3.3 Select controls based upon systems security requirements

How do we determine the best system to use for each scenario?  We must select a system that that has been thoroughly tested.  How can it be tested?

  • We perform a technical evaluation that shows how the system performs in comparison with its intended use

  • We compare the actual performance of the system with its design guidelines

  • These tests should be performed by third parties that are not biased

Some evaluation procedures

  • Trusted Computer System Evaluation Criteria (TCSEC) – US Department of Defense developed this system to evaluate technology purchases

    • Also known as the Orange Book – Developed by the National Computer Security Center, it allows evaluators to measure a system’s functionality and trustworthiness.  It is used when evaluating vendor products.  The Orange Book was only intended to evaluate standalone computer systems.

    • The Red Book was developed to provide security to computer networks.  It is also known as the Trusted Network Interpretation of the TCSEC.

    • The Green Book was developed to cover password creation and management.  It is also known as the Department of Defense Password Management Guidelines.

    • The TCSEC is bad because it does not protect the data after users have been granted access

    • It also does not provide a way to control the accuracy or integrity of the data

  • Information Technology Security Evaluation Criteria (ITSEC) – developed by European governments to evaluate technology.  It has three parts

    • We measure how functional the system is – how well it works for users

    • We also measure the assurance – how well the system will work consistently

    • We use a Target of Evaluation – the product that is subject to the evaluation

  • Common Criteria – replaced TCSEC and ITSEC, and jointly developed by USA, Canada, France, Germany, and UK.  Also known as the Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security

TCSEC has four categories

  • Category A – Verified protection

    • Category A1 – Verified Protection

      • Each phase of the system’s development is controlled formally, documented, and verified

      • We must verify each step in the development against the security policy

  • Category B – Mandatory Protection

    • Category B1 – Labelled Security

      • Each subject and each object is given a label

      • We match the subject and object labels to determine whether there is permission for a subject to access an object

    • Category B2 – Structured Protection

      • Like Category B1, but without any covert channels

      • Operator and administrator functions must be separate

    • Category B3 – Security Domains

      • More separation and isolation than Category B2

      • B3 systems must be secure even during the boot process

  • Category C – Discretionary Protection

    • Category C1 – Discretionary Security Protection

      • Access is controlled by user ID and groups

      • Weak protection only

    • Category C2 – Controlled Access Protection

      • Users must be identified individually to access objects

      • Media cleansing between use

      • Strict login procedures

  • Category D – Minimal Protection


  • The TCSEC only provides confidentiality – it makes sure that the data is protected from unauthorized access, but it doesn’t protect it from changes

  • When we make changes to a system, we must re-evaluate the entire system


  • The ITSEC provides Confidentiality, Integrity, and Availability

  • Does not require a TCB (a trusted computing base)

  • We can make changes to a system without having to re-evaluate the entre system to verify that it has remained secure

Common Criteria (CC)

  • Global task force that was established to create criteria that adhere to TCSEC, ITSEC and other standards

  • Products can be certified to be CC Compliant, but that does not guarantee that they are TCSEC or ITSEC compliant

  • CC is represented by Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security – and is considered an international standard – ISO 15408, Evaluation Criteria for Information Technology Security

  • Sections of the Common Criteria

    • Part 1 – Introduction and General Model – the concepts that we use to evaluate our security

    • Part 2 – Security Functional Requirements – audits, communications security, cryptography, data protection, IAM, security management, TOE Security Functions, system access

    • Part 3 – Security Assurance – configuration management, delivery, guidance, lifecycle support

  • Why should we use products that have been certified to Common Criteria Compliant?

    • Provides assurance that the products we use are secure

    • Ensures that vendors do not need to obtain multiple certifications for their products (a product certified under Common Criteria meets many other standards automatically)

    • Makes security evaluations efficient

    • Provides consistency for security evaluations

    • Allows more manufacturers to evaluate/certify their products, which allows for a larger range of certified products to be available in the market

    • Allows us to evaluate not just security, but functionality of the product

  • Protection Profiles (PPs) – this tells us the required security specifications that the customer wants.  A customer creates a PP for each type of product and security level combination that it requires.

  • Security Targets (STs) – this tells us the security specifications that are in the product, as stated by the vendor.  A vendor creates an ST for each product.

