Security Evaluation and Testing — Past, Present and Future
IT Security Evaluation started with the US DoD Trusted Computer Security Evaluation Criteria — commonly known as ‘The Orange Book’ — in 1983. This was the original and seminal work in this field. Even though it was based on research conducted in the late 1970s (the Bell-LaPadula Model), it remained the predominant standard for some 10 years until it was overtaken by the European IT Security Evaluation Criteria (ITSEC). The need for a common international standard drove the development of the Common Criteria, which has now been the predominant standard for 10 years.
CC has never penetrated the non-Defence marketplace and, with the growing interest in Information Security in relation to corporate governance, there is an increasing need for independent commercial assurance. In the UK this gap has been filled by the CSIA Claims Tested (CCT) Mark.
In the future it is expected that the trend will be towards holistic, through-life assurance, rather than a specific concentration on product evaluation, possibly in line with the evolving UK Assurance model.
Keywords: Corporate Governance, Intrusion Detection, National Security, Penetration Testing, Common Criterion
- Bell-LaPadula Model: Secure Computer Systems: Mathematical Foundations (1973); Secure Computer Systems: Unified Exposition and MULTICS Interpretation (1976), MITR-2997, by David E. Bell and Leonard J. LaPadula
- Biba Integrity Model: Integrity Considerations for Secure Computer Systems, MITR-3153, by K. J. Biba (1977)
- Brewer and Nash Model: The Chinese Wall Security Policy by D. F. C. Brewer and M. J. Nash (IEEE Symposium on Security and Privacy, 215–228, 1989)
- Clark-Wilson Model: A Comparison of Commercial and Military Computer Security Policies by David D. Clark and David R. Wilson (1987 IEEE Symposium on Security and Privacy)
- CSIA Claims Tested (CCT) Mark: www.cctmark.gov.uk
- ITSEC: Information Technology Security Evaluation Criteria (ITSEC): Preliminary Harmonised Criteria, COM (90)314, Version 1.2 (1991)
- TCSEC: Department of Defence Trusted Computer Security Evaluation Criteria, DoD 5200-28-STD (1985)
- TigerScheme: www.tigerscheme.org
- UKAS: United Kingdom Accreditation Service — www.ukas.com