Exam CISSP topic 1 question 17 discussion

Although I went for B: I assume they're talking about the IT Asset Management(ITAM) Tiers of which there are three: So there is no Tier 0 Tier 1 - Asset Data Collection - method to inventory every software application and virtual OS that runs on the hardware you have in your inventory Tier 2 - Asset Data Intelligence - normalize the information, to map the assets to relevant information, and to link the assets to their contracts, projects, departments, and people. Tier 3 - Asset Lifecycle management - processes that control how you purchase, procure, and dispose of IT assets. This includes virtual devices and software, along with the associated software licenses. NIST has it as Tier 1 - Reporting, Analytics, Data storage Tier 2 - Data collection ie location/HW/SW Tier 3 - Enterprise assets - Servers, workstations, Laptops etc So for tracking mobile devices, according to these it could be Tier 3 as the diagrams seem to work backwards to what you would expect (devices at level 1 etc)

In reference architecture models (like those used in industrial control systems or enterprise IT architecture), the tiers typically represent layers of control and responsibility. Here's how Tier 0 fits: Tier 0 includes the physical assets and endpoints — such as: Servers Workstations Mobile devices Sensors and field devices (in ICS environments) Tracking mobile devices as physical assets places them in Tier 0, where asset management and inventory control operate at the device level.

In the reference architecture model (like the Purdue Enterprise Reference Architecture, often used in cybersecurity and ICS/SCADA environments), the tiers or levels are generally defined as: Level 0: Physical processes (sensors, actuators) Level 1: Intelligent devices (PLCs, RTUs) Level 2: Control systems (SCADA, HMIs) Level 3: Operations and asset management (production workflows, tracking, data collection) Level 4: Business planning and logistics (ERP, corporate IT) Since the question involves tracking mobile devices using an asset management system, that clearly places it in: 👉 Level 3 – the Operations and Supervisory level, which is responsible for asset tracking, monitoring, and management systems. So again, the correct answer is: D. 3

There is no mention of NIST tiers, so assuming ITAM tiers, the answer is B. Mobile devices would be tracked starting from ITAM Tier 1 (for basic discovery) and continue through Tier 2 (for ongoing management and lifecycle tracking).

Explanation: In reference architectures, Tier 0 typically represents the physical layer of the architecture, which includes devices such as sensors, actuators, and mobile devices. This layer is responsible for directly interacting with the physical environment and providing data to higher tiers for processing and analysis. For mobile devices, they are considered part of the asset layer that needs to be tracked and managed, making them belong to Tier 0 in most reference architectures. Breakdown of Tiers: Tier 0: Physical devices and endpoints (e.g., mobile devices, sensors, and other assets). Tier 1: Edge processing, where data from Tier 0 is collected, processed, or aggregated locally. Tier 2: Centralized systems for data management and processing, like enterprise servers. Tier 3: Business and analytics applications that leverage processed data for decision-making. Tracking mobile devices in an asset management system starts at the Tier 0 level, where their identification, status, and usage data are collected.

You guys should stop confusing people. The Right Answer is D. Read the NIST pub below

Tier 3 as per NIST: Explanation: According to the NIST SP 1800-5 Vol B guidelines, Tier 3 is where mobile devices are actively tracked and managed using Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) systems. This tier is responsible for managing the devices, monitoring their status, ensuring compliance with security policies, and making real-time decisions regarding their security posture.

n the context of a reference architecture for tracking assets, mobile devices would typically be tracked in System Tier 1. This tier focuses on managing all end-user devices, including mobile devices, ensuring they are properly configured, secured, and monitored. So B is the right response

Per Google search: In a typical reference architecture, mobile devices would be tracked within the "Access" or "Presentation" tier as this layer represents the user interface and directly interacts with end-user devices like smartphones and tablets, where data is accessed and displayed. Key points about the access tier: Direct user interaction: This tier is where users interact with applications through their mobile devices, sending requests and receiving responses. Data presentation: The access tier is responsible for presenting data in a user-friendly format on the mobile device screen. Security considerations: Due to the direct user interaction, this tier requires robust security measures to protect sensitive data on mobile devices.

According to the NIST (National Institute of Standards and Technology) reference architecture, mobile devices would be tracked in Tier 1. Here's a brief overview of the tiers: Tier 0: This tier typically includes the physical infrastructure, such as hardware and network components. Tier 1: This tier includes the platform infrastructure, which encompasses operating systems, middleware, and mobile devices. Tier 2: This tier focuses on the application infrastructure, including applications and software services. Tier 3: This tier involves the business processes and information systems that support organizational operations.

Answer id B Tier 0: Facilities, power systems, and environmental controls. Tier 1: Hardware and software supporting IT infrastructure. Tier 2: Shared services like email, directories, and collaboration tools. Tier 3: Business-critical systems and databases.

NIST ITAM Reference Architecture clearly states these would fall into Tier 3 systems. Tier 3 - Enterprise assets - Servers, workstations, Laptops etc

The correct answer is A. 0. In a typical reference architecture, Tier 0 refers to the physical devices or endpoints, including mobile devices, that interact directly with the environment. Mobile devices, as physical assets, would be tracked in this tier because they represent the lowest level in the architecture, where the hardware and direct interfaces with the system occur. Tiers 1, 2, and 3 typically deal with higher levels of abstraction, such as applications, data processing, and overall system management.

Context because I see people quoting different tiers. This is CISSP Sysytem Tier architecture reference: The protection ring model is a security architecture model that uses layers to control code execution and access in an operating system: Layer 0: The most trusted layer, where the operating system kernel resides Layer 1: Contains nonprivileged parts of the operating system Layer 2: Contains I/O drivers, low-level operations, and utilities Layer 3: Contains applications and processes

Tier 2: This tier encompasses end-user devices, such as desktops, laptops, and mobile devices. These are the devices used daily by the end users to perform their tasks

System tier 1 is responsible for identifying and discovering the assets that are owned, leased, or used by the organization, and collecting information about their attributes, location, status, and configuration. System tier 1 can use various methods and technologies to identify and discover assets, such as barcodes, QR codes, RFID tags, GPS, Bluetooth, Wi-Fi, etc.

B Mobile devices would be tracked in Tier 1 of the asset management reference architecture. Tier 1 focuses on the hardware and software assets that support the overall IT environment. This includes things like servers, workstations, network devices, and mobile devices that provide compute infrastructure and platforms. Tier 0 contains facilities, power systems and environmental controls. Tier 2 consists of shared services like directories, email systems, and collaboration tools. Tier 3 comprises core line of business systems and databases.