Abstract
IT security certification and IT security evaluation criteria have changed in character compared with the first efforts roughly 20 years ago, and they have gained more interest in civilian and commercial application areas. This paper therefore compares them with earlier criticism and with the new challenges in IT security. After an introduction to the concept of security certification, the established IT security certification schemes and the related criteria are presented. Their weaknesses and problems are then described, in particular with regard to today's security requirements. Improvements to the criteria and the certification systems are presented, and suggestions are made for using current certification and evaluation schemes despite their shortcomings.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35515-3_53
Copyright information
© 2000 IFIP International Federation for Information Processing
Cite this paper
Rannenberg, K. (2000). IT Security Certification and Criteria. In: Qing, S., Eloff, J.H.P. (eds) Information Security for Global Information Infrastructures. SEC 2000. IFIP — The International Federation for Information Processing, vol 47. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35515-3_1
DOI: https://doi.org/10.1007/978-0-387-35515-3_1
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5479-7
Online ISBN: 978-0-387-35515-3