Background Information and State of the Art
3. Security in Information Systems
3.1 Security standards and regulations
Security management standards aid in the overall and detailed management of security in an organisation. In this work the most relevant standards within the security domain are ISO/IEC 17799:2000 Information Technology – Code of Practice for information security management [55], ISO/IEC TR 13335:2001 Information Technology – Guidelines for management of IT Security [54] and the Australian/New Zealand standard for risk management AS/NZS 4360:2004 [4].
However, it is important to note the distinction between security management and security risk management. The former does not necessarily include any use of structured risk analysis methods, while the latter does. Security management is often aided by checklists, vulnerability analysis and other similar security analyses.
Risk analysis in the context of this work refers to safety analysis methods adapted to the security domain, such as those described in the CORAS framework [97].
The security management standard ISO/IEC 17799 provides recommendations for information security management and supports the people in an organisation who are responsible for initiating, implementing or maintaining security in an organisation. The standard aids in developing organisation-specific security standards and hence supports effective security management in practice. The standard also provides guidelines on how to establish confidence in inter-organisational matters.
The security management standard ISO/IEC 13335 provides guidance on how to manage IT security. Here, the main objectives are to define and describe the concepts associated with the management of IT security, to identify the relationships between the management of IT security and management of IT in general, to present models for reasoning about IT security and to provide general guidance on the management of IT security.
AS/NZS 4360 is a widely recognised and used standard within the risk assessment and management domain. The standard is a general risk management standard that has been tailored for security risk assessment and management in the CORAS framework [97]. The standard includes a risk management process that consists of five assessment sub-processes and two management sub-processes, a detailed activity description for each sub-process, a separate companion guideline standard and general risk management advice. More information on risk management and AS/NZS 4360 is given in Chapter 5.
The last category of security standards relevant for this work is security evaluation standards. ISO 15408:2005 Common Criteria for Information Technology Security Evaluation [15] is an example of a security evaluation standard. Such standards, with their associated evaluation techniques and guidelines, have been around since the beginning of the 1980s. The oldest known standard for evaluation and certification of the information security of IT products is the Trusted Computer System Evaluation Criteria (TCSEC) [24]. The standard was developed by the US Department of Defense (DoD), issued in 1985, and evaluates systems according to six predefined classes: C1, C2, B1, B2, B3 and A1. These classes are hierarchically arranged with A1 as the highest level and C1 as the lowest level (TCSEC actually groups the classes into four divisions, A, B, C and D, but division D denotes minimal protection and is not used for certification). Each class contains both functional and assurance requirements. The functional requirements cover discretionary access control, mandatory access control, identification and authentication, audit and object reuse. TCSEC is also known as the Orange Book and was developed with military IT systems in mind. The standard was to some extent also used to evaluate commercial IT products, but proved too costly and resource-demanding, and thus not sufficiently effective, in an industrial setting.
As a response to the development of TCSEC the United Kingdom, Germany, France and the Netherlands produced their own national evaluation criteria.
These were harmonised and published in 1991 under the name Information Technology Security Evaluation Criteria (ITSEC) [25]. ITSEC certification of a software product means that purchasers can rely on an assessed assurance level for the certified product. As with TCSEC, ITSEC certifies products according to predefined assurance levels (E0, E1, E2, E3, E4, E5 and E6).
A similar activity was also undertaken in Canada by the Communications Security Establishment (CSE), the Canadian government's signals intelligence agency.
The Canadian initiative led to the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) [39]. CTCPEC was published in 1993 and combines the TCSEC and ITSEC approaches.
However, TCSEC, ITSEC and CTCPEC did not sufficiently address the needs of industry, and the International Organization for Standardization (ISO) started combining these efforts into one industry-adapted version called the Common Criteria (ISO 15408). This work started in 1990 and led to the publication of the Common Criteria version 1.0 in 1995. The Common Criteria has since largely taken over from TCSEC, ITSEC and CTCPEC. The idea behind the Common Criteria was to merge the three existing approaches into a worldwide framework for evaluating the security properties of IT products and systems.
The standard incorporates experience from TCSEC, ITSEC, CTCPEC and other relevant standards and provides a common set of requirements for the security functions of IT products and systems. As with its predecessors, certification is done according to predefined levels. In the Common Criteria these are called evaluation assurance levels (EAL) and there are seven of them: EAL1, EAL2, EAL3, EAL4, EAL5, EAL6 and EAL7, where EAL7 is the highest level and includes requirements for the use of formal methods during the development of the IT product.
Associated with the Common Criteria are an international agreement called the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security (CCRA) and an evaluation methodology called the Common Methodology for IT Security Evaluation (CEM). Together these are intended to ensure the consistency and quality of security evaluations, such that results from independent evaluations can be compared and hence aid decision makers (customers) in choosing among security solutions. More information on CCRA and CEM is given in Chapter 4.
A common problem for most security evaluations, however, is the large amount of information involved. The result of an evaluation is also subject to bias, as the evaluation is done by one or a few evaluators. These evaluators must usually be certified to perform the evaluation, but that does not prevent the evaluation from involving a high degree of subjectivity. It is these problems that the AORDD framework, and in particular the AORDD security solution trade-off analysis described in Part 4 of this work and the trust-based information aggregation schema described in Part 5 of this work, is meant to address.