【英文标准名称】:Informationtechnology-Securitytechniques-EvaluationcriteriaforITsecurity-Introductionandgeneralmodel
【原文标准名称】:信息技术.安全技术.IT安全性评价准则.介绍和一般模式
【标准号】:BSISO/IEC15408-1-1999
【标准状态】:作废
【国别】:英国
【发布日期】:2000-02-15
【实施或试行日期】:2000-02-15
【发布单位】:英国标准学会(GB-BSI)
【起草单位】:BSI
【标准类型】:()
【标准水平】:()
【中文主题词】:消费者;验收(鉴定);数据存储保护;信息交流;质量保证;资产;选择;数据处理;数据安全
【英文主题词】:definitions;informationexchange;datasecurity;definition;informationtechnology;dataprotection;datatransmission;models;confidenceintervals;dataprocessing;levelofconfidence;safety;informationinterchange
【摘要】:ThismultipartstandardISO/IEC15408definescriteria,whichforhistoricalandcontinuitypurposesarereferredtohereinastheCommonCriteria(CC),tobeusedasthebasisforevaluationofsecuritypropertiesofITproductsandsystems.Byestablishingsuchacommoncriteriabase,theresultsofanITsecurityevaluationwillbemeaningfultoawideraudience.TheCCwillpermitcomparabilitybetweentheresultsofindependentsecurityevaluations.ItdoessobyprovidingacommonsetofrequirementsforthesecurityfunctionsofITproductsandsystemsandforassurancemeasuresappliedtothemduringasecurityevaluation.Theevaluationprocessestablishesalevelofconfidencethatthesecurityfunctionsofsuchproductsandsystemsandtheassurancemeasuresappliedtothemmeettheserequirements.TheevaluationresultsmayhelpconsumerstodeterminewhethertheITproductorsystemissecureenoughfortheirintendedapplicationandwhetherthesecurityrisksimplicitinitsusearetolerable.TheCCisusefulasaguideforthedevelopmentofproductsorsystemswithITsecurityfunctionsandfortheprocurementofcommercialproductsandsystemswithsuchfunctions.Duringevaluation,suchanITproductorsystemisknownasaTargetofEvaluation(TOE).SuchTOEsinclude,forexample,operatingsystems,computernetworks,distributedsystems,andapplications.TheCCaddressesprotectionofinformationfromunauthoriseddisclosure,modification,orlossofuse.Thecategoriesofprotectionrelatingtothesethreetypesoffailureofsecurityarecommonlycalledconfidentiality,integrity,andavailability,respectively.TheCCmayalsobeapplicabletoaspectsofITsecurityoutsideofthesethree.TheCCconcentratesonthreatstothatinformationarisingfromhumanactivities,whethermaliciousorotherwise,butmaybeapplicabletosomenon-humanthreatsaswell.Inaddition,theCCmaybeappliedinotherareasofIT,butmakesnoclaimofcompetenceoutsidethestrictdomainofITsecurity.TheCCisapplicabletoITsecuritymeasuresimplementedinhardware,firmwareorsoftware.Whereparticularaspectsofevaluationareintendedonlytoapplytocertainmethodsofimplementation,thiswillbeindicatedwithintherelevantcriteriastatements.Certaintopics,becausetheyinvolvespecialisedtechniquesorbecausetheyaresomewhatperipheraltoITsecurity,areconsideredtobeoutsidethescopeoftheCC.Someoftheseareidentifiedbelow.a)TheCCdoesnotcontainsecurityevaluationcriteriapertainingtoadministrativesecuritymeasuresnotrelateddirectlytotheITsecuritymeasures.However,itisrecognisedthatasignificantpartofthesecurityofaTOEcanoftenbeachievedthroughadministrativemeasuressuchasorganisational,personnel,physical,andproceduralcontrols.AdministrativesecuritymeasuresintheoperatingenvironmentoftheTOEaretreatedassecureusageassumptionswherethesehaveanimpactontheabilityoftheITsecuritymeasurestocountertheidentifiedthreats.b)TheevaluationoftechnicalphysicalaspectsofITsecuritysuchaselectromagneticemanationcontrolisnotspecificallycovered,althoughmanyoftheconceptsaddressedwillbeapplicabletothatarea.Inparticular,theCCaddressessomeaspectsofphysicalprotectionoftheTOE.c)TheCCaddressesneithertheevaluationmethodologynortheadministrativeandlegalframeworkunderwhichthecriteriamaybeappliedbyevaluationauthorities.However,itisexpectedthattheCCwillbeusedforevaluationpurposesinthecontextofsuchaframeworkandsuchamethodology.d)TheproceduresforuseofevaluationresultsinproductorsystemaccreditationareoutsidethescopeoftheCC.ProductorsystemaccreditationistheadministrativeprocesswherebyauthorityisgrantedfortheoperationofanITproductorsysteminitsfulloperationalenvironment.EvaluationfocusesontheITsecurityparts
【中国标准分类号】:L70
【国际标准分类号】:35_040
【页数】:64P.;A4
【正文语种】:英语