Domain 3: Security Engineering: Evaluation Methods, Certification, and Accreditation Flashcards


Flashcards in Domain 3: Security Engineering: Evaluation Methods, Certification, and Accreditation Deck (12):
1

TCSEC, ITSEC, and the Common Criteria were designed to answer what questions?

When choosing a security product, how do you know which is best?
How do you know a specific vendor's software will not introduce malicious code?
How do you know how well the software was tested and what the results were?

2

What is the Trusted Computer System Evaluation Criteria (TCSEC) also known as?

The Orange Book.

3

What are the four divisions of protection as described by TCSEC? What are the classes?

D: Minimal Protection
C: Discretionary Protection
C1: Discretionary Security Protection
C2: Controlled Access Protection
B: Mandatory Protection
B1: Labeled Security Protection
B2: Structured Protection
B3: Security Domains
A: Verified Protection
A1: Verified Design

4

What is the TNI / Red Book (Trusted Network Interpretation)?

It brings TCSEC concepts to network systems.

5

What is ITSEC (The European Information Technology Security Evaluation Criteria)?

The first successful international evaluation model. It refers to the TCSEC Orange Book levels, separating functionality (F, how well a system works) from assurance (the ability to evaluate the security of a system). There are two types of assurance: effectiveness (Q) and correctness (E).

6

What is the International Common Criteria?

It is an internationally agreed upon standard for describing and testing the security of IT products.

7

What is the Target of Evaluation (TOE)?

The system or product being evaluated.

8

What is the Security Target (ST)?

The documentation describing the TOE, including the security requirements and operational environment.

9

What is the Protection Profile?

An independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems.

10

What is the Evaluation Assurance Level (EAL)?

The evaluation score of the tested product or system.

11

Within the Common Criteria, how many levels are there in the EAL? What are they?

There are seven:
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed, and tested
EAL7: Formally verified, designed, and tested

12

Regarding the four divisions, which has the highest level of security and which has the lowest?

A is the highest security and D is the lowest.