Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stephen S. Yau CSE 465-591, Fall 2006 1 Evaluating Systems for Functionality and Assurance.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Stephen S. Yau CSE 465-591, Fall 2006 1 Evaluating Systems for Functionality and Assurance."— Presentation transcript:

1 Stephen S. Yau CSE 465-591, Fall 2006 1 Evaluating Systems for Functionality and Assurance

2 Stephen S. Yau CSE 465-591, Fall 2006 2 Evaluation for Functionality and Assurance Evaluation is a process in which the evidence for assurance is gathered and analyzed against criteria for functionality and assurance. Evaluation can result in a measure of trust indicating how well a system meets selected criteria –A system is trusted if it has been shown to meet users’ security requirements under specific conditions –Trust is based on assurance evidence t1- ch18, t2-ch21

3 Stephen S. Yau CSE 465-591, Fall 2006 3 Evaluation for Functionality and Assurance (cont.) An evaluation methodology provides following features: –A set of requirements defining security functionality –A set of assurance requirements specifying required evidence of assurance –A methodology for determining whether the security requirements are satisfied based on the assurance evidence. –A measure of the evaluation result (called a level of trust) indicating how trustworthy the product or system is

4 Stephen S. Yau CSE 465-591, Fall 2006 4 Trusted Computer System Evaluation Criteria (TCSEC) Developed in 1983-1999, by U.S./DoD Also known as the Orange Book Emphasizing confidentiality, especially protection of government classified information Impact: –Create an approach to identifying how secure a product is Limitations: –Focus on security needs of U.S. government and military –Not address integrity, availability or other requirements critical to business applications t1- ch18.2, t2-ch21.2

5 Stephen S. Yau CSE 465-591, Fall 2006 5 Information Technology Security Evaluation Criteria (ITSEC) Developed in 1991-2001 by Europe Union Major distinction between TCSEC and ITSEC –ITSEC emphasizes on integrity and availability, while TCSEC emphasizes on confidentiality Impact: –Can be used to evaluate any kinds of products or systems Limitations: –Weak in developing functional requirements –Not used in Canada and the U.S. t2-ch21.3

6 Stephen S. Yau CSE 465-591, Fall 2006 6 Federal Criteria (FC) Developed in 1992, by U.S./NIST, NSA Attempt to address the shortcomings of TCSEC and of ITSEC by adding new criteria for both classified and unclassified information Impacts: –Established the concept of protection profile, which is an abstract specification of the security aspects of a IT product. –Developed a profile registry that makes FC-approved protection profiles available for general use Limitation: –The FC has not been finalized and published t2-ch21.6

7 Stephen S. Yau CSE 465-591, Fall 2006 7 Common Criteria (CC) Developed at 1998 – present, by Canada, France, Germany, The Netherlands, the United Kingdom and the United States It is an international standard, also known as ISO 15408 Impacts: –Combines the best features of preceding methodologies, such as TCSEC with the ITSEC and the FC –Provides a common language and structure to express both security functional requirements and security assurance requirements Limitation: –Continue being developed, still needs time to test and refine t1- ch18.4, t2-ch21.8

8 Stephen S. Yau CSE 465-591, Fall 2006 8 System Security Engineering Capability Maturity Model (SSE-CMM) Developed at 1997 – present, by U.S./International Systems Security Engineering Association (ISSEA) A process-oriented methodology for developing secure systems based on Software Engineering Capability Maturity Model (SE-CMM) Impact: –Can be used to assess the capabilities of security engineering processes of an organization and provide guidance in designing and improving them Limitation: –Analysis is complex t1- ch18.5, t2-ch21.9

Download ppt "Stephen S. Yau CSE 465-591, Fall 2006 1 Evaluating Systems for Functionality and Assurance."

Similar presentations

Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University Fairfax, Virginia USA.

Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University Fairfax, Virginia USA.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
CSE331: Introduction to Networks and Security Lecture 34 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 34 Fall 2002.
Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.

Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
The Systems Security Engineering Capability Maturity Model (ISO 21827)

The Systems Security Engineering Capability Maturity Model (ISO 21827)
Security Models and Architecture

Security Models and Architecture
Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.

Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
S.S. Yau CSE465-591 Fall 2006 1 Classified Systems.

S.S. Yau CSE Fall Classified Systems.
1 Information Security Standards Gary Gaskell © 2001.

1 Information Security Standards Gary Gaskell © 2001.
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.

1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.
R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.

R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Similar presentations

Ads by Google