Assurance is simply defined as the degree of confidence in satisfaction of security needs. The following sections summarize guidelines and standards that have been developed to evaluate and accept the assurance aspects of a system.
Evaluation Criteria
In 1985, the Trusted Computer System Evaluation Criteria (TCSEC) was developed by the National Computer Security Center (NCSC) to provide guidelines for evaluating vendors’ products for the specified security criteria. TCSEC provides the following:
§ A basis for establishing security requirements in the acquisition specifications
§ A standard of the security services that should be provided by vendors for the different classes of security requirements
§ A means to measure the trustworthiness of an information system
The TCSEC document, called the Orange Book because of its color, is part of a series of guidelines with covers of different colors called the Rainbow Series. The Rainbow Series is covered in detail in Appendix B. In the Orange Book, the basic control objectives are security policy, assurance, and accountability. TCSEC addresses confidentiality, but does not cover integrity. Also, functionality (the security controls applied) and assurance (confidence that the security controls are functioning as expected) are not separated in TCSEC as they are in the evaluation criteria developed later. The Orange Book defines the major hierarchical classes of security by the letters D through A as follows:
§ D. Minimal protection
§ C. Discretionary protection (C1 and C2)
§ B. Mandatory protection (B1, B2, and B3)
§ A. Verified protection; formal methods (A1)
The DoD Trusted Network Interpretation (TNI) is analogous to the Orange Book. It addresses confidentiality and integrity in trusted computer/communications network systems and is called the Red Book. The Trusted Data Base Management System Interpretation (TDI) addresses trusted database management systems.
The European Information Technology Security Evaluation Criteria (ITSEC) addresses confidentiality, integrity, and availability. The product or system to be evaluated under ITSEC is defined as the Target of Evaluation (TOE). The TOE must have a security target, which includes the security enforcing mechanisms and the system’s security policy.
ITSEC separately evaluates functionality and assurance, and it includes ten functionality classes (F), eight assurance levels (Q), seven levels of correctness (E), and eight basic security functions in its criteria. It also defines two kinds of assurance. One assurance measure is of the correctness of the security functions’ implementation, and the other is the effectiveness of the TOE while in operation.
The ITSEC ratings are in the form F-X,E, where the functionality class (F) and the assurance level (E) are listed. The ITSEC ratings that are equivalent to TCSEC ratings are:
§ F-C1, E1 = C1
§ F-C2, E2 = C2
§ F-B1, E3 = B1
§ F-B2, E4 = B2
§ F-B3, E5 = B3
§ F-B3, E6 = A1
The other classes of the ITSEC address high integrity and high availability.
TCSEC, ITSEC, and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) have evolved into one evaluation criteria, called the Common Criteria. The Common Criteria defines a Protection Profile that specifies the security requirements and protections of a product that is to be evaluated. The functional requirements of the Common Criteria are organized around TCB entities. These entities include physical and logical controls, start-up and recovery, reference mediation, and privileged states. The Common Criteria are discussed in Appendix G. As with TCSEC and ITSEC, the ratings of the Common Criteria are also hierarchical.
Certification and Accreditation
In many environments, formal methods must be applied to ensure that the appropriate information system security safeguards are in place and that they are functioning per the specifications. In addition, an authority must take responsibility for putting the system into operation. These actions are known as certification and accreditation.
Formally, the definitions are as follows:
Certification. The comprehensive evaluation of the technical and non-technical security features of an information system and the other safeguards, which are created in support of the accreditation process, to establish the extent to which a particular design and implementation meets the set of specified security requirements.
Accreditation. A formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
The certification and accreditation of a system must be checked after a defined period of time or when changes occur in the system and/or its environment. Then, recertification and re-accreditation are required.
DITSCAP and NIACAP
Two U.S. defense and government certification and accreditation standards have been developed for the evaluation of critical information systems. These standards are the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and the National Information Assurance Certification and Accreditation Process (NIACAP).
DITSCAP
DITSCAP establishes a standard process, a set of activities, general task descriptions, and a management structure to certify and accredit IT systems that will maintain the required security posture. The process is designed to certify that the IT system meets the accreditation requirements and that the system will maintain the accredited security posture throughout its life cycle. The four phases of the DITSCAP are:
Phase 1, Definition. Phase 1 focuses on understanding the mission, the environment, and the architecture in order to determine the security requirements and level of effort necessary to achieve accreditation.
Phase 2, Verification. Phase 2 verifies the evolving or modified system’s compliance with the information agreed on in the System Security Authorization Agreement (SSAA). The objective is to use the SSAA to establish an evolving, yet binding, agreement on the level of security required before system development begins or changes to a system are made. After accreditation, the SSAA becomes the baseline security configuration document.
Phase 3, Validation. Phase 3 validates the compliance of a fully integrated system with the information stated in the SSAA.
Phase 4, Post Accreditation. Phase 4 includes the activities that are necessary for the continuing operation of an accredited IT system in its computing environment, and for addressing the changing threats a system faces through its life cycle.
NIACAP
The NIACAP establishes the minimum national standards for certifying and accrediting national security systems. This process provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that maintain the information assurance and the security posture of a system or site. The NIACAP is designed to certify that the information system meets the documented accreditation requirements and will continue to maintain the accredited security posture throughout the system’s life cycle.
There are three types of NIACAP accreditation:
§ A site accreditation. Evaluates the applications and systems at a specific, self-contained location.
§ A type accreditation. Evaluates an application or system that is distributed to a number of different locations.
§ A system accreditation. Evaluates a major application or general support system.
The NIACAP is composed of four phases — Definition, Verification, Validation, and Post Accreditation — that are essentially identical to those of the DITSCAP.
Currently, the Commercial Information Security Analysis Process (CIAP) is being developed for the evaluation of critical commercial systems using the NIACAP methodology.