Risk can be positive or negative?

Franklin Shinn

Studying for CASP- Can you tell me where positive risk and negative risk was covered ?
also looking for TCSEC coverage ?
Saw this and it was explained in the practise tests but still not solid on this topic was hoping to watch that episode again or find study sheets or something.
Might take my test soon next few days or this week, depending on schedule juggle

Adam Gordon

@Franklin-Shinn , I hope all is well. First of all, I would not be overly concerned about EITHER of these two items, as they are unlikely to appear on the exam.

Having said that, Positive risk management is primarily concerned with identifying, assessing and managing potentially beneficial outcomes.

Trusted Computer System Evaluation Criteria (TCSEC) - frequently referred to as the Orange Book, was a United States Government Department of Defense standard that set basic standards for the implementation of security protections in computing systems. Strongly focused on enforcing confidentiality with no focus on other aspects of security such as integrity or availability. Although it has since been superseded by the common criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continues to be used. Introduced the idea of the Trusted Computing Base (TCB) into product evaluation.

TCSEC combines functionality & assurance rating of the confidentiality protection of a system into four categories. These are then subdivided into numbered subcategories:

Level Label           Requirements

    D                 Minimal Protection

    C1                Discretionary Protection

    C2                Controlled Access Protection

    B1                Labeled Security

    B2                Structured Protection

    B3                Security Domains

    A1                Verified Protection

Evaluation of a target system is used to assign the appropriate category ranking. "A" is the highest level.

Rainbow Series is where Orange Book comes from. Approx. 30 titles with different color designations make up the series. Red Book (Trusted Network Interpretation | TNI), discussed how to implement the Orange Book concept into a trusted network.

Hope that helps to clarify.

Good Luck on your exam ... If you have any other questions, please be in touch as needed.

Cheers,

Adam