Information Technology Security Evaluation Criteria
The Information Technology Security Evaluation Criteria (ITSEC; the German name translates as "criteria for assessing the security of information technology") is a European standard for the evaluation and certification of software and computer systems in terms of their functionality and reliability with regard to data and computer security. After France, West Germany and Great Britain each published their own criteria in 1989, the three countries and the Netherlands developed the common ITSEC standard. The first version was released in May 1990. The European Commission then published a revised version of the standard in June 1991. In terms of content, it is strongly based on the older German ITSK standard and thus offers a more differentiated classification than the American Orange Book (TCSEC). The ITSEC and TCSEC standards were combined in 1996 in the international Common Criteria standard.
In Germany, certification according to ITSEC is carried out by the Federal Office for Information Security, among others. Evaluation is based on the Information Technology Security Evaluation Methodology (ITSEM; in German, roughly: method for evaluating the security of information technology).
In contrast to the American Orange Book, the ITSEC (like the ITSK standard before it) differentiates between the assessment of functionality and of trustworthiness (quality), and trustworthiness is further divided into correctness and effectiveness. This results in three dimensions of evaluation. Only the first 5 of the 10 functionality classes form a hierarchical order:
|ITSEC F||BSI ITS F||meaning||TCSEC|
|F-C1||F1||Simple security, cooperative users||C1|
|F-C2||F2||Login mechanism, individual user data separated, (simple) logging||C2|
|F-B1||F3||Security model, rule-based protection levels||B1|
|F-B2||F4||Formal security model, secure data flow for authentication||B2|
|F-B3||F5||Reference monitor properties, formally verifiable||B3 / A|
Furthermore, there are functionality classes that relate to the consistency of data and the availability of services:
|ITSEC F||BSI ITS F||meaning|
|F-IN||F6||Rules to maintain the integrity and consistency of the data, type concept (especially for database systems: constraints and transactions)|
|F-AV||F7||Availability, error bridging, failure probability (precautions for power failure, redundant hardware, backups)|
There are also three classes of functionality that relate to the transmission of data (especially in networks):
|ITSEC F||BSI ITS F||meaning|
|F-DI||F8||Securing the integrity and authenticity of messages (electronic signature)|
|F-DC||F9||Securing the confidentiality of messages (encryption)|
|F-DX||F10||Requirements for secure networks|
When evaluating the quality (trustworthiness) of a computer system, a distinction is made between the effectiveness of the method and the correctness of the implementation.
Effectiveness describes the resistance of a protective mechanism against attempted circumvention. ITSEC distinguishes 3 levels; the ITSK made a more detailed distinction:
|-||not suitable||no protection||D|
|low||weak||only protection against accidental, unintentional violations of the security rules (easy to bypass)|
|medium||medium strength||Protection against intentional violations by attackers with limited opportunity and resources||C1-C2|
|strong||strong||good protection, can only be overcome with great effort||B1-B2|
|very strong||very good protection, can only be circumvented with a great deal of effort||B3-A|
|not surmountable||currently cannot be overcome, no known weak point|
The correctness of the implementation is assessed in 6 stages. In particular, the evaluation checks for program errors and for the extent to which the implementation actually realizes the previously evaluated method. In contrast to the BSI guideline ITSK, ITSEC does not combine effectiveness and trustworthiness, but treats the values separately.
|ITSEC E||CC EAL||BSI ITS Q||meaning||TCSEC|
|E1||EAL2||Q1||informal specification of the architecture, functional test, targeted attacks||C1|
|E2||EAL3||Q2||Additional informal description of the detailed design (detailed specification)||C2|
|E3||EAL4||Q3||Analysis of the source code or the hardware layout||B1|
|E4||EAL5||Q4||Formal security model, semi-formal detailed specification||B2|
|E5||EAL6||Q5||Detailed specification must be reproducible on the source code||B3|
|E6||EAL7||Q6||additional formal specification and analysis of the architecture (verification)||A|