practices with an emphasis on assuring functionality. Security Policy and Security Policy Model Specification System Design Implementation Security Testing Security Documentation Configuration Management Verification and Validation of the development process
a set of criteria or requirements relating to security functionality and assurance. Criteria are usually divided into “Levels of Trust” or ratings. Computer systems are evaluated against a set of criteria and are given the rating or “Level of Trust” for which they have satisfied the requirements. A metric for measuring the level of security provided by a system and the confidence in that security.
Commercial Computer Security Centre Evaluation Levels Manual
German Criteria for the Evaluation of Trustworthiness of Information Technology Systems
French “Blue-White-Red” Book
Information Technology Security Evaluation Criteria (ITSEC) [UK, France, Germany, the Netherlands]
International Common Criteria (CC)
widely used evaluation criteria were selected for the comparison.
Trusted Computer System Evaluation Criteria (TCSEC) [Orange Book]
Information Technology Security Evaluation Criteria (ITSEC)
Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
assurance requirements. Scope is very high level. Interpretation documents (the Rainbow Series) are required for more specific cases (e.g., the Red Book is the Trusted Network Interpretation of the Orange Book).
Requirements Specification, Architectural Design, Detailed Design, Implementation
2. Development Environment: Configuration Control, Programming Languages and Compilers, Developer’s Security
3. Operational Documentation: User Documentation, Administrator Documentation
4. Operational Environment: Delivery and Configuration, Start-up and Operation
Functionality Class F-B1
Functionality Class F-B2
Functionality Class F-B3
Functionality Class F-IN
Functionality Class F-AV
Functionality Class F-DI
Functionality Class F-DC
Functionality Class F-DX