SAM-101 Standards and Evaluation

Upload: edward-sullivan

Post on 19-Jan-2016


TRANSCRIPT

Page 1: SAM-101 Standards and Evaluation

Page 2: On security evaluations

• Users of secure systems need assurance that the products they use are secure

• Users can:

– Trust the manufacturer (not always a good idea)

– Test the system themselves (the expertise may not be available, and testing is costly)

– Rely on an impartial third-party assessment (evaluation)

Page 3: Introduction

• The Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book", published by the US Department of Defense) were the first generally accepted criteria for evaluating secure products

• They provide a method to rate products on a simple scale of divisions and classes (D, C1, C2, B1, B2, B3, A1), each class adding both security features and assurance requirements to the one below it

• Other criteria have been developed since (ITSEC, the Common Criteria), but they still relate their schemes back to the Orange Book

Page 4: Target of an evaluation

• Evaluation criteria can target a product (for example an operating system) or a system (a collection of products assembled and configured for a specific use)

• A product evaluation needs a set of generic requirements to evaluate against; these are provided by the classes of the TCSEC and the predefined functionality classes of the ITSEC

• A system evaluation has to capture the requirements of the specific installation as part of the evaluation itself; the ITSEC covers this case through its security target, whereas the Orange Book is product-oriented

Page 5: Purpose of an evaluation

• The Orange Book distinguishes between:

– Evaluation: assessing whether a product has the security properties it claims

– Certification: establishing the extent to which a particular design and implementation meets a set of specified security requirements

Page 6: Purpose of an evaluation (continued)

• Accreditation: a formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode, using a prescribed set of safeguards, at an acceptable level of risk. Evaluation and certification are technical judgements; accreditation is the management decision to accept the residual risk of operating the system.

Page 7: Method of an evaluation

• The credibility of an evaluation depends on the evaluation method

• The method needs to prevent situations where:

– An evaluated product is later found to contain a serious flaw

– Different evaluations of the same product disagree in their assessment; hence the method must be repeatable (the same evaluator reaches the same verdict again) and reproducible (a different evaluator reaches the same verdict)

Page 8: Product-oriented versus process-oriented evaluation

• Evaluation methods can be product-oriented or process-oriented

• Product-oriented evaluations examine and test the product itself

• Process-oriented evaluations examine the process by which the product was developed and maintained, and take the quality of that process as evidence about the product

Page 9: Structure of the evaluation criteria

• The product is evaluated on three aspects:

– Functionality: the security features of the product, e.g. MAC, DAC, authentication, auditing

– Effectiveness: the appropriateness of that functionality for the security requirements, i.e. whether the features actually counter the threats in the intended environment

– Assurance: the degree of certainty that the functionality has been implemented correctly

Page 10: Structure of the evaluation criteria (continued)

• The Orange Book looks at all aspects at the same time: each class bundles a fixed set of security features with a fixed level of assurance, so a product cannot be rated for, say, C2 functionality at B2 assurance

• ITSEC is more flexible: it rates functionality (via functionality classes) and assurance (levels E0 to E6) separately, and assesses effectiveness as part of the evaluation

Page 11: Organizational framework

• An evaluation should give an independent verdict on a product

• The independent evaluation facility can be a government agency or a commercial laboratory licensed by the government

• In both cases a government agency backs the evaluation process and issues the certificate

Page 12: Government versus commercial

• If evaluations are done by a government agency, the results should be consistent, but an evaluation may take a long time

• If evaluations are done privately, checks are needed to ensure consistency between facilities, so the precise formulation of the criteria becomes very important. There is also the danger that commercial pressures (the facility is paid by the sponsor) influence the end result.

Page 13: Contracts and procedures

• A contractual relationship is needed between the sponsor of the evaluation, the product manufacturer, and the evaluation facility

• Procedures are needed for starting an evaluation, for issuing evaluation certificates, and for re-evaluating modified versions of evaluated products (a certificate applies only to the evaluated version and configuration, so patches and new releases have to be re-evaluated to keep it)

Page 14: Costs and benefits

• The cost includes both the evaluation fee and the indirect costs (time to gather and produce evidence, liaising with the evaluation team)

• For off-the-shelf software, the cost can be spread over many customers

• For customised systems, the sponsor has to bear all the costs

Page 15: Information Security Management System

• An ISMS provides a systematic approach to managing sensitive information in order to protect it

• It encompasses employees, processes, and information systems

• It should include an evaluation method (risk assessment), safeguards (controls), and a documentation and revision process

Page 16: Getting certified

• Compliance: a self-assessment to check whether the implemented system complies with a standard

• Certification (registration): conferred by an accredited certification body when an organisation successfully completes an independent audit

Page 17: Getting certified (continued)

• Accreditation: an authorised body (the accreditation body) officially recognises the authority and competence of a certification body to evaluate, certify and register organisations against published standards. Note that "accreditation" here refers to a certification body, not to the DAA accreditation of an information system described earlier.

Page 18: ISO/IEC 17799 and BS 7799

• The most widely used reference for building an information security management system

• A structured and internationally recognised guide with recommendations devoted to information security

• Not a product-oriented or technological standard: it specifies management controls, not how a particular product must behave

Page 19: Contents

• Published in two parts:

• ISO/IEC 17799 Part 1: Code of Practice for Information Security Management (guidance on controls; since renumbered as ISO/IEC 27002)

• BS 7799 Part 2: Information Security Management Systems, the specification against which an organisation is audited and certified (later adopted internationally as ISO/IEC 27001)

Page 20: 10 domains of ISO/IEC 17799 (Part 1)

• Security policy

• Organisational security

• Asset classification and control

• Personnel security

• Physical and environmental security

• Communications and operations management

Page 21: 10 domains of ISO/IEC 17799 (Part 1), continued

• Access control

• Systems development and maintenance

• Business continuity management

• Compliance

Page 22: Steps in implementing an ISMS

• Project initiation

• Definition of the ISMS

• Risk assessment

• Risk treatment

• Training and awareness

• Audit preparation

• Audit

• Control and continual improvement

Page 23: Documentation required

• Security manual: policy, scope, risk assessment, statement of applicability (which controls are selected or excluded, and why)

• Procedures: who does what, when, and where

• Working instructions, checklists, forms etc.: describe how tasks and specific activities are carried out

• Records: provide objective evidence of compliance with the ISMS requirements (e.g. audit logs, review minutes, training records)