Computer Security

Research on TCSEC, CC, SSE-CMM and ISO27001

Assignment 4

Comparison of Properties

Issued by
  TCSEC: National Computer Security Center (NCSC), an arm of the National Security Agency.
  CC: International Standards Organization.
  SSE-CMM: A combination of the NSA, the Office of the Secretary of Defense, the Department of Defense (USA) and the Communications Security Establishment (Canada).
  ISO27001: Jointly by the International Security Office (ISO) and the International Electrotechnical Commission (IEC).

Focuses on
  TCSEC: Assessing the effectiveness of computer security controls built into a computer system.
  CC: Evaluation of a product or system, and less on development of requirements.
  SSE-CMM: Systems security engineering, management process improvement and the practices necessary to safeguard information.
  ISO27001: Best practices for an Information Security Management System (ISMS).

Approach
  TCSEC: A prescriptive approach. Requires a computer system to contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the specified requirements.
  CC: A very generic approach; it does not directly provide a list of product security requirements or features for specific (classes of) products.
  SSE-CMM: The security engineering process is well defined, measured, controlled and thus effective.
  ISO27001: Sets out specific requirements, all of which must be followed, and against which an organisation's ISMS can be audited and certified. It is also an international standard defining the requirements for establishing, implementing, maintaining and managing an ISMS.

Evaluation basis
  TCSEC: Four divisions: D (Minimal protection), C (Discretionary protection), B (Mandatory protection) and A (Verified protection), where division A has the highest security.
  CC: Seven Evaluation Assurance Levels (EALs): Functionally Tested; Structurally Tested; Methodically Tested and Checked; Methodically Designed, Tested, and Reviewed; Semiformally Designed and Tested; Semiformally Verified Design and Tested; Formally Verified Design and Tested.
  SSE-CMM: Capability Levels: 0 - Not Performed, I - Performed Informally, II - Planned & Tracked, III - Well Defined, IV - Quantitatively Controlled, V - Continuously Improving.
  ISO27001: Four phases: Plan, Do, Check, Act.

Security Policy
  TCSEC:
  - Mandatory Security Policy (enforces access control rules, authorization for information)
  - Marking (stores access control labels, preserves the label when exported)
  - Discretionary Security Policy (enforces a consistent set of rules for controlling and limiting access based on identified individuals)
  CC:
  - Operational/environmental security policy (rules, directives, and practices that govern how assets are managed, protected, and distributed within and external to an organization)
  - System security policy (rules, directives, and practices that govern how assets are managed, protected, and distributed by a system or product)
  SSE-CMM: Guidelines are set out to define security policies covering many aspects such as Information Security Organization, Classifying Information & Data, Controlling Access to Information & Systems, Combating Cyber Crime, Delivering Training & Staff Awareness, etc.
  ISO27001: Requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system.

Accountability
  TCSEC: Three requirements:
  - Identification (recognize an individual user)
  - Authentication (verification of an individual user's authorization to specific categories of information)
  - Auditing (allow an authenticated individual to trace actions affecting security)

Assurance
  TCSEC:
  - Operational Assurance (System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management and Trusted Recovery)
  - Life-cycle Assurance (Security Testing, Design Specification and Verification, Configuration Management and Trusted System Distribution)
  - Continuous Protection Assurance (the trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes)
  CC: Depends on the level. Assures that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
  SSE-CMM:
  1. Provides a way to measure and enhance the way in which an organization translates customer security needs into a security engineering process to produce products that effectively meet their needs.
  2. Provides an alternate assurance viewpoint for customers who may not need the formal assurances provided by full evaluation or certification and accreditation efforts.
  3. Provides a standard which customers can use to gain confidence that their security needs will be adequately addressed.
  ISO27001: Assurance that the management system for information security is in place, but says little about the absolute state of information security within the organization.

Documentation
  TCSEC: Addresses the development, deployment and management of the system rather than its capabilities (Security Features User's Guide, Trusted Facility Manual, Test Documentation and Design Documentation).
  CC: Usually depends on the level. EAL1 requires no documentation. EAL2 requires test documentation and test results from a vulnerability analysis. EAL3 requires high level design documentation and documentation on test coverage. EAL4 requires low level design and source code of security functions. EAL5, 6 and 7 require a formal model of the security policy, a semi-formal high level design, functional specifications of the system and full source code.
  SSE-CMM: Specific documentation needed to support security requirements (e.g. an administrator manual, a users manual, specific design documentation).
  ISO27001: Statement of Applicability, Risk Treatment Plan, ISMS policy, security admin system designs, procedures and forms, description of the risk assessment methodology, records of management decisions, risk assessment report.

Predecessor
  CC: ITSEC and TCSEC.
  ISO27001: The British standard BS7799-2.

