{"id":264,"date":"2021-01-17T05:30:21","date_gmt":"2021-01-16T17:56:45","guid":{"rendered":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0256\/"},"modified":"2021-01-17T05:44:00","modified_gmt":"2021-01-17T05:44:00","slug":"systems-security-certified-practitioner-sscp-question0256","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0256\/","title":{"rendered":"Systems Security Certified Practitioner &#8211; SSCP &#8211; Question0256"},"content":{"rendered":"<div class=\"question\">The Orange Book states that &quot;Hardware and software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB [Trusted Computing Base].&quot; This statement is the formal requirement for: <br \/><strong><br \/>A.<\/strong> Security Testing. <br \/><strong>B.<\/strong> Design Verification. <br \/><strong>C.<\/strong> System Integrity. <br \/><strong>D.<\/strong> System Architecture Specification.<\/div>\n<p><\/p>\n<style> .hidden-div{ display:none } <\/style>\n<p>\t\t\t\t\t\t\t<button onclick=\"getElementById('hidden-div').style.display = 'block'\"> Show Answer <\/button> <button onclick=\"getElementById('hidden-div').style.display = 'none'\">Hide Answer<\/button><\/p>\n<div class=\"hidden-div\" id=\"hidden-div\"><span style=\"\"><\/p>\n<div class=\"answer\">Correct Answer: <strong>C<\/strong><\/div>\n<p><strong>Explanation:<\/strong> <\/p>\n<div class=\"explanation\">\nThis is a requirement starting as low as C1 within the TCSEC rating.<br \/>\nThe Orange book requires the following for System Integrity Hardware and\/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB.<br \/>\nNOTE FROM CLEMENT: This is a question that confuses a lot of people because most people take for granted that the orange book with its associated Bell LaPadula model has nothing to do with integrity. However you have to be careful about the context in which the word integrity is being used. You can have Data Integrity and you can have System Integrity which are two completely different things.<br \/>\nYes, the Orange Book does not specifically address the Integrity requirements, however it has to run on top of systems that must meet some integrity requirements.<br \/>\nThis is part of what they call operational assurance which is defined as a level of confidence of a trusted system\u2019s architecture and implementation that enforces the system\u2019s security policy. It includes:<br \/>\nSystem architecture Covert channel analysis System integrity Trusted recovery<br \/>\nDATA INTEGRITY<br \/>\nData Integrity is very different from System Integrity. When you have integrity of the data, there are three goals:<br \/>\n1. Prevent authorized users from making unauthorized modifications<br \/>\n2. Preven unauthorized users from making modifications 3. Maintaining internal and external consistancy of the data<br \/>\nBell LaPadula which is based on the Orange Book address does not address Integrity, it addresses only Confidentiality. Biba address only the first goal of integrity. Clark-Wilson addresses the three goals of integrity.<br \/>\nIn the case of this question, there is a system integrity requirement within the TCB. As mentioned above here is an extract of the requirements: Hardware and\/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB.<br \/>\nThe following answers are incorrect:<br \/>\nSecurity Testing. Is incorrect because Security Testing has no set of requirements in the Orange book.<br \/>\nDesign Verification. Is incorrect because the Orange book&#8217;s requirements for Design Verification include: A formal model of the security policy must be clearly identified and documented, including a mathematical proof that the model is consistent with its axioms and is sufficient to support the security policy.<br \/>\nSystem Architecture Specification. Is incorrect because there are no requirements for System Architecture Specification in the Orange book.<br \/>\nThe following reference(s) were used for this question:<br \/>\nTrusted Computer Security Evaluation Criteria (TCSEC), DoD 5200.28-STD, page 15, 18, 25, 31, 40, 50.<br \/>\nHarris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Security Architecture and Design, Page 392-397, for users with the Kindle Version see Kindle Locations 28504-28505. and DOD TCSEC &#8211;<a href=\"http:\/\/www.cerberussystems.com\/INFOSEC\/stds\/d520028.htm\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/www.cerberussystems.com\/INFOSEC\/stds\/d520028.htm<\/a><\/div>\n<p><\/strong><\/span> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Orange Book states that &quot;Hardware and software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB [Trusted Computing Base].&quot; This statement is the formal requirement for: A. Security Testing. B. Design Verification. C. System Integrity. D. System Architecture Specification. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1078,259,3],"class_list":["post-264","post","type-post","status-publish","format-standard","hentry","category-systems-security-certified-practitioner-sscp","tag-choices","tag-question-0256","tag-systems-security-certified-practitioner-sscp"],"_links":{"self":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/comments?post=264"}],"version-history":[{"count":1,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/264\/revisions"}],"predecessor-version":[{"id":1340,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/264\/revisions\/1340"}],"wp:attachment":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/media?parent=264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/categories?post=264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/tags?post=264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}