Security consulting What about the ITSEC?. security consulting What about the ITSEC? Where it came from Where it is going How it relates to CC and other.

Slides:

Advertisements

Similar presentations

Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University Fairfax, Virginia USA.

Advertisements

Module 1 Evaluation Overview © Crown Copyright (2000)

© Crown Copyright (2000) Module 2.2 Development Representations.

1 Intraday in the CWE region NWE and Bilateral initiatives Common RCC CSE - CWE 28 September 2010.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.

Quality Label and Certification Processes Vienna Summit 11 April 2014 Karima Bourquard Director of Interoperability IHE-Europe.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

International Recognition System for Accreditation

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

4/28/20151 Computer Security Security Evaluation.

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.

Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.

1 Common Criteria Ravi Sandhu. 2 Common Criteria International unification CC v2.1 is ISO Flexibility Separation of Functional requirements Assurance.

Effective Design of Trusted Information Systems Luděk Novák,

IT Security Evaluation By Sandeep Joshi

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.

Bangalore, India,17-18 December 2012 Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International.

Secure Operating Systems Lesson 0x11h: Systems Assurance.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Information Security Standards Gary Gaskell © 2001.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme Common Approval Scheme POI Working Group SRC Security Research & Consulting.

SMART GRID DEVICES SECURITY CERTIFICATION

Stephen S. Yau CSE , Fall Evaluating Systems for Functionality and Assurance.

OSR/Aug 02 Data Security E2002, Lecture 1 August 30, History Background - Batch - Remote access, DB, RACF - Orange Book - ITSec, Common Criteria.

1 Copyright © 2014 M. E. Kabay. All rights reserved. Standards for Security Products CSH5 Chapter 51 “Security Standards for Products” Paul J. Brusil and.

Gurpreet Dhillon Virginia Commonwealth University

Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007.

1 Anthony Apted/ James Arnold 26 September 2007 Has the Common Criteria Delivered?

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 20 October 28, 2004.

A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc

Evaluating Systems Information Assurance Fall 2010.

Conformity Assessment and Accreditation Mike Peet Chief Executive Officer South African National Accreditation System.

1 Omissions and errors in the CC Who got it right? 8ICCC Denise Cater.

Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Background. History TCSEC Issues non-standard inflexible not scalable.

1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.

Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.

Unix Systems security and security evaluation criteria.

You say to-mah-to, I say to-mae-to: why isn’t there a single solution to Information Security Assurance? Apostol Vassilev atsec information security &

The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;

CACR CC Briefing Stephen Booth Computer and System Security Section Communications Security Establishment

Compound Inequalities

Bangalore, India,17-18 December 2012 Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International.

Common Criteria V3 Overview Presented to P2600 October Brian Smithson.

CMSC : Common Criteria for Computer/IT Systems

TM8104 IT Security EvaluationAutumn CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent.

1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.

1 Common Criteria Discussions CCSDS Security Working Group Fall 2007 Meeting 3-5 October 2007 ESA/ESOC, Darmstadt Germany (Hotel am Bruchsee, Heppenheim)

======!"§==Systems= Technical Guidance for CC Evaluation Wolfgang Killmann T-Systems GEI GmbH.

Copyright atsec information security, IBM, 2007 How To Eat A Mammoth Experiences With the Evaluation of Complex Software Products Under the Common Criteria.

High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.

Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University

CSCE 727 Awareness and Training Secure System Development and Monitoring.

9 th International Common Criteria Conference Report to IEEE P2600 WG Brian Smithson Ricoh Americas Corporation 10/24/2008.

Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 5: Security Architecture and Models.

1 Security Architecture and Designs  Security Architecture Description and benefits  Definition of Trusted Computing Base (TCB)  System level and Enterprise.

Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416.

Ch.18 Evaluating Systems - Part 2 -

EU R&D in cybersecurity's certification

9th International Common Criteria Conference Report to IEEE P2600 WG

Common Criteria Ravi Sandhu.

Common Criteria Ravi Sandhu.

The Grand Goal: One Evaluation Per Planet

Computer Security: Art and Science, 2nd Edition

IT SECURITY EVALUATION ACCORDING TO HARMONIZED AND APPROVED CRITERIA

Presentation transcript:

security consulting What about the ITSEC?

security consulting What about the ITSEC? Where it came from Where it is going How it relates to CC and other criteria Comparison of ITSEC/CC/FIPS140 rationale Mutual Recognition

security consulting Where it came from UK (mainly government) criteria German criteria French and Dutch proposals Proposed new UK criteria European harmonisation...

security consulting Where it came from 2 Traceability Analysis Functional Testing Penetration Testing Vulnerability Analysis Security Target SEFsThreats Security Objectives Correctness Effectiveness

security consulting The future Common Criteria (CC) – Upgrade path defined in UK Common Evaluation Method (CEM) ISO standard Mutual Recognition Global market

security consulting The future 2 Certificate Maintenance Scheme (CMS) – Based on Logica’s Traffic Light Method for re- evaluation – The UK’s version of RAMP – In CC as Maintenance of Assurance (AMA)

security consulting How it relates to CC and other criteria US CANADA UK GERMANY FRANCE ITSEC COMMON CRITERIA ORANGE BOOK ZSEIC B-W-R BOOK FEDERAL CRITERIA 1999 ISO CTCPEC MEMO 3 DTI

security consulting How it relates to CC etc - 2

security consulting Comparisons Orange Book – Specific functionality FIPS 140 – Specific crypto architecture Derived Test Requirements – consistency, etc ITSEC – General functionality – General architecture – Not really for crypto, but not excluded Requirements case-by- case – more subjective?

security consulting Comparisons 2 ITSEC – 163 pages – E1 to E6 – Separate Correctness and Effectiveness – No pre-defined functionality CC – 638 pages – EAL1 to EAL7 – Effectiveness ‘merged in’ with correctness – No pre-defined functionality mandated

security consulting Comparisons 3 Orange Book/FIPS – Defines the security “problem” – Guides architecture and functionality to sensible “solution” – Defines how it is tested ITSEC/CC – Lets you define the security “problem” – Allows any “solution”, since there may be any “problem” – Defines what evaluators must do to derive how to test it

security consulting Mutual Recognition - ITSEC Originally bi-partite arrangements – UK-Germany – Germany-France – France-UK Then SOG-IS MRA – 11 nations in EU Extended with bi- partite arrangements – UK-Australia Applies E1-E6 Not legally binding

security consulting Mutual Recognition - CC Interim Recognition – October 1997 – UK/US/Canada – EAL1-EAL3 Formal Recognition – October 1998 – UK/US/Canada/France/ Germany/Netherlands/A ustralia – EAL1-EAL4 Not legally binding

security consulting Combined Evaluation Simple Crypto Device

security consulting Combined Evaluation Example Software Product

security consulting Combined Evaluation Issues

security consulting So; what about the ITSEC? ITSEC experience is very valuable ITSEC evaluations (and CMS) will be around for some time to come Putting evaluations and assessments together to get assurance in real systems is hard