
CS 4050 Computer Security - Assignment

Comparison and contrast on TCSEC, CC, SSE-CMM and ISO27001

Group members:
B. Gokulakrishnan - 080125J
P. Priyanthan - 080389U
N. Prasath - 080372L
T. Ragavan - 080395J

The comparison is organized by criterion, with one entry for each of TCSEC, CC, SSE-CMM and ISO 27001.

Unabbreviated name

TCSEC: Trusted Computer System Evaluation Criteria
CC: Common Criteria
SSE-CMM: Systems Security Engineering Capability Maturity Model
ISO 27001: Not an abbreviation. The full name is ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements.

Applicability

All four: Security systems and services

Type

TCSEC: Methodology
CC: Hierarchical framework
SSE-CMM: Reference model
ISO 27001: Standardized framework

Objectives

TCSEC: Defines the 4 key factors of Policy, Accountability, Assurance and Documentation.
- Policy: must be explicit, well-defined and enforced by the computer system (types: Mandatory, Marking and Discretionary).
- Accountability: individual accountability, regardless of policy, must be enforced (types: Identification, Authentication and Auditing).
- Assurance: the computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the above requirements (contains Assurance Mechanisms, Operational Assurance, Life-cycle Assurance and Continuous Protection Assurance).
- Documentation: addresses the development, deployment and management of the system rather than its capabilities.

CC: Defines the Common Criteria Recognition Arrangement, and requires the participants of the arrangement to:
1. Ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.
2. Improve the availability of evaluated, security-enhanced IT products and protection profiles.
3. Eliminate the burden of duplicating evaluations of IT products and protection profiles.
4. Continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles.

SSE-CMM: Describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. The model is intended to be used as a:
- Tool for engineering organizations to evaluate security engineering practices and define improvements to them.
- Standard mechanism for customers to evaluate a provider's security engineering capability.
- Basis for security engineering evaluation organizations (e.g., system certifiers and product evaluators) to establish organization capability-based confidences (as an ingredient to system or project security and assurance).

ISO 27001: The objective of the standard is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). Further, the design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization.

Origins

TCSEC: Initially issued by the National Computer Security Center (NCSC, an arm of the National Security Agency) in 1983 and then updated in 1985. Cancelled by DoD directive in 2004 and superseded by CC in 2005.
CC: Produced by unifying 3 separate standards (ITSEC, the European standard; CTCPEC, the Canadian standard; and TCSEC, the United States Dept. of Defense standard).
SSE-CMM: Developed by the International Systems Security Engineering Association (ISSEA) and standardized as ISO/IEC 21827.
ISO 27001: Combines the coverage of 3 parts of the British standard BS7799 (1995, 1999 and 2005).

Appraisal process

TCSEC: Defines four divisions, D, C, B and A, where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place in the evaluated system. Divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1. Each division and class expands or modifies, as indicated, the requirements of the immediately prior division or class.

CC:
1. Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or level of assurance.
2. Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies.
3. The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation.

SSE-CMM: Uses multiple data-gathering methods to obtain information on the processes being practiced within the organization or project selected for appraisal. Defines five capability levels:
1. Performed informally
2. Planned and tracked
3. Well defined
4. Quantitatively controlled
5. Continuously improving
A capability level from 1 to 5 is determined for each process area and displayed in a simple bar chart. The actual results of an appraisal include significant detail about each of the areas in this summary and detailed findings.

ISO 27001: Requires the organization to:
- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an on-going basis.