Objective(s)
  TCSEC: A statement of intent with regard to control over access to and dissemination of information, to be known as the security policy, must be precisely defined and implemented for each system that is used to process sensitive information. The security policy must accurately reflect the laws, regulations, and general policies from which it is derived.
  CC:
  - To ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.
  - To improve the availability of evaluated, security-enhanced IT products and protection profiles.
  - To eliminate the burden of duplicating evaluations of IT products and protection profiles.
  - To continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles.
  SSE-CMM: Advance security engineering as a defined, mature, and measurable discipline.
  ISO27001:
  - To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
  - To manage information security within the organization.
  - To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
  - To achieve and maintain appropriate protection of organizational assets.
  - To ensure that information receives an appropriate level of protection.
  - To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
  - To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
  - To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
  - To prevent unauthorized physical access, damage and interference to the organization's premises and information.
  - To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.
  - To ensure the correct and secure operation of information processing facilities.
  - To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
  - To minimize the risk of systems failures.
  - To protect the integrity of software and information.
  - To maintain the integrity and availability of information and information processing facilities.
  - To ensure the protection of information in networks and the protection of the supporting infrastructure.
  - To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
  - To control access to information.
  - To ensure that security is an integral part of information systems.
  - To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

Steps of the model
  TCSEC:
  1. Identifying the policy being enforced.
  2. Identifying subjects and objects.
  3. Providing evidence that the operation of the reference validation mechanism matches the high-level description of the user interface.
  4. Demonstrating isolation of the TCB.
  CC:
  1. Rebuilding the Common Criteria brand is to get the criteria themselves out of the way. The public documents that are currently produced are too high level and too encumbered by Common Criteria jargon. The fix is to write documents that are more specific and more understandable to those responsible for IT security in their organizations.
  2. Write requirements for a technology that include the vendors that build the products. Currently, each country is allowed to write a Protection Profile for a technology that describes threats to be addressed and the features expected from a product to mitigate the threats. The U.S., several of the other countries and vendors have started to write Standard Protection Profiles for technologies that:
     a. Provide a complete set of understandable threats.
     b. Have a negotiated set of functional features that is as specific as possible.
     The intention is that any security professional should be able to readily understand what types of problems are being addressed and should be confident that all aspects of product security are being considered. The security functional features should all be justified in simple prose against the threats being addressed.
  3. A tailored evaluation methodology has to be created for each technology area.
  SSE-CMM:
  1. Assess Threat
  2. Assess Vulnerabilities
  3. Assess Impact
  4. Assess Security Risk
  ISO27001:
  1. Get Management Support. The first thing to do is to get management support. An ISO 27001 implementation needs a corporate-wide, top-down approach, so make sure that you have approval and support from higher management.
  2. Define ISMS Scope. Whether the scope is integrated across all information security layers, or limited to the data center, servers or infrastructure, depends on your needs and capability. Most companies find some difficulties when implementing this standard for an entire department, so be selective when defining the scope and its limits.
  3. Inventory Information Assets. Make sure that all assets are recorded properly, and that intellectual and shared assets are not missed. Collecting this information-asset inventory is usually a challenge, since much of the information is distributed and separated across several functions.
  4. Conduct Information Security Risk Assessment
  5. Develop ISMS Implementation Program
  6. ISMS Implementation Program
  7. Information Security Management System
  8. ISMS Operation Artifacts
     - Policies, Procedures, Guidelines
     - Security Log, Configuration
     - Compliance and Audit Report
     - Awareness Training, Attendance Report
  9. Compliance Review
  10. Corrective Action
  11. Pre-certification Assessment
  12. Certification Audit

Effectiveness and Benefits
  TCSEC: Sets basic requirements for assessing the effectiveness of computer security controls:
  1. To provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information.
  2. To provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications.
  3. To provide a basis for specifying security requirements in acquisition specifications.
  CC: If a product is Common Criteria certified, it does not necessarily mean it is completely secure. There are no security requirements that address the need to trust external systems or the communications links to such systems. The effort and time necessary to prepare evaluation evidence and other evaluation-related documentation is so cumbersome that by the time the work is completed, the product in evaluation is generally obsolete.
  SSE-CMM:
  - Improves the ability to transition to an improved process effectively.
  - Provides a logical sequence for improvement based on years of experience.
  - Leads to better processes and better products.
  - Provides the data necessary for effective management of process improvement efforts.
  - Strong return on investment.
  ISO27001:
  1. Protected against unauthorized changes or destruction, i.e. improved effectiveness of information security.
  2. Provides confidence to trading partners, stakeholders, and customers (certification demonstrates 'due diligence').
  3. Market differentiation; potential lower rates on insurance premiums.
  4. Compliance with mandates and laws (e.g., Data Protection Act, Communications Protection Act).
  5. Reduced liability due to unimplemented or unenforced policies and procedures.
  6. The only standard with global acceptance.