Controls for Systems Security Requirements
Building secure software is critical to information security. Also the systems that software runs on must themselves be securely designed and built.
In order to evaluate any program or system, technical evaluation evaluates the performance and security-related capabilities. They are also compared with other competing products to evaluate different aspects.
In an information system, there are different evaluation models that are available to test them. Some of the product evaluation models are the following:
- TCSEC: The Trusted Computer System Evaluation Criteria (TCSEC) is the formal implementation of the Bell-LaPadula model. TCSEC was the first trusted computer system evaluation methodology. In this model, the emphasis was on confidentiality and the protection of government-classified information.
- ITSEC: Information Technology Security Evaluation Criteria (ITSEC) Security capabilities evaluation is a necessary procedure before enforcing it into an IT system. Accreditation ensures the capabilities, correctness, & effectiveness for an intended purpose in an information system. Unlike TCSEC, the European Information Technology Security Evaluation Criteria (ITSEC) addresses confidentiality, integrity, and availability, as well as evaluating an entire system, defined as a Target of Evaluation (TOE). ITSEC evaluates functionality (security objectives, or why; security-enforcing functions, or what; and security mechanisms, or how) and assurance (effectiveness and correctness) separately. There are ten functionality (F) classes and seven evaluation (E) (assurance) levels.
- Common Criteria: The Common Criteria, ISO/IEC 15408, Evaluation Criteria for Information Technology Security evaluates the security with the series of defined criteria for security assurance. Common Criteria is developed to assess the security products and systems. CC is an international effort to design the common methodology for IT security evaluation.
TCB: The trusted computer base (TCB) is the sum of all the protection mechanisms within a computer and is responsible for enforcing the security policy. This includes hardware, software, controls, and processes.
Read about TCSEC Evaluation Classes.
Read about ITSEC Evaluation Levels.
Evaluation Assurance Level (EAL)
The CC (Common Criteria) has provided 7 predefined assurance packages known as Evaluation Assurance Levels (EALs):
- EAL 1: This assurance level have applications where the threat to security is not serious at now.
- EAL 2: This level is applicable when low to moderate level of independently assured security is required.
- EAL 3: It is suitable for places where a moderate level of security is required.
- EAL 4: Suitable for medium-high levels of security required.
- EAL 5: It is applicable where a high level of independently assured security is required.
- EAL 6: This evaluation level is applicable where assets are valuable, and risks are high. The additional requirements are on analysis, design, development, configuration management.
- EAL 7: This is applicable where assets are highly valuable, and the risks are extremely high. So, the assurance is gained through the application of methods include testing and formal analysis.