4. The Common Criteria (CC) addresses which of the following in an uncommon way?
a. Confidentiality
b. Risks
c. Integrity
d. Availability
4. b. The Common Criteria (CC) addresses information protection from unauthorized disclosure (confidentiality), modification (integrity), or loss of use (availability). These are the most common ways. The CC is also applicable to risks arising from human activities (malicious or otherwise) and to risks arising from nonhuman activities, which is an uncommon way.
5. The scope of Common Criteria (CC) covers which of the following?
a. Physical protection
b. Administrative security
c. Electromagnetic emanation control
d. Quality of cryptographic algorithm
5. a. In particular, the Common Criteria (CC) addresses some aspects of physical protection. Administrative security is incorrect because the CC does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security functionality. Electromagnetic emanation control is incorrect because the CC does not cover the evaluation of technical physical aspects of IT security such as electromagnetic emanation control. Quality of cryptographic algorithm is incorrect because the CC does not cover the inherent qualities of cryptographic algorithms.
6. Which of the following is not one of the target audiences of the Common Criteria (CC) from a general interest viewpoint?
a. Security designers
b. Consumers
c. Developers
d. Evaluators
6. a. There are three groups with a general interest in evaluating the security properties of targets of evaluation (TOEs): consumers, developers, and evaluators. Additional interest groups that can benefit from information contained in the Common Criteria (CC) are system custodians, system security officers, auditors, security architects, and security designers.
7. Regarding the Common Criteria (CC), which of the following alone is not sufficient for use in common evaluation methodology?
1. Repeatability
2. Objectivity
3. Judgment
4. Knowledge
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
7. c. Use of a common evaluation methodology contributes to the repeatability and objectivity of the results, but it is not by itself sufficient. Many of the evaluation criteria require the application of expert judgment and background knowledge, for which consistency is more difficult to achieve.
8. Regarding the Common Criteria (CC), precise and universal rating for IT security products is infeasible due to:
1. Reducing risks
2. Protecting assets
3. Objective elements
4. Subjective elements
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
8. d. Evaluation should lead to objective and repeatable results that can be cited as evidence, even if there is no totally objective scale for representing the results of a security evaluation. As the application of criteria contains objective and subjective elements, precise and universal ratings for IT security are infeasible. Reducing risks and protecting assets are the outcomes of a target of evaluation (TOE).
9. Regarding the Common Criteria (CC), how should a Security Target (ST) be used?
1. Before evaluation
2. After evaluation
3. Detailed specification
4. Complete specification
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
9. c. A typical Security Target (ST) fulfills two roles: one before and during the evaluation, and one after the evaluation. Two roles that an ST should not fulfill are a detailed specification and a complete specification.
10. Regarding the Common Criteria (CC), how should a Protection Profile (PP) be used?
1. Specification of a single product
2. Complete specification
3. Requirements specification
4. Baseline
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
10. d. A protection profile (PP) is typically used as part of a requirement specification, part of a regulation from a specific regulatory entity, or a baseline defined by a group of IT developers. Three roles that a PP should not fulfill include a detailed specification, a complete specification, and a specification of a single product.
11. Regarding the Common Criteria (CC), the outcome of a target of evaluation (TOE) leads to:
1. Objective results
2. Repeatable results
3. Defensible results