Effective Design of Trusted Information Systems Luděk Novák,


May 2001 CATE Security and Protection of Information

Content
Brief Introduction into Security Design
Five Steps of Security Design
– General Description
– Security Environment
– Security Objectives
– Security Requirements
– Rationale
Conclusion

International Standards
ISO/IEC PDTR 15446:2000
– Information technology – Security techniques – Guide for the production of protection profiles and security targets
ISO/IEC 15408:1999
– Information technology – Security techniques – Evaluation criteria for IT security

Basic Term
Target of Evaluation - TOE
– IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation
– A formal evaluation is not a necessity

Structure of Design

General Description
Background information on TOE and its purpose, usage, operation etc.
– Document Identification
– General TOE Functionality
– TOE Boundary
– TOE Operational Environment

Security Environment

Security Environment
Asset
– information or a resource, which needs to be protected by TOE countermeasures
– Data Objects
– Software
– Hardware

Security Environment
Threat
– undesirable event characterised by:
  threat agent
  attack method
  vulnerability
  assets under the attack
Threat Agent
– source of event, which can be:
  human
  non-human

Security Environment
Assumption
– potential threat to assets not relevant to or not involved in TOE security
Organisational Security Policy
– rules, procedures, practices, etc. imposed by organisation or other authorities

Security Objectives
Security Objectives for TOE
– express what is the responsibility of the TOE and its security functions
Security Objectives for Environment
– address aspects of the security needs that the TOE will not cover

Security Objectives

Security Objectives
Preventative Objectives
– measures that prevent a threat from being carried out
Detective Objectives
– means to detect/monitor events
Corrective Objectives
– actions taken in response

Security Requirements

Functional Requirements
Security Functional Requirements identify demands for the security functions which the TOE must provide to fulfil the security objectives for the TOE.
They can be based on:
– ITSEC’s Generic Headings
– ISO15408 – Common Criteria

Functional Requirements

Identification and Authentication
Access Control
Audit
Integrity
Availability
Privacy
Data Exchange

Security Audit
Communication
Cryptographic Support
User Data Protection
Identification and Authentication
Security Management
Privacy
Protection of TOE Security Functions
Resource Utilisation
TOE Access
Trusted Path/Channels

Assurance Requirements
Security Assurance Requirements prescribe clear objective criteria which express the quality of the TOE development.
Evaluation Assurance Level – EAL
– EAL1 up to EAL4 – Commercial Security
– EAL5 up to EAL7 – Special Security Tools

Requirements on Environment
Security Requirements on Environment state the claims which would not be under the direct control of any IT security function within the TOE.
– Personnel Security
– Physical Security
– Procedural Security

Rationale
Security Objectives Rationale
– demonstrates that the identified security objectives are suitable to cover all aspects of the security needs
Security Requirements Rationale
– makes evident that the identified security requirements are suitable to meet the security objectives

Rationale
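
The traceability that the two rationales demand can be checked mechanically. The following Python code is an added example, not part of the original presentation: the T./P./A./O./OE. labels, ENV.LOCKED_ROOM and all mappings are constructed for illustration, while FIA_UAU.2 and FAU_GEN.1 are component names from ISO/IEC 15408 part 2.

```python
# Added example: traceability check behind the two rationales.
# All identifiers and mappings below are constructed for illustration.
ENVIRONMENT = {  # security environment item -> kind
    "T.MASQUERADE": "threat",
    "T.TAMPER": "threat",
    "P.ACCOUNTABILITY": "policy",
    "A.PHYSICAL": "assumption",
}
OBJECTIVES = {  # objective -> (responsible party, environment items addressed)
    "O.AUTH": ("toe", {"T.MASQUERADE"}),
    "O.AUDIT": ("toe", {"P.ACCOUNTABILITY"}),
    "O.CRYPTO": ("toe", set()),
    "OE.SITE": ("environment", {"A.PHYSICAL"}),
}
REQUIREMENTS = {  # requirement -> (kind, objectives it helps to meet)
    "FIA_UAU.2": ("functional", {"O.AUTH"}),
    "FAU_GEN.1": ("functional", {"O.AUDIT"}),
    "ENV.LOCKED_ROOM": ("environment", {"OE.SITE"}),
}
SIDE = {"toe": "functional", "environment": "environment"}


def check_rationale(environment, objectives, requirements):
    """Return the sorted (problem, identifier) gaps in both rationales."""
    gaps = []
    addressed = set().union(*(items for _, items in objectives.values()))
    # Security objectives rationale: every need is covered by an objective.
    for item, kind in environment.items():
        if item not in addressed:
            gaps.append((f"uncovered {kind}", item))
    for name, (owner, items) in objectives.items():
        if not items & environment.keys():
            gaps.append(("objective without need", name))
        # Security requirements rationale: every objective is met by a
        # requirement of the matching kind (TOE function or environment).
        kinds = {k for k, objs in requirements.values() if name in objs}
        if SIDE[owner] not in kinds:
            gaps.append(("objective without requirement", name))
    for req, (_, objs) in requirements.items():
        if not objs & objectives.keys():
            gaps.append(("requirement without objective", req))
    return sorted(gaps)


if __name__ == "__main__":
    for problem, identifier in check_rationale(ENVIRONMENT, OBJECTIVES, REQUIREMENTS):
        print(f"{problem}: {identifier}")
```

On the constructed sample the check reports the threat T.TAMPER as uncovered and O.CRYPTO as an objective with neither a need nor a requirement behind it; an empty result means both rationales hold.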

Conclusions
Advantages
– Clear, Transparent and Effective Way
– Simple Sharing of Know-How
– Based on Well-Known Common Criteria Project
Disadvantages
– Not Officially Approved
– No Direct Connection to Special Security Tools