
Certification Objective 3.02–Describe the Benefits of Evaluation Standards

Evaluation standards and frameworks can be powerful and valuable tools in the information security arsenal when well understood and properly applied. They may be used to prove a professional's mastery of his or her trade (professional certifications), a system's level of assurance (Common Criteria—see the next section), or an organization's compliance with standards. In this part of the chapter, we'll take a look at some evaluation standards to outline their benefits.

Exam Watch 

The aim of the exam objectives covered in this chapter is to test your understanding of the security process life cycle approach. As mentioned previously, the topics covered in Part I of this guide are general security concepts that are universally applicable, even though particulars of their implementations may vary. Candidates should concentrate on their understanding of the spirit rather than the letter of these approaches. Although the Sun Certified Security Administrator for Solaris examination tests your mastery of the Solaris operating environment's security features and tools first and foremost, clear appreciation of information security as a vendor-neutral discipline is necessary to pass the exam.

The Common Criteria (ISO 15408)

The Common Criteria for Information Technology Security Evaluation, or Common Criteria for short, is the product of the cooperation between national information systems security organizations of the United States, France, Germany, the United Kingdom, the Netherlands, and Canada. It builds upon the experience gained from preceding evaluation standards: the U.S. Trusted Computing Systems Evaluation Criteria (TCSEC), Canadian Trusted Computing Products Evaluation Criteria (CTCPEC), and the European Information Technology Security Evaluation Criteria (ITSEC). The Common Criteria defines seven levels of assurance that are granted to systems after they are evaluated against one or several of the "Common Criteria Protection Profiles" by an accredited evaluation body. The granted certification is intended to be valid in all countries recognizing Common Criteria certifications. In practice, this means, for example, that a Canadian product certified to a certain evaluation assurance level in France may be used by those organizations that require Common Criteria certification in the United States and the other previously mentioned countries without unnecessary and costly reevaluation.

Evaluation Assurance Levels (EALs)

Common Criteria defines seven evaluation assurance levels that aim to reflect trustworthiness of evaluated systems, ranging from EAL1, the lowest level, to EAL7, the highest level of assurance. Although they express the assurance level of evaluated systems, evaluation assurance levels are meaningless without knowing against which Protection Profile (PP) the systems have been evaluated. To understand the meaning and impact of a Common Criteria evaluation, it is necessary to know both the evaluation assurance level and the protection profile under which it was issued.

Functionally Tested (EAL1)  EAL1 involves testing against a specification and review of system documentation. EAL1 certification provides evidence that the system functions in accordance with its documentation. This is the lowest evaluation assurance level.

Structurally Tested (EAL2)  At EAL2, a more structured approach is applied to testing against specification and review of documentation than at EAL1.

Methodically Tested and Checked (EAL3)  EAL3 is applicable in situations when there is a need for independently assured moderate security. EAL3 involves thorough examination of the system and its development environment and controls.

Methodically Designed, Tested, and Reviewed (EAL4)  EAL4 is the highest practical level of assurance that may be gained using good commercial development practices. Higher levels (EAL5–7) require special development methodologies and procedures that are expensive and not commonplace.

Exam Watch 

The Solaris operating system complies with EAL4.

Semiformally Designed and Tested (EAL5)  EAL5 requires analysis that includes all of the implementation. Assurance is provided by a formal model and a semiformal functional specification.

Semiformally Verified Design and Tested (EAL6)  At EAL6, specialized security engineering techniques are required and a systematic search for vulnerabilities is performed.

Formally Verified Design and Tested (EAL7)  EAL7 provides the highest level of assurance. At EAL7, white box testing and complete independent verification of test results are required. Because of extremely high costs associated with EAL7, it is appropriate only for systems requiring the highest level of assurance.

