IT-Security Evaluation Criteria

More documents

Recommendations

Info

Summary of TCSEC- Security Classes: Division C: Discretionary Protection: Division D/ Class D: Minimal Protection: - unrated, no security characteristics required Class C1: Discretionary Security Protection: - for cooperating users processing at the same level of security - discretionary access controls (DAC): users can protect their own data and keep other users from accidentally reading or destroying their data - identification and authentication - penetration testing - Example: MVS/RACF Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 5 Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 6 C2: Controlled Access Protection: Features of C1 +: - more finely grained DAC: protection must be implementable at the degree of a single user - auditing - object reuse Examples: VAX VMS, MVS/ACF, Windows NT Division B: Mandatory Protection Class B1: Labelled Security Protection: Features of C2 +: - informal statement of security model - security labelling - mandatory access control (MAC) policy of the Bell LaPadula model - thorough analysis and testing of design documentation, source code, object code, - removal of security related flaws Examples: Trusted Solaris CMW 1.1, Trusted Oracle 7, Unix System V/MLS Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 7 Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 8
Class B2: Structured Protection: Features of B1 +: - formal security model - descriptive top-level specification (DTLS) - DAC and MAC enforcement shall be applied to all subjects and objects (also devices) - covert channel analysis - TCB must be structured into protection critical and non-protection critical elements (TCB: security-relevant portions of a system) - authentication mechanisms are strengthened - more thorough testing and code review - system is “relatively resistant to penetration” - separate operator and administrator functions - Example: Honeywell Multics Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 9 Class B3: Security Domains: Features of B2 +: - TCB satisfies the reference monitor concept - TCB is structured to exclude code not essential to security policy enforcement - auditing mechanisms signal security-related events - system recovery procedures - the system is highly resistant to penetration - convincing argument shall be given that DTLS is consistent with the model - system is “highly resistant to penetration” Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 10 Division A: Verified Protection Class A1: Verified Design: Systems in A1 are functionally equivalent to those in B3, but Class A1 requires a formally verified system design Formal Model Formal Top-Level Specification Implementation demonstration using formal or informal techniques consistency informally shown ITSEC Harmonisation and extension of existing national criteria: - UK Systems Security Confidence Levels, CESG 1989 - UK DTI Commercial Computer Security Centre Evaluation Manual/ Functionality Manual 1989 - German IT-Security Criteria, ZSI (now BSI) 1989 - French "Blue-White-Red Book", SCSSI 1989 Aim: - compatible basis for certification by national certification bodies - mutual recognition of evaluation results Example: Honeywell Scomp Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 11 Tillämpad datasäkerhet (DAVC17) – Security Evaluation Criteria Simone Fischer-Hübner 12
Page 1: IT-Security Evaluation Criteria Why
Page 5 and 6: Effectiveness: - assesses suitabili
Page 7: Example: Class-Family-Component Hie

IT-Security Evaluation Criteria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?