@Franklin-Shinn , I hope all is well. First of all, I would not be overly concerned about EITHER of these two items, as they are unlikely to appear on the exam.
Having said that, positive risk management is primarily concerned with identifying, assessing and managing potentially beneficial outcomes.
Trusted Computer System Evaluation Criteria (TCSEC), frequently referred to as the Orange Book, was a United States Government Department of Defense standard that set basic standards for the implementation of security protections in computing systems. It was strongly focused on enforcing confidentiality, with no focus on other aspects of security such as integrity or availability. Although it has since been superseded by the Common Criteria, it influenced the development of other product evaluation criteria, and some of its basic approach and terminology continue to be used. It introduced the idea of the Trusted Computing Base (TCB) into product evaluation.
TCSEC combines functionality & assurance rating of the confidentiality protection of a system into four categories. These are then subdivided into numbered subcategories:
Level   Label                        Requirements
D       Minimal Protection
C1      Discretionary Protection
C2      Controlled Access Protection
B1      Labeled Security
B2      Structured Protection
B3      Security Domains
A1      Verified Protection
Evaluation of a target system is used to assign the appropriate category ranking. "A" is the highest level.
The Rainbow Series is where the Orange Book comes from. Approximately 30 titles with different color designations make up the series. The Red Book (Trusted Network Interpretation, TNI) discussed how to implement the Orange Book concept in a trusted network.
Hope that helps to clarify.
Good luck on your exam. If you have any other questions, please be in touch as needed.
Cheers,
Adam