This page offers a brief overview of the ITSEC criteria. Rycombe offers a number of services to companies undertaking secure product evaluations. See our Certification Support page for details, or Contact Us for more information.
Overview
The Information Technology Security Evaluation Criteria (ITSEC) are European-developed criteria. Their aim is to demonstrate conformance of a product or system (referred to in evaluation-speak as a target of evaluation, or TOE) against its Security Target. The TOE is evaluated as to whether it is both an effective and a correct implementation.
As can be seen from the summary requirements described here, achieving ITSEC certification can be a complex and time-consuming process, so why bother? Well, in certain sensitive application areas, the UK government for one will not buy a product unless it carries an ITSEC certificate. So, certain markets may be closed to your product unless it is certified. In addition, as an ITSEC evaluation is carried out by a third party (a commercial licensed evaluation facility, or CLEF), and as it is designed to demonstrate conformance to a set of security claims made about a product, it is an independent quality mark. Also, in some quarters, ITSEC certification is an effective marketing technique.
The process of an ITSEC evaluation is straightforward. The sponsor (typically the developer) of a TOE first appoints a CLEF. The CLEF then assesses the Security Target and produces a plan of work. A certifier is appointed and the evaluation can commence. The sponsor provides the evaluator with a complete set of deliverables and the evaluation assesses whether these satisfy the requirements of the criteria in terms of completeness, consistency and accuracy. If the evaluator is satisfied, a report is produced and this is submitted to the certifier for approval. If the certifier is satisfied, a certification report is produced and an ITSEC certificate is awarded.
The responsibilities of a Sponsor are several. The sponsor must fund the evaluation, paying for both the CLEF effort and that of the certifier. The sponsor must produce an appropriate set of deliverables and must provide the evaluator and certifier with any reasonable support that they require in the course of the evaluation.
Security Target
The Security Target document is key to any evaluation. This document describes the security functionality offered by the TOE, along with a description of the environment that the TOE is intended to operate in. In the case of a system, the Security Target contains a System Security Policy (rules of operation tailored to a specific operating environment). In addition, the Security Target contains the target evaluation level. There are six evaluation levels, from E1 up to E6. The higher the level, the more detail and rigour are required in the deliverables. The purpose of the other deliverables is to demonstrate that the security claims made in the Security Target are correctly and effectively realised.
Effectiveness
The effectiveness requirements are the same at all six evaluation levels. The Suitability Analysis demonstrates that the security functionality of the TOE is capable of satisfying the security claims. The Binding Analysis demonstrates that the security functions of the TOE are mutually supportive in satisfying the security claims of the TOE. The Ease of Use analysis demonstrates that it is not possible to operate the TOE in an insecure manner whilst believing it to be operating securely. The Construction Vulnerabilities analysis investigates vulnerabilities in constructing the TOE, and the Operational Vulnerabilities analysis similarly investigates vulnerabilities in operating the TOE.
Correctness
The correctness deliverables may be more familiar to developers than the effectiveness deliverables. The Architectural Design is a top-level design document identifying the basic structure of the TOE, its external interfaces and its separation into major hardware and software components. It is particularly important that the Architectural Design describes the separation between security-enforcing and other components. The Detailed Design is a refinement of the Architectural Design of the TOE to a level of detail that can be used as a basis for implementation. The Detailed Design identifies all security-enforcing components. The Implementation deliverables test that the security claims refined in the Detailed Design are implemented correctly. They also include full source code and hardware drawings of the TOE.
Additional correctness deliverables include the Development Environment deliverables (Configuration Control, Programming Languages and Compilers, and Developers' Security); the Operational Documentation (User Documentation and Administration Documentation); and the Operational Environment deliverables (Delivery and Configuration, and Start-up and Operation).
Links
There is a comprehensive ITSEC site at www.itsec.gov.uk.