SAM-101 Standards and Evaluation

SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can: –Trust manufacturer (not always a good idea) –Test system themselves (expertise may not be available and costly) –Rely on impartial third party assessment (evaluation)

SAM-103 Introduction The Trusted Computer Security Evaluation Criteria (TCSEC) were the first generally accepted criteria for evaluating secure products It provides method to rate products on a simple scale Other criteria developed since, but still relate their schemes back to Orange Book

SAM-104 Target of an evaluation Evaluating criteria over products (operating system) and systems (collection of products) for a specific use Product evaluation needs a set of generic requirements – provided by classes of TCSEC and profiles of ITSEC System evaluation needs requirements capture to be part of evaluation – covered by ITSEC

SAM-105 Purpose of an evaluation Orange Book distinguish between: –Evaluation assessing whether a product has claimed security properties –Certification to establish the extent in which a particular design and implementation meets the set of specified security requirements.

SAM-106 Purpose of an evaluation Accreditation A formal declaration by a Designated Approving Authority (DAA) where an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

SAM-107 Method of an evaluation Evaluation credibility depends on evaluation methods Need to prevent situations where –Evaluated product later found to contain a serious flaw –Different evaluations of same product disagree in assessment (requirement for repeatability and reproducibility in method)

SAM-108 Product-oriented versus process-oriented evaluation Evaluation methods can be product or process oriented Product-oriented evaluations test the product Process-oriented evaluations look at product development process

SAM-109 Structure of the evaluation criteria The product evaluated on aspects: –Functionality: secure features of the product, MAC, DAC, authentication, auditing etc. –Effectiveness: the appropriateness of the functionality for the security requirements –Assurance: degree of certainty in the correctness of the implementation of the functionality

SAM-1010 Structure of the evaluation criteria Orange Book looks at all aspects at the same time ITSEC is more flexible

SAM-1011 Organizational framework Evaluation should give an independent verdict on products Independent evaluation facility can be a government agency or a licensed agency Both cases a government agency backs the evaluation process and issues certificate

SAM-1012 Government versus commercial If done by government, result should be consistent but may take a long time If evaluation done privately, then checks need be carried out to ensure consistency. Precise formulation of criteria becomes very important. Danger of commercial pressures influence the end result.

SAM-1013 Contracts and procedures Contractual relationship needed between the sponsor of the evaluation, the product manufacturer, and the evaluation facility Procedures needed for start of an evaluation, for issuing evaluation certificates, and for re-evaluation of modifications of evaluated products.

SAM-1014 Costs and benefits The cost would include both the evaluation fee and the indirect costs (time to gather and produce evidence, liaise with evaluation teams) For off-the-shelf software, cost can spread over many customers For customised systems, the sponsor to bear all costs

SAM-1015 Information Security Management System It provides a systematic approach to manage sensitive information in order to protect it. It encompasses employees, processes, and information systems It should include an evaluation method, safeguards and a documentation and revision process

SAM-1016 Getting certified Compliance: a self assessment to check if the system implemented complies with a standard Certification (registration): confer by an accredited certification body when an organisation successfully completes an independent audit

SAM-1017 Getting certified Accreditation: an authorised body (the accreditation body) officially recognises the authority of a certification body to evaluate, certify and register an organisation with regard to published standards

SAM-1018 ISO/IEC and BS 7799 The best reference for information security management system. A structured and internationally recognised guide with recommendations devoted to information security Not a product-oriented or technological standard

SAM-1019 Contents Published in 2 parts: ISO/IEC Part 1: Code of Practice for Information Security Management BS 7799 Part 2: Information Security Management

SAM domains of ISO/IEC (Part 1) Security policy Organisation policy Asset classification and control Personnel security Physical and environmental security Communications and operations management

SAM domains of ISO/IEC (Part 1) Access control Systems development and management Business continuity management Compliance

SAM-1022 Steps in implementing an ISMS Project initiation Definition of the ISMS Risk assessment Risk treatment Training and awareness Audit preparation Audit Control and Continual improvement

SAM-1023 Documentation required Security manual: policy, scope, risk assessment, statement of applicability Procedures: who, what, when, where Working instructions, checklists, forms etc: describe how tasks and specific activities are done Records: provide objective evidence of compliance with ISMS requirements