Domain 3: Security Architecture and Engineering Review — 23 of 84

Domain 3 – Section A Review: Design Principles and Models

CISSP Domain 3 — Security Architecture and Engineering, Section A: Design Principles and Models Review (10 questions)

This section integrates:

  • Secure Design Principles (defense in depth, least privilege, separation of duties, fail-safe, zero trust, privacy by design)
  • Security Models (Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, state machine, information flow, noninterference)
  • Security Requirements and Control Selection (Common Criteria, EAL levels, baselines, scoping, tailoring, compensating controls)
  • Information System Security Capabilities (memory protection, virtualization, TPM, Secure Boot, HSM, RAID, failover)

Domain 3 Section A questions connect principles to models to controls. A design principle tells you what property to protect. A security model formalizes how. Evaluation criteria and control selection turn theory into procurement and implementation decisions. System security capabilities provide the hardware foundation.


1. Principles Guide Model Selection

When a scenario requires confidentiality, you think Bell-LaPadula. When it requires integrity through classification levels, Biba. When it requires integrity through controlled transactions, Clark-Wilson. When it requires conflict-of-interest prevention, Brewer-Nash. The design principle identifies the property; the model provides the formal structure.


2. Evaluation Connects Requirements to Products

Common Criteria bridges the gap between what you need (Protection Profile) and what vendors claim to deliver (Security Target). EAL levels measure how rigorously those claims were tested. Control baselines provide a starting point that you scope and tailor to fit your specific environment.


3. Hardware Is the Trust Anchor

Software controls are only as trustworthy as the platform they run on. TPM and Secure Boot establish boot integrity. HSMs protect high-value keys. Memory protection enforces process isolation. RAID and failover protect availability. Match the technology to the specific risk.


Section A Decision Pattern

When facing a Domain 3 Section A question:

  1. Identify the security property at stake — confidentiality, integrity, availability, or conflict of interest
  2. Match the property to the appropriate model or principle
  3. If the scenario involves product procurement or evaluation, apply Common Criteria concepts
  4. If the scenario involves hardware or platform security, identify the correct system capability
  5. If controls need adjustment, determine whether it is scoping, tailoring, or a compensating control

Section A – Practice Questions


Question 1

A defense contractor’s document management system allows a user with Secret clearance to read Confidential and Secret documents. The same user attempts to save a summary of Secret-level intelligence into an Unclassified folder shared with public affairs staff.

Which security model rule should block this action?

A. Biba Simple Integrity Axiom — the user cannot read down to unclassified data
B. Bell-LaPadula *-Property — the user cannot write to a lower classification level
C. Clark-Wilson Transformation Procedure — the save action is not an approved transaction
D. Bell-LaPadula Simple Security Property — the user cannot read above their clearance

Answer & reasoning

Correct: B

The user is writing Secret data to an Unclassified location — writing down. Bell-LaPadula’s *-Property (Star Property, no write down) prevents subjects from writing information to a lower classification level. This prevents classified data from flowing to less-protected locations where unauthorized people could access it. The Simple Security Property (D) addresses reading up, not writing down. Biba (A) addresses integrity, not confidentiality.


Question 2

A hospital’s electronic door access system is being redesigned. The architect must decide the failure behavior for the pharmacy drug storage room and the main patient corridor. During a power failure, the pharmacy must remain secured to prevent drug theft, while the corridor must allow free movement for evacuation.

What failure modes should be specified?

A. Both should fail-open to prioritize patient safety over asset protection
B. Both should fail-secure to prevent unauthorized access throughout the facility
C. Pharmacy: fail-secure (locked); corridor: fail-safe (unlocked)
D. Pharmacy: fail-safe (unlocked); corridor: fail-secure (locked)

Answer & reasoning

Correct: C

Different areas have different priorities. The pharmacy stores controlled substances — unauthorized access during a power failure is a theft and safety risk, so it should fail-secure (remain locked). The patient corridor is a life-safety path — locked doors during a power failure could trap patients and staff, so it should fail-safe (unlock). The correct answer applies different failure modes based on what each area protects.


Question 3

An accounting firm implements a new ERP system where accountants cannot directly edit the general ledger. Instead, they enter journal entries through a structured transaction form that validates debits equal credits, checks account codes against the chart of accounts, and creates an immutable audit trail before committing changes.

Which security model does this implementation reflect?

A. Bell-LaPadula — preventing unauthorized access to financial data
B. Biba — integrity levels prevent low-integrity input from reaching the ledger
C. Clark-Wilson — well-formed transactions through transformation procedures protect data integrity
D. Brewer-Nash — preventing conflicts of interest between accounting departments

Answer & reasoning

Correct: C

This is a textbook Clark-Wilson implementation. Users do not touch the ledger directly (Constrained Data Items). They interact through structured transaction forms (Transformation Procedures) that enforce business rules (debits equal credits, valid account codes). The audit trail serves as an Integrity Verification Procedure. Biba (B) also protects integrity but through classification levels, not controlled transactions. The scenario specifically describes procedural integrity enforcement, which is Clark-Wilson.


Question 4

A government agency publishes a document specifying that all database encryption products it purchases must support AES-256, role-based key management, automated key rotation, and tamper-evident logging. Three vendors submit proposals describing how their products meet these specifications.

In Common Criteria terms, what did the agency publish and what did the vendors submit?

A. The agency published a Security Target; vendors submitted Protection Profiles
B. The agency published a Protection Profile; vendors submitted Security Targets
C. The agency published an EAL requirement; vendors submitted Targets of Evaluation
D. The agency published Security Functional Requirements; vendors submitted Security Assurance Requirements

Answer & reasoning

Correct: B

The agency published a vendor-neutral specification of what any database encryption product must do — this is a Protection Profile (PP). Each vendor then submitted a document describing how their specific product meets those requirements — these are Security Targets (STs). The PP defines requirements for a product category; the ST describes how a specific product fulfills them. Answer A reverses the relationship.


Question 5

A development team deploys applications in a virtualized environment using a Type 2 hypervisor running on developer workstations. The security team discovers that a compromised application in one VM was able to access files on the host operating system, exposing source code for other projects.

What is the PRIMARY architectural weakness?

A. The VMs lacked memory protection mechanisms
B. A Type 2 hypervisor runs on a host OS, creating an additional attack surface that allows VM escape to the host
C. The developer workstations should have used RAID for data protection
D. The applications were not evaluated using Common Criteria

Answer & reasoning

Correct: B

Type 2 hypervisors run on top of a host operating system, which means an attacker who escapes the VM can access the host OS and everything on it — including other projects’ source code. A Type 1 (bare-metal) hypervisor would have a smaller attack surface because there is no underlying host OS to compromise. This is a VM escape scenario enabled by the Type 2 architecture’s inherent weakness.


Question 6

An investment bank employs analysts who serve clients in the pharmaceutical industry. An analyst who has been working with Pharma Company X for six months requests access to the financial projections of Pharma Company Y for a new engagement. The compliance department denies the request.

Which security model supports this decision?

A. Bell-LaPadula — the analyst lacks clearance for Company Y data
B. Biba — Company Y data integrity may differ from Company X data
C. Clark-Wilson — the access request is not a well-formed transaction
D. Brewer-Nash — accessing data from both competing companies creates a conflict of interest

Answer & reasoning

Correct: D

Both pharmaceutical companies are in the same conflict-of-interest class. Under the Brewer-Nash (Chinese Wall) model, once the analyst accessed Company X data, they became dynamically barred from accessing Company Y data — because possessing insider knowledge about both competitors would create an information advantage and a conflict of interest. This is a dynamic restriction based on access history, which is the defining characteristic of Brewer-Nash.
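The two models behind Question 1 and Question 6, and the principle-to-model mapping in point 1 above, as an added Python example that is not part of the review material: the Bell-LaPadula no-read-up and no-write-down checks, and a Brewer-Nash check whose decision depends on the subject's access history. The classification lattice, conflict-of-interest classes, subject and dataset names are constructed for the example.

```python
"""Toy access-decision functions for Bell-LaPadula and Brewer-Nash (added example)."""
from dataclasses import dataclass, field

# Constructed, ordered classification lattice: higher number = more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def blp_allows(subject_clearance: str, object_level: str, action: str) -> bool:
    """Bell-LaPadula confidentiality rules.

    read  -> Simple Security Property: no read up (object level <= clearance)
    write -> *-Property: no write down (object level >= clearance)
    """
    s, o = LEVELS[subject_clearance], LEVELS[object_level]
    if action == "read":
        return o <= s
    if action == "write":
        return o >= s
    raise ValueError(f"unknown action {action!r}")


@dataclass
class BrewerNash:
    """Chinese Wall model: access is barred once the subject has touched a
    competing dataset in the same conflict-of-interest (COI) class."""
    coi_class: dict            # dataset name -> COI class name (constructed)
    history: dict = field(default_factory=dict)  # subject -> set of datasets read

    def allows(self, subject: str, dataset: str) -> bool:
        wanted = self.coi_class[dataset]
        for seen in self.history.get(subject, set()):
            # Same COI class but a different company: conflict of interest.
            if seen != dataset and self.coi_class[seen] == wanted:
                return False
        return True

    def access(self, subject: str, dataset: str) -> bool:
        """Decide and, if permitted, record the access so later decisions change."""
        if not self.allows(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True


if __name__ == "__main__":
    # Question 1: Secret-cleared user saving into an Unclassified folder.
    print("write down allowed:", blp_allows("Secret", "Unclassified", "write"))
    # Question 6: analyst already on Pharma X asks for Pharma Y.
    wall = BrewerNash({"PharmaX": "pharma", "PharmaY": "pharma", "BankZ": "banking"})
    wall.access("analyst", "PharmaX")
    print("PharmaY allowed:", wall.access("analyst", "PharmaY"))
```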


Question 7

An organization categorizes its customer-facing web application as high impact under FIPS 199. The security team applies the NIST 800-53 high baseline. During implementation, they discover that the baseline includes controls for physical facility protection, but the application runs entirely in a cloud provider’s infrastructure. The organization does not control the physical data center.

How should the team handle the physical security controls?

A. Implement them by requesting the cloud provider install additional physical controls
B. Scope them out with documentation noting the organization does not operate physical infrastructure, and verify the cloud provider’s physical controls through their SOC reports
C. Replace them with compensating controls such as additional encryption
D. Move the application to on-premises infrastructure to satisfy the physical controls

Answer & reasoning

Correct: B

Scoping removes controls that do not apply to the organization’s operational context. The organization does not manage physical infrastructure — the cloud provider does. The appropriate approach is to scope out the physical controls from the organization’s baseline and verify that the cloud provider addresses them through SOC 2 reports or equivalent assurance. This is not a compensating control situation (C) because the controls do apply — just not to this organization. The responsibility shifts to the provider.


Question 8

A company’s IT service desk has a single administrator who creates user accounts, assigns permissions, and also handles account termination when employees leave. The same administrator can access all systems without logging or review. A former employee’s account remained active for three months after their departure.

Which design principle violations contributed to this situation?

A. Defense in depth and zero trust
B. Separation of duties and trust but verify
C. Least privilege and privacy by design
D. Fail-safe and security defaults

Answer & reasoning

Correct: B

Two principles are violated. First, separation of duties: one person controls account creation, permission assignment, and termination with no independent check. This concentration of authority means mistakes and intentional misuse go undetected. Second, trust but verify: the administrator operates without logging or review, so there is no verification mechanism. The stale account persisted because no independent process reviewed active accounts — a direct consequence of both violations.


Question 9

An organization’s certificate authority issues certificates for encrypted communications across all internal services. The CA’s root private key is currently stored in a software key store on the CA server. A security audit recommends moving the key to dedicated hardware that prevents extraction and supports high-speed signing operations.

What technology should the organization implement?

A. TPM on the CA server to bind the key to the platform
B. UEFI Secure Boot to protect the CA application during startup
C. Hardware Security Module (HSM) for tamper-resistant key storage and cryptographic processing
D. RAID 5 to protect against key loss from disk failure

Answer & reasoning

Correct: C

An HSM is purpose-built for protecting high-value cryptographic keys and performing high-speed cryptographic operations. It is tamper-resistant, prevents key extraction even by administrators with physical access, and supports the signing throughput a CA needs. A TPM (A) binds keys to a platform but is not designed for enterprise key management or high-volume operations. Secure Boot (B) protects the boot process. RAID (D) addresses disk availability, not key protection.


Question 10

A new cloud-based SaaS application collects user location data, browsing history, and purchase preferences. The product team plans to enable all data collection by default and allow users to opt out through a settings page buried three menus deep. The legal team asks whether this approach meets regulatory expectations.

Which design principle does this approach violate?

A. Defense in depth — the application relies on a single privacy control
B. Least privilege — the application collects more data than it needs
C. Privacy by design — personal data should be protected by default, not require users to actively opt out
D. Zero trust — the application trusts user data without verification

Answer & reasoning

Correct: C

Privacy by design requires that privacy is the default setting. Users should not need to navigate through multiple menus to protect their own data. The principle states that personal data should be automatically protected, with users opting in to less privacy rather than opting out. Collecting everything by default and making opt-out difficult violates both the “privacy as the default” and “respect for user privacy” foundational principles. This approach would also conflict with GDPR’s requirement for data protection by design and by default.
