Abstract
This paper presents the results of five key European Union-sponsored projects in the field of information security within the framework of the EC’s INFOSEC programme, and on the basis of findings within those projects takes a critical look at evaluation criteria in the context of their rôle in supporting overall service and system security assessment and assurance.
A proposed model for System Accreditation and its developments towards a general solution for assessing complex systems are described. Both desk studies and practical application of the concepts to real problems are considered.
The ITSEC is examined in the light of the defined commercial requirements for system accreditation and against the assurance needs of complex services and systems, as exemplified by telecommunications services in particular. This examination covers, inter alia, the scoping of ITSEC, the suitability of its outputs for re-use in other evaluations or assessment processes (e.g. System Accreditation), and its flexibility for use in a commercial domain.
The authors offer the tenet that whilst Evaluation may be a valuable process for assessing simple products, it is insufficiently flexible for the evaluation of complex subjects/targets and has too restricted a scope to be the basis for any true system or service assessment, for which broader and more flexible processes are required, principally System Accreditation. Evaluation criteria as presently conceived can, at best, support and contribute to these processes.
The paper concludes with a short review of some available options for realisation of a practical and commercially acceptable assurance scheme incorporating ITSEC, and of actions which could stimulate progress in this area.
References
E2307 (1995). EC ENS project "Legal and Security Issues in Trans-Border Telematic Applications".
ITSEC (1991). Information Technology Security Evaluation Criteria, Version 1.2, Provisional Harmonised Criteria.
ITSEM (1993). Information Technology Security Evaluation Manual, Version 1.0, Provisional Harmonised Methodology.
S2012 (1993). EC INFOSEC project "ITSEC - Commercial Accreditation of IT Systems": Final Report.
S2109 (1994). EC INFOSEC project "Security Evaluations and Communications Systems": Final Report.
S2114 (1994). EC INFOSEC project "EAGLE - Re-use and Re-evaluations": Final Report.
S2301 (1995). EC INFOSEC project "ebridge": Final Report.
S2302 (1995). EC INFOSEC project "BOLERO": "Identification of Targets of Assessment".
© 1996 IFIP International Federation for Information Processing
Wilsher, R.G., Kurth, H. (1996). Security Assurance in Information Systems. In: Katsikas, S.K., Gritzalis, D. (eds) Information Systems Security. SEC 1996. IFIP Advances in Information and Communication Technology. Springer, Boston, MA. https://doi.org/10.1007/978-1-5041-2919-0_7
DOI: https://doi.org/10.1007/978-1-5041-2919-0_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-5041-2921-3
Online ISBN: 978-1-5041-2919-0