IT Security Evaluation According to Harmonized and Approved Criteria
Post on 05-Jan-2016
TÜViT, Inc. MueSecurity Evaluation (1) 10/1999
Roland Mueller
TÜViT, Inc.
8716 North Mopac
Austin, TX 78731
phone: (512) 795-0494
email: roland@tuvit.net
URL: http://www.tuvit.net
IT SECURITY EVALUATION ACCORDING TO HARMONIZED AND APPROVED CRITERIA
Presentation Plan
History of Harmonization
Evaluations within QM Scheme
Characteristics of an Evaluation Process
Main Goal of an Evaluation
Types of Evaluations
Scaled Security
Basic Approach
Evaluated IT Components / Systems
HISTORY OF HARMONIZATION
Orange Book (TCSEC) 1985
German Criteria 1989
French Criteria 1989
UK Confidence Levels 1989
ITSEC 1991
Federal Criteria Draft 1993
Canadian Criteria (CTCPEC) 1993
Common Criteria 1998 (ISO/IEC 15408)
EVALUATIONS WITHIN THE QM-SCHEME
Manufacturer/Product (ISO 9001)
Evaluation Body (EN 45001)
Certification Body (EN 45011)
Accreditation Body (EN 45002/3)
TGA
Certificate
CHARACTERISTICS OF AN EVALUATION PROCESS
Impartiality
Objectivity
Repeatability
Reproducibility
MAIN GOAL OF AN EVALUATION
CONFIDENCE in implemented Security Measures
TYPES OF EVALUATIONS
collaterally
afterwards
Re-Evaluation
SCALED SECURITY
Security Functionality: technical security measures designed with a specific security purpose
Assurance Level: confidence in the correctness of the security functionality
Effectiveness Level: confidence in the robustness of the security functionality
SECURITY FUNCTIONALITY (I): DEFINITION
Confidentiality
Integrity
Availability
SECURITY FUNCTIONALITY (II): PRESENTATION
ITSEC: Generic Headings (I&A, Access Control, Accountability, ...) or manufacturer requirements
CC: Functional Requirements (Part II), modular, with hierarchical dependencies
ASSURANCE LEVEL
ITSEC   CC     Description
-       EAL1   functionally tested
E1      EAL2   structurally tested
E2      EAL3   methodically tested and checked
E3      EAL4   methodically designed, tested and reviewed
E4      EAL5   semi-formally designed and tested
E5      EAL6   semi-formally verified design and tested
E6      EAL7   formally verified design and tested
EFFECTIVENESS LEVEL
basic: protection against casual breach
medium: protection against straightforward or intentional breach
high: protection against deliberately planned or organized breach
BASIC APPROACH
Security Target (Protection Profile)
Development Environment: Specification, Design, Implementation
Operational Environment: Installation, Configuration, Start Up, Operation
Tests and Security Analyses
EVALUATED IT COMPONENTS / SYSTEMS
Smart card Operating Systems (E3 - E4, high)
PC Security Products (E1, basic - E3, high)
Smart card Readers (E1 - E2, basic)
Personalization Systems (E2, medium)
Security Modules (E3, high)
Security Controller (Chip-Hardware) (E4, high)
Technical Components According to SigG (E2, high / E4, high)
...
„TÜViT History“