IT SECURITY EVALUATION ACCORDING TO HARMONIZED AND APPROVED CRITERIA
TÜViT, Inc. Mue Security Evaluation (1) 10/1999
Roland Mueller
TÜViT, Inc.
8716 North Mopac
Austin, TX 78731
phone: (512) 795-0494
email: [email protected]
URL: http://www.tuvit.net
Presentation Plan
History of Harmonization
Evaluations within QM Scheme
Characteristics of an Evaluation Process
Main Goal of an Evaluation
Types of Evaluations
Scaled Security
Basic Approach
Evaluated IT Components / Systems
HISTORY OF HARMONIZATION
Orange Book (TCSEC) 1985
German Criteria 1989
French Criteria 1989
UK Confidence Levels 1989
ITSEC 1991
Federal Criteria Draft 1993
Canadian Criteria (CTCPEC) 1993
Common Criteria 1998
ISO/IEC 15408
EVALUATIONS WITHIN THE QM-SCHEME
Manufacturer/Product (ISO 9001)
Evaluation Body (EN 45001)
Certification Body (EN 45011)
Accreditation Body (EN 45002/3)
TGA
Certificate
CHARACTERISTICS OF AN EVALUATION PROCESS
Impartiality
Objectivity
Repeatability
Reproducibility
MAIN GOAL OF AN EVALUATION
CONFIDENCE in implemented Security Measures
TYPES OF EVALUATIONS
collaterally
afterwards
Re-Evaluation
SCALED SECURITY
Security Functionality: technical security measures designed with a specific security purpose
Assurance Level: confidence in the correctness of the security functionality
Effectiveness Level: confidence in the robustness of the security functionality
SECURITY FUNCTIONALITY (I): DEFINITION
Confidentiality
Integrity
Availability
SECURITY FUNCTIONALITY (II): PRESENTATION
ITSEC:
  Generic Headings (I&A, Access Control, Accountability, ...)
  or manufacturer requirements
CC:
  Functional Requirements (Part II)
  modular
  hierarchical dependencies
ASSURANCE LEVEL
ITSEC   CC     Description
-       EAL1   functionally tested
E1      EAL2   structurally tested
E2      EAL3   methodically tested and checked
E3      EAL4   methodically designed, tested and reviewed
E4      EAL5   semi-formally designed and tested
E5      EAL6   semi-formally verified design and tested
E6      EAL7   formally verified design and tested
EFFECTIVENESS LEVEL
basic: protection against casual breach
medium: protection against straightforward or intentional breach
high: protection against deliberately planned or organized breach
BASIC APPROACH
Specification
Design
Implementation
Development Environment
Operational Environment
Tests
Security Analyses
Start Up
Operation
Installation
Security Target (Protection Profile)
Configuration

EVALUATED IT COMPONENTS / SYSTEMS
Smart card Operating Systems (E3 - E4, high)
PC Security Products (E1, basic - E3, high)
Smart card Readers (E1 - E2, basic)
Personalization Systems (E2, medium)
Security Modules (E3, high)
Security Controller (Chip-Hardware) (E4, high)
Technical Components According to SigG (E2, high / E4, high)
...
„TÜViT History“