The PRIMARY difference between the TCSEC and ITSEC data classifications is:
a. ITSEC classifications are based on integrity
b. TCSEC classifications are based on government requirements
c. ITSEC classifications are based on international requirements
d. TCSEC classifications are based on mandatory requirements
I've never seen a reference for this question, although I assume there must be one, somewhere. This is the type of question that proves that, no, you can't just get the right book and have all the answers. You have to understand that, although TCSEC is based on government requirements, and ITSEC is based on international input, and TCSEC does talk (at some levels) about mandatory (as opposed to discretionary) requirements, the addition of integrity is a fundamental change over TCSEC (which was only concerned with confidentiality). You have to understand the concepts, and the implications.
...it's just one that a surprising number of people get wrong....
This also serves as an example of why psycho-analytics are performed on the exam. Over time, (ISC)² deletes questions which are regularly answered incorrectly by those who pass. So, if most people disagree with "D", the question will eventually get kicked out, regardless of whether D is right or wrong.
Actually they really resist a question getting kicked out as in eliminated. I just participated in something ISC2 tried for the first time, and that is a CISSP item rework workshop. We got questions "kicked back" to rework to address some defect that statistics showed as a poor performer. There were many scenarios the questions fell in, and although I thought it would be easier than writing original content, it was not. There were a few that were so easy they were not salvageable; in my opinion, anyone subject to a good security awareness program could answer the question, and thus I recommended tossing it. It was another great learning experience for me provided by ISC2.
What is the PRIMARY use of a password?
a. Allow access to files.
b. Identify the user.
c. Authenticate the user.
d. Segregate various users' accesses.
Reference: Info Systems Security; Fites & Kratz; pg 4; 1.2.4
Some of the easier questions you'll face allow you to quickly eliminate a couple of the options. In this case, while file access and other types of access are going to be related to a login process, they clearly aren't primary. That leaves you with two fairly similar options: identifying and authenticating the user. At this point you should be a little careful, and remember that identification is the function of the username. The password is used for authentication.
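To make the distinction concrete, here is an added example (not code from this thread) in which the username only claims an identity and the password is what proves it; the `identify`, `authenticate` and `USERS` names and the fixed salt are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample credential store: username -> (salt, PBKDF2-SHA256 hash).
# The salt is fixed here only so the example is reproducible; real systems use a
# random salt per account.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"example-salt-16b"
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
}

# Dummy record used when the username is unknown, so authenticate() does the same
# amount of work whether or not the account exists (limits account enumeration
# by response timing).
_DUMMY = _hash("dummy", _SALT)

def identify(username: str) -> bool:
    """Identification: the username merely asserts who the caller claims to be."""
    return username in USERS

def authenticate(username: str, password: str) -> bool:
    """Authentication: the password is the evidence that the claimed identity is genuine."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    candidate = _hash(password, salt)
    # Constant-time comparison, and a match against the dummy record never counts.
    return hmac.compare_digest(candidate, stored) and username in USERS
```

Identifying a user (a known username) does not grant anything; only a successful `authenticate` call should lead to authorization decisions such as file access.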
...We got questions "kicked back" to rework to address some defect that statistics showed as a poor performer...
That seems like a valuable enhancement. There is value in "human review" and salvaging what one can. I do suspect that the reworked question would reenter the whole testing and psycho-analysis processes and if it remains a poor performer, it would again be kicked back/out.
The fascinating part to me is that although citations and references are important to the question development process, it is group consensus that ultimately determines the correct answer. Over time, this eliminates the problem of faulty references.
So many moons ago, all items that had bad stats were kicked out to determine if they were worth saving or not.
When one was rewritten, it did go back into the process and started its life all over again, so that new stats were generated to determine if the rewrite made the question any better. Sometimes it worked; other times it didn't.