Information Technology Security Evaluation Criteria

from Wikipedia, the free encyclopedia

The Information Technology Security Evaluation Criteria (ITSEC; in German roughly: criteria for assessing the security of information technology) is a European standard for the evaluation and certification of software and computer systems in terms of their functionality and reliability with regard to data and computer security. After France, West Germany and Great Britain had each published their own criteria in 1989, the three countries and the Netherlands developed the common ITSEC standard. The first version was released in May 1990; a revised version was published by the European Commission in June 1991. In terms of content it draws heavily on the older German ITSK standard and therefore offers a more finely graded classification than the American Orange Book (TCSEC). In 1996 the ITSEC and TCSEC standards were merged into the international Common Criteria standard.

In Germany, certification according to ITSEC is carried out by the Federal Office for Information Security (BSI), among others. Evaluation follows the Information Technology Security Evaluation Methodology (ITSEM; in German roughly: method for evaluating the security of information technology).

Functionality classes

In contrast to the American Orange Book, ITSEC (like the ITSK standard before it) distinguishes between the assessment of functionality and the assessment of trustworthiness (quality), and trustworthiness is in turn split into correctness and effectiveness. This yields three dimensions of evaluation. Of the 10 functionality classes in total, only the first 5 form a hierarchical order:

ITSEC F | BSI ITS F | meaning | TCSEC
------- | --------- | ------- | -----
F-C1 | F1 | Simple security, cooperative users | C1
F-C2 | F2 | Login mechanism, individual user data separated, (simple) logging | C2
F-B1 | F3 | Security model, rule-based protection levels | B1
F-B2 | F4 | Formal security model, secure data flow for authentication | B2
F-B3 | F5 | Reference monitor properties, formally verifiable | B3 / A

Furthermore, there are functionality classes that relate to the consistency of data and the availability of services:

ITSEC F | BSI ITS F | meaning
------- | --------- | -------
F-IN | F6 | Rules to maintain the integrity and consistency of the data, type concept (especially for database systems: constraints and transactions)
F-AV | F7 | Availability, error bridging, failure probability (precautions for power failure, redundant hardware, backups)

There are also three classes of functionality that relate to the transmission of data (especially in networks ):

ITSEC F | BSI ITS F | meaning
------- | --------- | -------
F-DI | F8 | Securing the integrity and authenticity of messages (electronic signature)
F-DC | F9 | Securing the confidentiality of messages (encryption)
F-DX | F10 | Requirements for secure networks

Quality classes

When evaluating the quality (trustworthiness) of a computer system, a distinction is made between the effectiveness of the method and the correctness of the implementation.

Effectiveness describes how well a protective mechanism resists attempts to circumvent it. ITSEC distinguishes 3 levels; the ITSK made a finer distinction:

ITSEC | ITSK | meaning | TCSEC
----- | ---- | ------- | -----
- | not suitable | no protection | D
low | weak | protection only against accidental, unintentional violations of the security rules (easy to bypass) |
medium | medium strength | protection against intentional violations by attackers with limited opportunity and resources | C1-C2
strong | strong | good protection, can only be overcome with great effort | B1-B2
- | very strong | very good protection, can only be circumvented with a very great deal of effort | B3-A
- | not surmountable | currently cannot be overcome, no known weak point |

The correctness of the implementation is assessed in 6 levels. In particular, the evaluation checks for program errors and the extent to which the implementation actually realises the previously evaluated method. In contrast to the BSI guideline ITSK, ITSEC does not combine effectiveness and correctness into a single value but treats the two separately:

ITSEC E | Common Criteria EAL | ITSK Q | meaning | TCSEC
------- | ------------------- | ------ | ------- | -----
E0 | - | Q0 | ineffective | D
E1 | EAL2 | Q1 | informal specification of the architecture, functional test, targeted attacks | C1
E2 | EAL3 | Q2 | additional informal description of the detailed design (detailed specification) | C2
E3 | EAL4 | Q3 | analysis of the source code or the hardware layout | B1
E4 | EAL5 | Q4 | formal security model, semi-formal detailed specification | B2
E5 | EAL6 | Q5 | detailed specification must be traceable to the source code | B3
E6 | EAL7 | Q6 | additional formal specification and analysis of the architecture (verification) | A
