, MITRE Corp., Bedford, Mass., March 1976.

The Orange Book (Image Credit: Luis F. Gonzalez)

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications.

Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985, TCSEC was eventually replaced by the Common Criteria international standard, originally published in 2005.

On 24 October 2002, The Orange Book (aka DoDD 5200.28-STD) was canceled by DoDD 8500.1, which was later reissued as DoDI 8500.02, on 14 March 2014.

Source: Wikipedia

Discretionary Access Control

The TCB shall define and control access between named users and named objects (e.g., files and programs) in the ADP system. The enforcement mechanism (e.g., self/group/public controls, access control lists) shall allow users to specify and control sharing of those objects by named individuals or defined groups or both.

Source: TCSEC, class C1 (Discretionary Access Control). Class C2 strengthens the same requirement: access permission to an object may be assigned only by authorized users, the controls must be able to include or exclude access at the granularity of a single user, and the propagation of access rights must be limited.
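As an added example (not TCSEC text and not any real system's code), the following implements the enforcement mechanism the requirement describes: named users and named objects, an access control list per object whose entries name an individual, a defined group, or the public, and a default-deny reference check. It also includes the C2 strengthening that only the owner may change who an object is shared with. The users, groups, objects and ACL contents are constructed for the demonstration.

```python
"""Added example: a small discretionary access control enforcement mechanism
in the style the TCSEC C1/C2 requirement describes. It is not TCSEC text and
not any real system's code; users, groups, objects and ACL contents are
constructed here."""

class Denied(Exception):
    pass

class DacTcb:
    """Named users and named objects; an ACL per object whose entries name a
    user, a defined group, or the public ("*"). Access is denied unless an
    entry grants the requested mode, and only the object's owner may change
    the ACL (the C2 rule that access is assigned only by authorized users)."""

    def __init__(self, groups):
        self.groups = {g: set(m) for g, m in groups.items()}   # defined groups
        self.objects = {}   # name -> {"owner": user, "acl": {(kind, name): modes}}

    def create(self, owner, name):
        # The creator owns the object and initially is the only one with access.
        self.objects[name] = {"owner": owner,
                              "acl": {("user", owner): {"read", "write"}}}

    def share(self, requester, name, kind, who, modes):
        """Owner specifies sharing by a named individual, a defined group, or
        everyone (kind == "public", who == "*")."""
        entry = self._owned_by(requester, name)
        if kind not in ("user", "group", "public"):
            raise ValueError(f"unknown principal kind {kind!r}")
        if kind == "group" and who not in self.groups:
            raise ValueError(f"undefined group {who!r}")
        entry["acl"].setdefault((kind, who), set()).update(modes)

    def revoke(self, requester, name, kind, who):
        """Owner withdraws sharing; the owner's own entry cannot be removed."""
        entry = self._owned_by(requester, name)
        if (kind, who) != ("user", entry["owner"]):
            entry["acl"].pop((kind, who), None)

    def access(self, user, name, mode):
        """Reference check, default deny: the named user, then every defined
        group the user belongs to, then the public entry."""
        entry = self.objects.get(name)
        if entry is None:
            return False
        acl = entry["acl"]
        if mode in acl.get(("user", user), ()):
            return True
        if any(user in members and mode in acl.get(("group", g), ())
               for g, members in self.groups.items()):
            return True
        return mode in acl.get(("public", "*"), ())

    def _owned_by(self, requester, name):
        entry = self.objects[name]
        if requester != entry["owner"]:
            raise Denied(f"{requester} does not own {name}")
        return entry

def demo():
    """Constructed scenario; returns the access decisions for inspection."""
    tcb = DacTcb(groups={"finance": {"bob", "carol"}, "eng": {"dave"}})
    tcb.create("alice", "budget.xls")
    tcb.share("alice", "budget.xls", "group", "finance", {"read"})
    tcb.share("alice", "budget.xls", "user", "dave", {"read", "write"})
    out = {
        "owner write":          tcb.access("alice", "budget.xls", "write"),
        "finance member read":  tcb.access("carol", "budget.xls", "read"),
        "finance member write": tcb.access("carol", "budget.xls", "write"),
        "named user write":     tcb.access("dave", "budget.xls", "write"),
        "stranger read":        tcb.access("erin", "budget.xls", "read"),
        "missing object":       tcb.access("alice", "nope.txt", "read"),
    }
    try:   # a non-owner cannot grant access, not even to herself
        tcb.share("carol", "budget.xls", "user", "carol", {"write"})
        out["non-owner share"] = "allowed"
    except Denied:
        out["non-owner share"] = "denied"
    tcb.revoke("alice", "budget.xls", "group", "finance")
    out["finance read after revoke"] = tcb.access("carol", "budget.xls", "read")
    tcb.share("alice", "budget.xls", "public", "*", {"read"})
    out["public read"] = tcb.access("erin", "budget.xls", "read")
    return out
```

The "discretion" in discretionary access control sits with the owner: the ACL says who may do what, but only the owner may edit it. A mandatory policy such as the BLP lattice would be enforced by the TCB in addition to this check, not instead of it.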

Security Kernel
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A trusted computer system is typically designed based on a formal model. Which of the following is incorrect about the Trusted Computer System Evaluation Criteria (TCSEC)? (Wentz QOTD)
A. TCSEC is developed based on the Bell-LaPadula Model (BLP).
B. The clearance/classification scheme is expressed in terms of a lattice.
C. If secure state transitions fail, a trusted path ensures recovery without compromise.
