Security Evaluation and Testing — Past, Present and Future

  • Peter Fischer


IT security evaluation started with the US DoD Trusted Computer System Evaluation Criteria (TCSEC), commonly known as 'The Orange Book', in 1983. This was the original and seminal work in the field. Even though it was based on research conducted in the 1970s (the Bell-LaPadula model, 1973–76), it remained the predominant standard for some 10 years until overtaken by the European Information Technology Security Evaluation Criteria (ITSEC). The need for a common international standard drove the development of the Common Criteria (CC), which has now been the predominant standard for 10 years.

CC has never penetrated the non-Defence marketplace and, with the growing interest in information security in relation to corporate governance, there is an increasing need for independent commercial assurance. In the UK this gap has been filled by the CSIA (Central Sponsor for Information Assurance) Claims Tested (CCT) Mark.

In future the trend is expected to be towards holistic, through-life assurance rather than a specific concentration on product evaluation, possibly in line with the evolving UK assurance model.






References

  1. Bell-LaPadula Model: D. E. Bell and L. J. LaPadula, Secure Computer Systems: Mathematical Foundations (1973); Secure Computer Systems: Unified Exposition and Multics Interpretation, MTR-2997 (1976)
  2. Biba Integrity Model: K. J. Biba, Integrity Considerations for Secure Computer Systems, MTR-3153 (1977)
  3. Brewer and Nash Model: D. F. C. Brewer and M. J. Nash, The Chinese Wall Security Policy, IEEE Symposium on Security and Privacy, 215–228 (1989)
  4. Clark-Wilson Model: D. D. Clark and D. R. Wilson, A Comparison of Commercial and Military Computer Security Policies, IEEE Symposium on Security and Privacy (1987)
  5. CSIA Claims Tested (CCT) Mark
  6. ITSEC: Information Technology Security Evaluation Criteria (ITSEC): Provisional Harmonised Criteria, COM(90) 314, Version 1.2 (1991)
  7. TCSEC: Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD (1985)
  8. TigerScheme: www.tigerscheme.org
  9. UKAS: United Kingdom Accreditation Service, www.ukas.com

Copyright information

© Friedr. Vieweg & Sohn Verlag | GWV Fachverlage GmbH, Wiesbaden 2007

Authors and Affiliations

  • Peter Fischer, Vizuri Ltd, London