Share on Facebook Share on Twitter Email
Answers.com

ITSEC

 
Computer Desktop Encyclopedia: NCSC
Home > Library > Technology > Computer Encyclopedia

(National Computer Security Center) The arm of the U.S. National Security Agency that defines criteria for trusted computer products, which are embodied in the Orange Book and Red Book. Published in the 1980s and 1990s and known as the Rainbow Series because of their colored covers for each topic, they have been largely superseded by the Common Criteria. See also NCSA.

Orange Book

The Orange Book contains the "Trusted Computer Systems Evaluation Criteria" (TCSEC), DOD Standard 5200.28.

Red Book (for networks)

The Red Book contains the "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria" (NCSC-TG-005) and "Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation" (NCSC-TG-011).

Level D

Systems are rated on a scale starting from D, which is not secure, to A, which is the most secure.

Level D is a non-secure system.

Level C

Level C provides discretionary access control (DAC). The owner of the data can determine who has access to it.

C1: Requires user login, but allows group ID.

C2: Requires individual user login with

password and an audit mechanism.

Levels B and A

Levels B and A provide mandatory access control (MAC). Access is based on standard DOD clearances. Each data structure contains a sensitivity level, such as top secret, secret and unclassified, and is available only to users with that level of clearance.

B1: DOD clearance levels.

B2: Guarantees path between user and the

security system. Provides assurances

that system can be tested and clearances

cannot be downgraded.

B3: System is characterized by a mathematical

model that must be viable.

A1: System is characterized by a mathematical

model that can be proven. Highest

security. Used in military computers.

European Ratings

The European Information Technology Security Evaluation Criteria (ITSEC) is similar to TCSEC, but rates functionality (F) and effectiveness (E) separately.

        Orange
        Book
        TCSEC   ITSEC
        D       E0
        C1      F-C1, E1
        C2      F-C2, E2
        B1      F-B1, E3
        B2      F-B2, E4
        B3      F-B3, E5
        A1      F-B3, E6

Download Computer Desktop Encyclopedia to your iPhone/iTouch

Search unanswered questions...

Enter a question here...
Search: All sources Community Q&A Reference topics

Wikipedia: ITSEC
Top
Home > Library > Miscellaneous > Wikipedia

The Information Technology Security Evaluation Criteria (ITSEC) is a structured set of criteria for evaluating computer security within products and systems. The ITSEC was first published in May 1990 in France, Germany, the Netherlands, and the United Kingdom based on existing work in their respective countries. Following extensive international review, Version 1.2 was subsequently published in June 1991 by the Commission of the European Communities for operational use within evaluation and certification schemes.

Since the launch of the ITSEC in 1990, a number of other European countries have agreed to recognize the validity of ITSEC evaluations.

The ITSEC has been largely replaced by Common Criteria, which provides similarly-defined evaluation levels and implements the target of evaluation concept and the Security Target document.

Concepts

The product or system being evaluated, called the target of evaluation, is subjected to a detailed examination of its security features culminating in comprehensive and informed functional and penetration testing. The degree of examination depends upon the level of confidence desired in the target. To provide different levels of confidence, the ITSEC defines evaluation levels, denoted E0 through E6. Higher evaluation levels involve more extensive examination and testing of the target.

Unlike earlier criteria, notably the TCSEC developed by the US defense establishment, the ITSEC did not require evaluated targets to contain specific technical features in order to achieve a particular assurance level. For example, an ITSEC target might provide authentication or integrity features without providing confidentiality or availability. A given target's security features were documented in a Security Target document, whose contents had to be evaluated and approved before the target itself was evaluated. Each ITSEC evaluation was based exclusively on verifying the security features identified in the Security Target.

External links

References

ITSEC (June 1991). Information Technology Security Evaluation Criteria (ITSEC): Preliminary Harmonised Criteria. Document COM(90) 314, Version 1.2. Commission of the European Communities. http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf. Retrieved on 2006-06-02. 


This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)

 
 
Learn More
Common Criteria (technology)
CTCPEC
VIRTE

Post a question - any question - to the WikiAnswers community:

 

Copyrights:

Computer Desktop Encyclopedia. THIS COPYRIGHTED DEFINITION IS FOR PERSONAL USE ONLY.
All other reproduction is strictly prohibited without permission from the publisher.
© 1981-2009 Computer Language Company Inc.  All rights reserved.  Read more
Wikipedia. This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article "ITSEC" Read more