
Question

Organizations around the world often assess their IS security mechanisms and practices by using the Trusted Computer System Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC). The two standards are similar, though there are distinctions. Assume that you are the security manager for an organization that writes software. You are reviewing the proposal for a new chat program to be sold for use within an organization. Members of the organization can be physically located anywhere around the world, and your company is promising that all chat communications will be secure. In a 3- to 4-page report, perform the following:

1. Compare and contrast the TCSEC and the ITSEC standards.

2. Determine what features and practices should be included in the design and development of the chat program to qualify it for each of the four TCSEC classes.

3. Determine what your company would have to do to be considered in each of the seven ITSEC classes.

4. Identify where the models overlap.

Explanation / Answer

TCSEC (Trusted Computer System Evaluation Criteria)

TCSEC was developed by the US. This evaluation criterion focuses on addressing the confidentiality of the system; it does not focus on integrity or other requirements. This method is used to check whether the system’s security properties are in accordance with the vendor’s claims. It evaluates whether the given product is appropriate to function, or can be used, in a specific application, and it focuses on reviewing the effectiveness of the product. It makes use of several classes to address the confidentiality of the product and the assurance of its security requirements.

It supports a classification system as shown here:

· A - Verified protection

· B - Mandatory protection: variants B1 < B2 < B3

· C - Discretionary protection: variants C1 < C2

· D - Minimal security

These four assurance levels are concentric: A represents the highest level, while D represents the lowest.

ITSEC (Information Technology Security Evaluation Criteria)

It was created by the European Union. This evaluation criterion is used to address all the issues related to security evaluation. There are two main attributes of evaluation associated with ITSEC, as follows:

· Functionality - during the evaluation of the functionality of system security, different services such as auditing, access control mechanisms, authentication and others are tested and measured.

· Assurance - it refers to the degree of confidence. It addresses the confidentiality of the system’s protection mechanisms and the effectiveness of the system in performing consistently. It is examined by testing several configurations, documentation, development practices and other security mechanisms.

The evaluation criterion of ITSEC evaluates functional requirements by using 10 classes, as shown here:

· F00 - Authentication

· F01 - Audit

· F02 - Resource utilization

· F03 - Trusted paths

· F04 - User data protection

· F05 - Security management

· F06 - Product access

· F07 - Communications

· F08 - Privacy

· F09 - Functionality of system

· F10 - Cryptographic support

To examine the assurance requirements, ITSEC uses 7 classes, as given below:

· E00 - Documentation

· E01 - Configuration management

· E02 - Vulnerability assessment

· E03 - Delivery

· E04 - Life-cycle support

· E05 - Assurance maintenance

· E06 - Development

Difference between TCSEC and ITSEC (see the comparison table at the end of this answer):

In order to qualify for each of the four TCSEC classes, the company’s chat program should verify its protection mechanism. It should satisfy the mandatory protection clause through its different variants. It must provide discretionary protection, evaluated through individual user authentication and safe use.
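As an added illustration (not part of the original answer), the following Python sketch shows how the three enforced TCSEC protection levels named above would appear inside a chat program's message-delivery check: class D with no check, class C with an owner-managed per-room access control list tied to an authenticated individual user and an audit trail, and class B adding sensitivity labels enforced regardless of the ACL. The mandatory rule used here is the Bell-LaPadula "no read up, no write down" ordering, which is an assumption about how the B-class design would be realised; every user, room and label is constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Set


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering used by the mandatory (class B) check.
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class User:
    name: str      # identity established by individual authentication (class C)
    label: Label   # current session label, only consulted in mode "B"


@dataclass
class Room:
    name: str
    label: Label                                     # object label, mode "B"
    readers: Set[str] = field(default_factory=set)   # owner-managed ACL, mode "C"/"B"
    posters: Set[str] = field(default_factory=set)


class ChatPolicy:
    """Reference-monitor style check for message delivery (constructed example)."""

    def __init__(self, mode: str):
        if mode not in ("D", "C", "B"):
            raise ValueError("mode must be D, C or B")
        self.mode = mode
        self.audit: List[str] = []   # individual accountability: every decision is logged

    def _record(self, verdict: str, user: User, action: str, room: Room, reason: str) -> None:
        self.audit.append(
            f"{verdict} user={user.name} action={action} room={room.name} reason={reason}"
        )

    def check(self, user: User, action: str, room: Room) -> bool:
        if action not in ("read", "post"):
            raise ValueError("action must be read or post")
        if self.mode == "D":
            # Class D: minimal security, nothing is enforced.
            return True
        # Discretionary protection (class C): per-room ACL managed by the room owner.
        acl = room.readers if action == "read" else room.posters
        if user.name not in acl:
            self._record("DENY", user, action, room, "not on room ACL")
            return False
        if self.mode == "B":
            # Mandatory protection (class B): labels are enforced even when the ACL allows.
            if action == "read" and not user.label.dominates(room.label):
                self._record("DENY", user, action, room, "no read up")
                return False
            if action == "post" and not room.label.dominates(user.label):
                self._record("DENY", user, action, room, "no write down")
                return False
        self._record("ALLOW", user, action, room, "policy satisfied")
        return True


def demo(mode: str) -> dict:
    """Run one constructed scenario under the given mode and return the verdicts."""
    alice = User("alice", Label(Level.SECRET))
    bob = User("bob", Label(Level.CONFIDENTIAL))
    # The ACLs are deliberately permissive (both users listed as readers everywhere)
    # to show what the mandatory layer catches that discretionary control alone does not.
    ops = Room("ops", Label(Level.CONFIDENTIAL), {"alice", "bob"}, {"alice", "bob"})
    intel = Room("intel", Label(Level.SECRET), {"alice", "bob"}, {"alice"})
    policy = ChatPolicy(mode)
    results = {
        "bob_reads_intel": policy.check(bob, "read", intel),    # read up, denied only in B
        "alice_posts_ops": policy.check(alice, "post", ops),    # write down, denied only in B
        "bob_posts_intel": policy.check(bob, "post", intel),    # not on ACL, denied in C and B
        "alice_reads_intel": policy.check(alice, "read", intel),
    }
    results["audit_entries"] = len(policy.audit)
    return results


if __name__ == "__main__":
    for mode in ("D", "C", "B"):
        print(mode, demo(mode))
```

Running the scenario in all three modes makes the gap between the classes visible: the "bob reads intel" and "alice posts ops" deliveries pass the class C check because the ACL allows them, and are refused only once the class B label check is in place; the class D configuration records nothing at all, which is why it could never satisfy an evaluator's accountability requirement.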

The company is required to go through all seven classes of ITSEC. It should produce proper documentation, evaluate development practices and configuration management, test the protection mechanism, carry out the auditing process and assess the product life cycle.

Both the TCSEC and the ITSEC evaluation methods are used for assessing a system’s security. These methods overlap in evaluating the assurance requirements of the system’s protection mechanism, and both criteria examine the security-related parts of the system.

Comparison of TCSEC and ITSEC:

| TCSEC | ITSEC |
| --- | --- |
| Addresses only confidentiality | Addresses integrity, confidentiality and availability |
| Less flexible | More flexible |
| Addresses stand-alone systems | Addresses networked systems |
| Evaluates functionality and assurance combined | Evaluates functionality and assurance separately |