Effective Design of Trusted Information Systems

Luděk Novák, novak@isaca.cz




CATE 2001 - Security and Protection of Information, May 2001

Content

• Brief Introduction into Security Design

• Five Steps of Security Design
  – General Description
  – Security Environment
  – Security Objectives
  – Security Requirements
  – Rationale

• Conclusion


International Standards

• ISO/IEC PDTR 15446:2000 – Information technology – Security techniques – Guide for the production of protection profiles and security targets

• ISO/IEC 15408:1999 – Information technology – Security techniques – Evaluation criteria for IT security


Basic Term

• Target of Evaluation – TOE
  – IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation
  – A formal evaluation is not a necessity


Structure of Design

Target of Evaluation (design document structure):

• General Description
• Security Environment
• Security Objectives
• Security Requirements
• Rationale


General Description

• Background information on TOE and its purpose, usage, operation etc.

– Document Identification

– General TOE Functionality

– TOE Boundary

– TOE Operational Environment


Security Environment

Security Needs (defined over the Assets):

• Assumptions
• Threats
• Organisational Security Policies


Security Environment

• Asset – information or a resource that needs to be protected by TOE countermeasures
  – Data Objects
  – Software
  – Hardware


Security Environment

• Threat – undesirable event characterised by:
  – threat agent
  – attack method
  – vulnerability
  – assets under the attack

• Threat Agent – source of the event, which can be:
  – human
  – non-human


Security Environment

• Assumption – potential threat to assets not relevant to or not involved in TOE security

• Organisational Security Policy – rules, procedures, practices, etc. imposed by the organisation or other authorities


Security Objectives

• Security Objectives for TOE – express what is the responsibility of the TOE and its security functions

• Security Objectives for Environment – address those aspects of the security needs that the TOE will not cover


Security Objectives

Security Needs: Threats, OSPs, Assumptions

Security Objectives: TOE Objectives, Environment Objectives

Security Requirements: IT Security Requirements (TOE, IT Environment), Non-IT Security Requirements


Security Objectives

• Preventative Objectives
  – measures that prevent a threat from being carried out

• Detective Objectives
  – means that detect/monitor events

• Corrective Objectives
  – actions taken in response


Security Requirements

• TOE Security Objectives: Security Functional Requirements (ISO/IEC 15408-2) and Security Assurance Requirements (ISO/IEC 15408-3)

• Environment Security Objectives: Environment Security Requirements


Functional Requirements

Security Functional Requirements identify the demands for the security functions which the TOE must provide to fulfil the security objectives for the TOE.

They can be based on:
– ITSEC’s Generic Headings
– ISO/IEC 15408 – Common Criteria


Functional Requirements

ITSEC Generic Headings:

• Identification and Authentication
• Access Control
• Audit
• Integrity
• Availability
• Privacy
• Data Exchange

ISO/IEC 15408 (Common Criteria) functional classes:

• Security Audit
• Communication
• Cryptographic Support
• User Data Protection
• Identification and Authentication
• Security Management
• Privacy
• Protection of TOE Security Functions
• Resource Utilisation
• TOE Access
• Trusted Path/Channels


Assurance Requirements

Security Assurance Requirements prescribe clear, objective criteria which express the quality of the TOE development.

• Evaluation Assurance Level – EAL
  – EAL1 up to EAL4 – Commercial Security
  – EAL5 up to EAL7 – Special Security Tools


Requirements on Environment

Security Requirements on Environment bring up the claims which would not be under the direct control of any IT security function within the TOE.

– Personnel Security
– Physical Security
– Procedural Security


Rationale

• Security Objectives Rationale – demonstrates that the identified security objectives are suitable to cover all aspects of the security needs

• Security Requirements Rationale – makes evident that the identified security requirements are suitable to meet the security objectives


Rationale

Relations shown in the rationale diagram:

• Security Needs: Threats, OSPs, Assumptions
• Security Objectives (Environment Objectives, TOE Objectives): suitable to meet the Security Needs
• Security Requirements (IT Security Requirements, SOF Claims): suitable to meet and uphold the Security Objectives
• Security Requirements: mutually supportive and consistent with each other


Conclusions

Advantages

• Clear, Transparent and Effective Way
• Simple Sharing of Know-How
• Based on the Well-Known Common Criteria Project

Disadvantages

• Not Officially Approved
• No Direct Connection to Special Security Tools