Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security consulting What about the ITSEC?. security consulting What about the ITSEC? Where it came from Where it is going How it relates to CC and other.

Published byKristian Collins Modified over 9 years ago

Similar presentations

Presentation on theme: "Security consulting What about the ITSEC?. security consulting What about the ITSEC? Where it came from Where it is going How it relates to CC and other."— Presentation transcript:

1 security consulting What about the ITSEC?

2 security consulting What about the ITSEC? Where it came from Where it is going How it relates to CC and other criteria Comparison of ITSEC/CC/FIPS140 rationale Mutual Recognition

3 security consulting Where it came from UK (mainly government) criteria German criteria French and Dutch proposals Proposed new UK criteria European harmonisation...

4 security consulting Where it came from 2 Traceability Analysis Functional Testing Penetration Testing Vulnerability Analysis Security Target SEFsThreats Security Objectives Correctness Effectiveness

5 security consulting The future Common Criteria (CC) – Upgrade path defined in UK Common Evaluation Method (CEM) ISO standard 15408 Mutual Recognition Global market

6 security consulting The future 2 Certificate Maintenance Scheme (CMS) – Based on Logica’s Traffic Light Method for re- evaluation – The UK’s version of RAMP – In CC as Maintenance of Assurance (AMA)

7 security consulting How it relates to CC and other criteria US CANADA UK GERMANY FRANCE 198319931996 ITSEC 19891991 COMMON CRITERIA ORANGE BOOK ZSEIC B-W-R BOOK FEDERAL CRITERIA 1999 ISO 15408 CTCPEC MEMO 3 DTI

8 security consulting How it relates to CC etc - 2

9 security consulting Comparisons Orange Book – Specific functionality FIPS 140 – Specific crypto architecture Derived Test Requirements – consistency, etc ITSEC – General functionality – General architecture – Not really for crypto, but not excluded Requirements case-by- case – more subjective?

10 security consulting Comparisons 2 ITSEC – 163 pages – E1 to E6 – Separate Correctness and Effectiveness – No pre-defined functionality CC – 638 pages – EAL1 to EAL7 – Effectiveness ‘merged in’ with correctness – No pre-defined functionality mandated

11 security consulting Comparisons 3 Orange Book/FIPS – Defines the security “problem” – Guides architecture and functionality to sensible “solution” – Defines how it is tested ITSEC/CC – Lets you define the security “problem” – Allows any “solution”, since there may be any “problem” – Defines what evaluators must do to derive how to test it

12 security consulting Mutual Recognition - ITSEC Originally bi-partite arrangements – UK-Germany – Germany-France – France-UK Then SOG-IS MRA – 11 nations in EU Extended with bi- partite arrangements – UK-Australia Applies E1-E6 Not legally binding

13 security consulting Mutual Recognition - CC Interim Recognition – October 1997 – UK/US/Canada – EAL1-EAL3 Formal Recognition – October 1998 – UK/US/Canada/France/ Germany/Netherlands/A ustralia – EAL1-EAL4 Not legally binding

14 security consulting Combined Evaluation Simple Crypto Device

15 security consulting Combined Evaluation Example Software Product

16 security consulting Combined Evaluation Issues

17 security consulting So; what about the ITSEC? ITSEC experience is very valuable ITSEC evaluations (and CMS) will be around for some time to come Putting evaluations and assessments together to get assurance in real systems is hard

Download ppt "Security consulting What about the ITSEC?. security consulting What about the ITSEC? Where it came from Where it is going How it relates to CC and other."

Similar presentations

Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University Fairfax, Virginia USA.

Title Slide EVOLVING CRITERIA FOR INFORMATION SECURITY PRODUCTS Ravi Sandhu George Mason University Fairfax, Virginia USA.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
© Crown Copyright (2000) Module 2.2 Development Representations.

© Crown Copyright (2000) Module 2.2 Development Representations.
1 Intraday in the CWE region NWE and Bilateral initiatives Common RCC CSE - CWE 28 September 2010.

1 Intraday in the CWE region NWE and Bilateral initiatives Common RCC CSE - CWE 28 September 2010.
University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.
Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
Quality Label and Certification Processes Vienna Summit 11 April 2014 Karima Bourquard Director of Interoperability IHE-Europe.

Quality Label and Certification Processes Vienna Summit 11 April 2014 Karima Bourquard Director of Interoperability IHE-Europe.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
International Recognition System for Accreditation

International Recognition System for Accreditation
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
4/28/20151 Computer Security Security Evaluation.

4/28/20151 Computer Security Security Evaluation.
1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.
Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.

Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.
1 Common Criteria Ravi Sandhu. 2 Common Criteria International unification CC v2.1 is ISO 15408 Flexibility Separation of Functional requirements Assurance.

1 Common Criteria Ravi Sandhu. 2 Common Criteria International unification CC v2.1 is ISO Flexibility Separation of Functional requirements Assurance.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah-19112007- CEM v3.1: Chapter 10 Security Target Evaluation.

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.

An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.
Bangalore, India,17-18 December 2012 Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International.

Bangalore, India,17-18 December 2012 Sustainable Broadband Communications: International Perspective – Common Criteria David Martin, Head of International.

Similar presentations

Ads by Google