  • There are multiple EALs, or Evaluation Assurance Levels.  Our product can also have an EAL in addition to an ST.

    • EAL1 – Functionally Tested.  We know that the product operates correctly and there is no threat to security.  This is good when we are protecting personal information.

    • EAL2 – Structurally Tested.  We know that the product meets commercial standards.  This is good for older systems.

    • EAL3 – Methodically Tested and Checked.  We use this when we have a product that we are developing, so that we can evaluate it during the design.

    • EAL4 – Methodically Designed, Tested, and Reviewed.  We use this when we need good security during the engineering and development phases.  We can use this when we don’t need special knowledge to evaluate the system

    • EAL5 – Semi-Formally Designed and Tested.  We use this when we need good security during engineering and development and when we need special skills to evaluate the system.

    • EAL6 – Semi-Formally Verified, Designed, and Tested.  We use strong security techniques, especially when there is a high risk or where we are protecting a valuable asset.

    • EAL7 – Formally Verified, Designed, and Tested.  We use this for the highest risk scenarios.

  • When we are shopping for a product, we compare our PP (what we want the product to have) to the potential product STs (what the products offered have) and select a product that gives us the necessary PPs

  • We can choose a vendor based on an Evaluation Assurance Level (EAL) or Common Criteria.  This gives us vendors more flexibility to choose products.

  • We do not use the CC to evaluate people, physical security, or the organization.  Once the system is built and installed, the CC no longer applies.

Let’s compare the different security frameworks

DF-D + E0EAL0 or EAL1Minimal or No Protection
C1F-C1 + E1EAL2Discretionary Security
C2F-C2 + E2EAL3Controlled Access
B1F-B1 + E3EAL4Labelled Security
B2F-B2 + E4EAL5Structured Security
B3F-B3 + E5EAL6Security Domains
A1F-B3 + E6EAL7Verified Security

Other evaluation frameworks that are in use

  • Payment Card Industry Data Security Standard (PCI DSS)

    • Security of credit card systems

    • Developed by banks and credit card issuers to secure payment data

  • International Organization for Standardization (ISO)

    • Worldwide group that sets standards for many different areas

    • ISO standards are used by many industries and may be required by laws or regulations

    • You can select the ISO standards that apply to your organization.

Formal Evaluation has two processes: Certification and Accreditation.  The evaluation process depends on the requirements of the organization.

  • Certification

    • We evaluate the features of the system to ensure that they meet our security requirements

    • We first select the criteria, then we analyse each component to determine whether it meets the criteria

    • We must evaluate all controls in the system

    • Once we have completed the evaluation, we will know what security level our system supports.  We select a security level based on the evaluation of all the components (the security level of the overall system is based on the lowest security level of any component).

    • The security level is affected by the system’s location and physical security.  If we make any changes, the certification might change.

  • Accreditation

    • Once the certification is complete, we compare the system’s attributes to the organization’s needs.

    • We review the certification to determine if it meets the organization’s needs.  If it does, then it is accredited. 

    • A Designated Approving Authority (DAA) provides the formal accreditation.  The DAA is somebody who is experienced in evaluating systems in accordance with a specific standard.

    • That means that the system can operate in accordance with the standards

  • We might use an iterative process to certify and accredit our system.  Many systems are subject to constant changes.  We might specify that the system will need to be re-evaluated on a regular basis.

  • Department of Defence Certification Frameworks

    • Risk Management Framework – this is the current standard

    • DoD Information Assurance Certification and Accreditation Process (DIACAP) – previous standard

    • Defense Information Technology Security Certification and Accreditation Process (DITSCAP) – previous standard

    • Committee on National Security Systems Policy (CNSSP)

    • National Information Assurance Certification and Accreditation Process (NICAP) – previous standard

      • Phase 1 – Definition – assign people, document the purpose, create a System Security Authorization Agreement

      • Phase 2 – Verification – fine tune the SSAA

      • Phase 3 – Validation – further fine tune the SSAA

      • Phase 4 – Post Accreditation – maintain the SSAA

    • NICAP has three types of accreditation

      • System Accreditation – a major system is evaluated

      • Site Accreditation – applications at a specific location are evaluated

      • Type Accreditation – an application that is distributed to many locations is evaluated