Select Page

Product Evaluation Models

CISSP

TCSEC (Trusted Computer System Evaluation Criteria)

  • Also Known As: The Orange Book.
  • Developed By: U.S. Department of Defense (DoD).
  • Focus: Evaluates operating systems, applications, and systems, with an emphasis on confidentiality. It does not address network security.
  • Evaluation Levels:
    • D: Minimal protection; systems that fail higher levels.
    • C1: Discretionary Access Control (DAC) with identification, authentication, and resource protection.
    • C2: DAC with controlled access protection, object reuse, and protection of the audit trail.
    • B1: Mandatory Access Control (MAC) with security labels, based on the Bell-LaPadula model. Includes process isolation and device security.
    • B2: MAC with structured protection, including trusted paths, covert channel analysis, and separate operator/admin roles. Includes configuration management.
    • B3: MAC with security domain features, trusted recovery, and event monitoring.
    • A: MAC with formal, verified protection.
  • Operational Assurance Requirements:
    • System Architecture
    • System Integrity
    • Covert Channel Analysis
    • Trusted Facility Management
    • Trusted Recovery
  • Rainbow Series: A series of related documents, each identified by a different color:
    • Red Book: Trusted Network.
    • Orange Book: TCSEC Evaluation.
    • Brown Book: Trusted Facilities Management.
    • Tan Book: Audit.
    • Aqua Book: Glossary.
    • Green Book: Password Management.

ITSEC (Information Technology Security Evaluation Criteria)

  • Usage: Primarily in Europe; not used in the USA.
  • Focus: Addresses confidentiality, integrity, and availability (CIA).
  • Distinct Features:
    • Evaluates: Functionality and assurance separately.
    • Assurance Levels: Range from E0 (lowest) to E6 (highest).
    • Functionality Levels: Range from F1 (lowest) to F10 (highest).
    • Flexibility: A system can have high functionality with low assurance or vice versa.

These models are essential for understanding how different systems are evaluated for security, with TCSEC focusing primarily on confidentiality and ITSEC providing a broader evaluation of CIA with separate assessments of functionality and assurance.

Latest Post:

Pin It on Pinterest