Protection Profiles

Protection Profiles (PPs) are the sets of requirements and definitions against which systems are evaluated and awarded EALs. Because different systems in different environments have distinct security requirements, different PPs are employed. In particular, Common Criteria PPs exist for the following types of systems:

  • Operating systems

  • Biometrics

  • Certificate management

  • Firewalls

  • Intrusion detection systems

  • Peripherals

  • Public key management infrastructures

  • Security tokens

Other protection profiles may be developed and used when no appropriate PPs exist.

ISO 17799

ISO 17799, Code of Practice for Information Security Management, is an international standard published by the International Organization for Standardization (ISO). It is based on British Standard 7799 Part 1. To describe ISO 17799, it is best to refer to the official description:

It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium, and small organizations. The term organization is used throughout the standard to mean both profit and non-profit making organizations such as public sector organizations.

Not all of the controls described in this document will be relevant to every situation. It cannot take account of local system, environmental, or technological constraints. It may not be in a form that suits every potential user in an organization.

Consequently the document may need to be supplemented by further guidance. It can be used as a basis from which, for example, a corporate policy or an inter-company trading agreement can be developed.

As a code of practice this standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification, and particular care should be taken to ensure that claims of compliance are not misleading.

Despite its limitations, ISO 17799 is a useful and widely used framework for information security management. Its popularity has only increased with time. ISO 17799 covers the following ten domains of information security:

  1. Security policy
    1.1 Information security policy
  2. Security organization
    2.1 Information security infrastructure
    2.2 Security of third-party access
    2.3 Outsourcing
  3. Asset classification and control
    3.1 Accountability for assets
    3.2 Information classification
  4. Personnel security
    4.1 Security in job definition and resourcing
    4.2 User training
    4.3 Responding to security incidents and malfunctions
  5. Physical and environmental security
    5.1 Secure areas
    5.2 Equipment security
    5.3 General controls
  6. Communications and operations management
    6.1 Operational procedures and responsibilities
    6.2 System planning and acceptance
    6.3 Protection against malicious software
    6.4 Housekeeping
    6.5 Network management
    6.6 Media handling and security
    6.7 Exchanges of information and software
  7. Access control
    7.1 Business requirement for access control
    7.2 User access management
    7.3 User responsibilities
    7.4 Network access control
    7.5 Operating system access control
    7.6 Application access control
    7.7 Monitoring system access and use
    7.8 Mobile computing and teleworking
  8. Systems development and maintenance
    8.1 Security requirements of systems
    8.2 Security in application systems
    8.3 Cryptographic controls
    8.4 Security of system files
    8.5 Security in development and support processes
  9. Business continuity management
    9.1 Aspects of business continuity management
  10. Compliance
    10.1 Compliance with legal requirements
    10.2 Reviews of security policy and technical compliance
    10.3 System audit considerations

As you can see, ISO 17799 covers different security areas that are essential for effective information security management. It is currently being revised by an international working group, and it is expected that a new release of the standard will be published in 2005 or 2006.

Certification, Evaluation, and Accreditation

Certification is the technical evaluation of systems and issuance of an opinion regarding their compliance with a defined set of requirements, usually (but not necessarily) for the purpose of accreditation. During evaluation, the evaluating body may look at the requirements, specifications, design, and implementation of the system in question to ascertain whether it meets the particular requirements. The certifying body, usually an independent and qualified third party, audits a system for compliance with an established set of security requirements. Accreditation, in contrast, is the formal acceptance of the adequacy of the system's overall security by the management of a particular organization, according to that organization's formal requirements for accreditation, which may in particular cover questions such as how closely the system follows system specifications and whether the security controls are well implemented. Certification is a basis for accreditation, but the responsibility for the accredited system lies mainly with the management of the organization that accredits the system. Certification and accreditation are particularly important in government, military, and financial services industries.

Exam Watch 

It is important that you know and understand the difference between certification, evaluation, and accreditation for the exam. An evaluating body evaluates requirements, specifications, design, and implementation of the system; the system can then be certified to be in compliance; and accreditation comes last and is the formal acceptance of the organization's requirements, specifications, design, and implementation.
