Exam CISSP topic 1 question 17 discussion

Although I went for B: I assume they're talking about the IT Asset Management(ITAM) Tiers of which there are three: So there is no Tier 0 Tier 1 - Asset Data Collection - method to inventory every software application and virtual OS that runs on the hardware you have in your inventory Tier 2 - Asset Data Intelligence - normalize the information, to map the assets to relevant information, and to link the assets to their contracts, projects, departments, and people. Tier 3 - Asset Lifecycle management - processes that control how you purchase, procure, and dispose of IT assets. This includes virtual devices and software, along with the associated software licenses. NIST has it as Tier 1 - Reporting, Analytics, Data storage Tier 2 - Data collection ie location/HW/SW Tier 3 - Enterprise assets - Servers, workstations, Laptops etc So for tracking mobile devices, according to these it could be Tier 3 as the diagrams seem to work backwards to what you would expect (devices at level 1 etc)

Tier 0: Physical Layer . - This layer includes the actual mobile devices (smartphones, tablets, etc.) and other physical assets that need to be tracked. It's where the initial data about the asset is collected, such as its identification, location, and status.

When you include mobile devices to your Asset management system they are included as part of your organization's IT infrastructure, which change how they're classified in the reference architecture. In most reference architectures (such as NIST, DOD, or enterprise IT models), moblie devices fall under Tier1 = Client Trier (or Endpoint tier)

| **Tier** | **Description** | **Examples** | | -------- | ------------------------------------ | ---------------------------------------------------------- | | **0** | **Physical process / field devices** | Sensors, actuators, **mobile devices**, physical equipment | | **1** | **Basic control** | PLCs, embedded controllers | | **2** | **Supervisory control** | SCADA, HMI | | **3** | **Operations management** | MES (Manufacturing Execution Systems), batch management | | **4** | **Enterprise level** | ERP systems, business planning |

Tier 1 generally deals with primary assets that require direct management and oversight. Mobile devices, as part of the organization’s core IT infrastructure, would be tracked here for better visibility, security, and lifecycle management. A. 0: This tier is typically reserved for core infrastructure or foundational components that form the backbone of the system, like servers or core network devices. C. 2: This tier may represent secondary systems or systems that interface with Tier 1 systems but aren’t directly responsible for asset management. D. 3: Tier 3 is typically used for external or peripheral systems such as user devices that don’t require the same level of management as primary assets.

In reference architecture models (like those used in industrial control systems or enterprise IT architecture), the tiers typically represent layers of control and responsibility. Here's how Tier 0 fits: Tier 0 includes the physical assets and endpoints — such as: Servers Workstations Mobile devices Sensors and field devices (in ICS environments) Tracking mobile devices as physical assets places them in Tier 0, where asset management and inventory control operate at the device level.

In the reference architecture model (like the Purdue Enterprise Reference Architecture, often used in cybersecurity and ICS/SCADA environments), the tiers or levels are generally defined as: Level 0: Physical processes (sensors, actuators) Level 1: Intelligent devices (PLCs, RTUs) Level 2: Control systems (SCADA, HMIs) Level 3: Operations and asset management (production workflows, tracking, data collection) Level 4: Business planning and logistics (ERP, corporate IT) Since the question involves tracking mobile devices using an asset management system, that clearly places it in: 👉 Level 3 – the Operations and Supervisory level, which is responsible for asset tracking, monitoring, and management systems. So again, the correct answer is: D. 3

There is no mention of NIST tiers, so assuming ITAM tiers, the answer is B. Mobile devices would be tracked starting from ITAM Tier 1 (for basic discovery) and continue through Tier 2 (for ongoing management and lifecycle tracking).

Explanation: In reference architectures, Tier 0 typically represents the physical layer of the architecture, which includes devices such as sensors, actuators, and mobile devices. This layer is responsible for directly interacting with the physical environment and providing data to higher tiers for processing and analysis. For mobile devices, they are considered part of the asset layer that needs to be tracked and managed, making them belong to Tier 0 in most reference architectures. Breakdown of Tiers: Tier 0: Physical devices and endpoints (e.g., mobile devices, sensors, and other assets). Tier 1: Edge processing, where data from Tier 0 is collected, processed, or aggregated locally. Tier 2: Centralized systems for data management and processing, like enterprise servers. Tier 3: Business and analytics applications that leverage processed data for decision-making. Tracking mobile devices in an asset management system starts at the Tier 0 level, where their identification, status, and usage data are collected.

You guys should stop confusing people. The Right Answer is D. Read the NIST pub below

Tier 3 as per NIST: Explanation: According to the NIST SP 1800-5 Vol B guidelines, Tier 3 is where mobile devices are actively tracked and managed using Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) systems. This tier is responsible for managing the devices, monitoring their status, ensuring compliance with security policies, and making real-time decisions regarding their security posture.

n the context of a reference architecture for tracking assets, mobile devices would typically be tracked in System Tier 1. This tier focuses on managing all end-user devices, including mobile devices, ensuring they are properly configured, secured, and monitored. So B is the right response

Per Google search: In a typical reference architecture, mobile devices would be tracked within the "Access" or "Presentation" tier as this layer represents the user interface and directly interacts with end-user devices like smartphones and tablets, where data is accessed and displayed. Key points about the access tier: Direct user interaction: This tier is where users interact with applications through their mobile devices, sending requests and receiving responses. Data presentation: The access tier is responsible for presenting data in a user-friendly format on the mobile device screen. Security considerations: Due to the direct user interaction, this tier requires robust security measures to protect sensitive data on mobile devices.

According to the NIST (National Institute of Standards and Technology) reference architecture, mobile devices would be tracked in Tier 1. Here's a brief overview of the tiers: Tier 0: This tier typically includes the physical infrastructure, such as hardware and network components. Tier 1: This tier includes the platform infrastructure, which encompasses operating systems, middleware, and mobile devices. Tier 2: This tier focuses on the application infrastructure, including applications and software services. Tier 3: This tier involves the business processes and information systems that support organizational operations.

Answer id B Tier 0: Facilities, power systems, and environmental controls. Tier 1: Hardware and software supporting IT infrastructure. Tier 2: Shared services like email, directories, and collaboration tools. Tier 3: Business-critical systems and databases.

NIST ITAM Reference Architecture clearly states these would fall into Tier 3 systems. Tier 3 - Enterprise assets - Servers, workstations, Laptops etc

The correct answer is A. 0. In a typical reference architecture, Tier 0 refers to the physical devices or endpoints, including mobile devices, that interact directly with the environment. Mobile devices, as physical assets, would be tracked in this tier because they represent the lowest level in the architecture, where the hardware and direct interfaces with the system occur. Tiers 1, 2, and 3 typically deal with higher levels of abstraction, such as applications, data processing, and overall system management.