CISSP · Question #814
Changes to a Trusted Computing Base (TCB) system that could impact the security posture of that system and trigger a recertification activity are documented in the
The correct answer is A. security impact analysis.. Changes to a Trusted Computing Base (TCB) that may affect its security posture must be formally documented through a security impact analysis, which evaluates whether the change necessitates recertification or reaccreditation.
Question
Options
- Asecurity impact analysis.
- Bstructured code review.
- Croutine self assessment.
- Dcost benefit analysis.
How the community answered
(27 responses)- A93% (25)
- C4% (1)
- D4% (1)
Why each option
Changes to a Trusted Computing Base (TCB) that may affect its security posture must be formally documented through a security impact analysis, which evaluates whether the change necessitates recertification or reaccreditation.
A security impact analysis (SIA) is the formal process used to evaluate how proposed or implemented changes to a system - especially a high-assurance system like a TCB - affect its security controls and overall security posture. NIST SP 800-37 and SP 800-128 specifically require organizations to conduct an SIA before implementing configuration changes to determine whether those changes trigger a need for recertification or reauthorization of the system.
A structured code review is a software quality and security assurance technique focused on examining source code for vulnerabilities or defects, not a mechanism for documenting system-level changes that impact security posture or trigger recertification.
A routine self-assessment is a periodic evaluation of security controls against a baseline, not a targeted documentation activity specifically triggered by changes to a TCB that could alter its security posture.
A cost-benefit analysis is a financial and operational decision-making tool used to weigh the costs versus benefits of a security control or project, and has no formal role in documenting security-impacting changes to a TCB for recertification purposes.
Concept tested: Security impact analysis for TCB change management
Source: https://csrc.nist.gov/publications/detail/sp/800-128/final
Topics
Community Discussion
No community discussion yet for this question.