SECURITY GUIDELINES IN INFORMATION TECHNOLOGY FOR THE PROFESSIONAL PRACTITIONER
APPENDIX 5 - ITSEC AND ITSEM

Potential procurers and accreditors responsible for choosing, installing or using IT products and systems have, in the past, faced considerable difficulty in choosing an IT product or system purporting to provide a 'secure environment'. Until recently, the only creditable set of non-subjective criteria appeared in the American 'Trusted Computer Systems Evaluation Criteria' (TCSEC - the Orange Book) and the concomitant Yellow Book, which gave guidance on the use of the Orange Book in the American Government (military) environment. TCSEC provided the first basis for the independent certification of 'trusted computer systems'.

The situation is changing. Currently (06/07/94), effort on an international scale is being expended on the drafting of a document entitled the 'Common Criteria for Information Technology Security Evaluation'. Version 0.6 was issued for discussion on 22/04/94. However, in view of its draft status and for the purpose of these Guidelines, what follows is based on two other documents of European origin - ITSEC and ITSEM* - which, in the UK and certain other European countries, are in use as the basis of certification schemes.

Adopting ITSEC, the UK Government, in May 1991, established the IT Evaluation and Certification Scheme under the auspices of the Department of Trade and Industry. To quote the DTI, the Scheme allows for the provision of independent evaluation services to all sectors of industry, commerce and government. Evaluations are performed by Commercial Licensed Evaluation Facilities (CLEFs), which are themselves assessed by the National Measurement Accreditation Service (NAMAS) for compliance with EC Standard EN 45001 and ISO Guide 25. The scheme formalises the basis on which evaluations (by CLEFs) are, in turn, certified.

A companion document to ITSEC is the 'IT Security Evaluation Manual' (ITSEM), intended to ensure that a common standard applies to UK accredited CLEFs and that, within Europe, one country's evaluations/certifications can be accepted by another.

Version 1.2 of ITSEC, published in June 1991, fully describes the criteria. As described in ITSEC, claims will be made (by a vendor, say) that an IT system or product maintains confidentiality, integrity and availability by means of technical security enforcing functions covering such areas as access control, auditing and error recovery. A potential procurer or user will need to have confidence in those claims, in the correctness of those functions or in their effectiveness. The security enforcing functions may be individually specified or defined by reference to a pre-defined functionality class or classes; ITSEC contains ten example functionality classes.

For evaluation purposes a 'target of evaluation' (TOE) is constructed by a 'sponsor' (who may be the vendor). The TOE will contain security enforcing components, but may also contain security relevant components and components which do not contribute to the security objectives of the TOE. The security objectives take into account legal and other regulations and the extent to which they form the contribution to security the TOE is intended to provide. A CLEF will be concerned with the evaluation of those components stated to be security enforcing and security relevant. However, a CLEF will also verify that the other components are neither security enforcing nor relevant. There are six evaluation levels - E1 to E6. To quote ITSEC, not all of these levels will necessarily be needed by, or appropriate for, all market sectors.

The above has described evaluation - the assessment of an IT system or product against criteria determined by the vendor (or sponsor) of the product or system. The next step is certification - the examination of the evaluator's report and, assuming that the report is satisfactory, the issue of a formal statement confirming the results of an evaluation, and that the evaluation criteria used were correctly applied. The product or system is then certified.

There is, however, a third stage - accreditation*. Above, one meaning of this term has been used in the context of CLEFs. A second meaning is - the procedure for accepting an IT product or system for use within a particular environment. In the main, such accreditation applies to systems rather than to products. With or without ITSEC, someone has to act as an 'accreditor'. Within ITSEC, an accreditor's level of confidence in using a certified product or system will be raised appropriately.

ITSEM is a technical document applying to both the commercial and government sectors. It describes evaluation methods in detail with the aim of demonstrating that ITSEC evaluations carried out in different environments are technically equivalent and that one country's certifications are valid in another.

It is germane to note that the use of a given certified product can, itself, be a countermeasure. Such a countermeasure may, or may not, be adopted at the discretion of management.

A Certified Products List is published as part of the UK Security Evaluation and Certification Scheme. Copies are available from:

UK IT Security Evaluation and Certification Scheme
Room 2/0804
Fiddlers Green Lane
Cheltenham
Gloucestershire GL52 5AJ