ITSEC?

Jeremy Mineweaser Jeremym at area1s220.residence.gatech.edu
Thu Jan 18 07:03:33 PST 1996


At 10:32 AM 1/18/96 -0000, Juan D. Sandoval wrote:

>does anyone know where I can get info on Information Technology 
>Secure Evaluation Criteria (ITSEC)?

Here's what I found:

------------------------>
Excerpted from _Computer_Security_Handbook,_Third_Edition_ by Hutt,
Bosworth, & Hoyt
(C) 1995 by John Wiley and Sons:

(d) European and Canadian Security Standards.  
        Since its original publication in 1983, the TCSEC has greatly
influenced It security.  It is widely recognized as a yardstick for
evaluating products in relation to security features and assurances needed
to support security objectives.  TCSEC has also influenced the development
of other documents both in the US and abroad, forming a foundation of
second-generation requirements.
        In 1991, the European Community adopted the Information Technology
Security Evaluation Criteria (ITSEC) for a two year trial period.  The ITSEC
approach uses "Security Targets" for expressing security functionality
profiles.  ITSEC was builtin upon various national initiatives, including
the TCSEC, and represents a /harmonized/ effort among Franfce, Germany, the
Netherlands, and the United Kingdom.

------------------------>
A quick search of INSPEC (described below) turned up some useful results, as
well.

INSP (INSPEC) 
        Citations and abstracts of articles in physics, electronics,
engineering, computer and information technology journals. 

A keyword search for ITSEC revealed 30+ documents related to IT and systems
security measures.  The citation below seemed the most useful:

        Sizer, R.  "Information technology security evaluation criteria
(ITSEC)."  _Computer_Bulletin_, vol.5, pt.5, p.7.  Oct. 1993.   ISSN:
00104531 ;;gtec.  Keywords: data integrity. data privacy. security of data.
Class codes: C0310D. C6130S.  Date indexed: 12/93.

Abstract:
        The insecurity of IT systems (typified by unauthorised access) is a
complex and increasingly aggravating social problem. All sectors of
society-commerce, industry, government (local and national) and domestic are
at risk. People who have the responsibility for choosing, installing or
using IT systems have faced considerable difficulty in choosing IT security
products purporting to provide a 'secure environment' employing technical
security mechanisms in hardware and software. The problem has, in the main,
been the highly subjective claims for, and interpretation of, those security
mechanisms. The ITSEC criteria involve the independent evaluation of IT
products and systems (hardware and software) which claim security features.
Security includes confidentiality, integrity and availability

------------------------>

This citation may also be useful, but the text of the paper is in German.

        Peleska, J. and Reichel, H. of Deutsche Syst.-Tech. GmbH, Kiel,
Germany.  "Formal specification of generic ITSEC functionality classes."
_Informatik_-_Wirtschaft_-_Gesellschaft_ (Informatics - Economy - Society).
p.354-64, 1993.  ISSN: 3540571922;;gtec.  Conference: Informatik Wirtschaft
Gesellschaft (Informatics, Economy, Society), Dresden, Germany, 27 Sept.-1
Oct. 1993.  Keywords: formal specification. software quality. standards.
Class. Codes: C6110B.  Date Indexed:  10/94.

Abstract:
        On the basis of the formal specification, the consistency of
specification of a concrete product to the ITSEC standards is not only
informally motivatable, but also mathematically provable. In this way, the
objective visability, quality and efficiency of the evaluation process are
increased. For the evaluation of products at Stage E6, use of the described
concepts (or of comparable ones) is indispensable

------------------------>

I have access via my local library to the first document (the actual ITSEC
specification) but not to the second.  You should be able to find the
_Computer_Bulletin_ at most universities with CS majors.

Hope this helps,

Jeremy
---
   Jeremy Mineweaser     | GCS/E d->-- s:- a--- C++(+++)$ ULC++(++++)>$ P+>++$
 j.mineweaser at ieee.org   | L+>++ E-(---)  W++ N+  !o-- K+>++  w+(++++) O-  M--
                         | V-(--) PS+(--) PE++ Y++>$ PGP++>+++$ t+() 5 X+ R+()
    *ai*vr*vx*crypto*    | tv(+)  b++>+++ DI+(++)  D+  G++ e>+++  h-() r-@ !y-







More information about the cypherpunks-legacy mailing list