Flashcards in Domain 3: Security Engineering: Evaluation Methods, Certification, and Accreditation Deck (12):
TCSEC, ITSEC, and the Common Criteria were designed to answer what questions?
When choosing a security product, how do you know which is best?
How do you know a specific vendor's software will not introduce malicious code?
How do you know how well a software was tested and what the results were?
What is the Trusted Computer System Evaluation Criteria (TCSEC) also known as?
The Orange Book.
What are the four divisions of protection as described by TCSEC? What are the classes?
D: Minimal Protection
C: Discretionary Protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
B: Mandatory Protection
B1: Labeled Security Protection
B2: Structured Protection
B3: Security Domains
A: Verified Protection
A1: Verified Design
What is the TNI / Red Book (Trusted Network Interpretation)?
It brings TCSEC concepts to network systems.
What is ITSEC (The European Information Technology Security Evaluation Criteria)?
The first successful international evaluation model. It refers to the TCSEC Orange Book levels, separating functionality (F, how well a system works) from assurance (the ability to evaluate the security of a system). There are two types of assurance: effectiveness (Q) and correctness (E).
What is the International Common Criteria?
It is an internationally agreed upon standard for describing and testing the security of IT products.
What is the Target of Evaluation (ToE)?
The system or product being evaluated.
What is the Security Target (ST)?
The documentation describing the TOE, including the security requirements and operational environment.
What is the Protection Profile?
An independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems.
What is Evaluation Assurance Level (EAL) ?
The evaluation score of the tested product or system.
Within the Common Criteria, how many levels are there in the EAL? What are they?
There are seven:
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed, and tested
EAL7: Formally verified, designed, and tested