Common Criteria for information technology security
The Common Criteria for Information Technology Security Evaluation (hereinafter referred to as the Common Criteria) are the result of joint efforts by the authors of the European Information Technology Security Criteria, the Federal Information Technology Security Criteria and the Canadian Computer System Security Criteria to combine the main provisions of these documents and create a single international information technology security standard. Work on this project, the largest in the history of information security standards, began in June 1993 in order to overcome the conceptual and technical differences between these documents and harmonize them. Version 2.1 of this standard was approved by the International Organization for Standardization (ISO) in 1999 as the international information security standard ISO/IEC 15408. In the Russian Federation, the standard is in force as GOST R ISO/IEC 15408.
The Common Criteria maintain compatibility with existing standards and develop them by introducing new concepts that correspond to the current level of information technology development and the integration of national information systems into a single global information space.
This document was developed based on the achievements of numerous studies in the field of information technology security in the 1990s and on the results of an analysis of the experience of applying the standards underlying it. The Common Criteria operate on the concept of an information technology product, or IT product, already familiar from the Federal Criteria, and use the concept of a Protection Profile proposed in them.
The Common Criteria were developed to satisfy the needs of three groups of specialists who are equally users of this document: manufacturers and consumers of information technology products, and experts on the qualification of their security level.
Stakeholders can define the product's security functionality using standard Protection Profiles and independently select an assessment level of security confidence from a set of seven increasing levels, numbered from 1 to 7.
Consumers consider IT product security level qualification as a method of determining whether an IT product meets their needs. These needs are usually based on the results of a risk analysis and the selected security policy. The Common Criteria play an essential role in formulating consumer needs, as they contain mechanisms that allow them to be expressed as standardized requirements. This allows consumers to make an informed decision about the possibility of using certain products. Finally, the Common Criteria provide consumers with the Protection Profile mechanism, through which they can express their specific requirements without worrying about the mechanisms for their implementation.
Manufacturers should use the Common Criteria during the design and development of IT products, as well as to prepare for qualification analysis and certification.
This document allows manufacturers, based on an analysis of consumer requests, to determine a set of requirements that the product they are developing should meet.
Manufacturers use the technology proposed by the Common Criteria to substantiate their claims that the IT product they supply successfully resists security threats, on the grounds that it meets the functional requirements put forward and that these are implemented with a sufficient level of adequacy. To implement this technology, the Common Criteria offer manufacturers a special mechanism called the Protection Project, which complements the Protection Profile and combines the descriptions of the requirements that guided the developer with the specifications of the mechanisms that implement those requirements.
In addition, manufacturers can use Common Criteria to determine the boundaries of their responsibility, as well as the conditions that must be met for successful qualification analysis and certification of the product they have created.
Qualification experts use this document as the main criteria for determining whether the security tools of an IT product meet the requirements imposed on them by consumers and by the threats present in its operating environment.
The Common Criteria describe only the general scheme of qualification analysis and certification, but do not regulate the procedure for their implementation. A separate document is devoted to the methodology of qualification analysis and certification: "General methodology for assessing the security of information technologies".
Thus, the Common Criteria provide regulatory support for the process of selecting an IT product that is required to function under certain threats, serve as guidance for developers of such systems, and regulate the technology of their creation and the procedure for assessing the level of security provided.
The Common Criteria consider information security as the combination of confidentiality and integrity of the information processed by an IT product and the availability of computing system resources, and set the task of countering the threats relevant to the product's operating environment and implementing the security policy adopted in that environment.
The Common Criteria regulate all stages of development, qualification analysis and operation of IT products using the scheme of the Federal Criteria. They prescribe a rather complex process of development and qualification analysis of IT products, requiring consumers and manufacturers to compile and execute very voluminous and detailed regulatory documents.
Protection Tasks are the basic concept of the Common Criteria; they express the need of consumers of an IT product to confront a given set of security threats or the need to implement a security policy.
The Protection Profile is a special regulatory document that represents a set of Protection Tasks, functional requirements, adequacy requirements and their justification. It serves as a guide for the IT product developer when creating a Protection Project.
The Protection Project is a special regulatory document that represents a set of Protection Tasks, functional requirements, adequacy requirements, general specifications of security tools and their justification.
Catalog of functional classes:
audit,
communication (confirmation of receipt/transmission of information),
cryptographic support,
user data protection (confidentiality, integrity, availability),
identification and authentication,
security management,
privacy (confidentiality of work in the system),
reliability of security tools,
control over the use of resources,
access control to the evaluation object,
trusted route/channel (direct interaction).
Security assurance (adequacy) requirements:
project management,
distribution,
development,
documentation,
development process,
testing,
protection analysis.
The Common Criteria contain a set of predefined assessment levels of security confidence, made up of components of families of security assurance requirements.
These levels are designed:
to achieve compatibility with the original criteria;
to provide the consumer with packages of general-purpose components.
To achieve specific goals, the level can be enhanced with additional components.
OUB1 - functional testing (corresponds to the American TCSEC - D, European ITSEC - E1).
OUB2 - structural testing (C1, E2).
OUB3 - methodical testing and verification (C2, E3).
OUB4 - methodical design, testing and review (B1, E4).
OUB5 - semi-formal design and testing (B2, E5).
OUB6 - semi-formal project verification and testing (B3, E6).
OUB7 - formal project verification and testing (A1, E7).
The equivalence is indicated only in general terms; there is no exact match, because the approaches differ.
According to the Common Criteria, information technology security can be achieved through the application of the proposed technology for the development, certification and operation of IT products.
The Common Criteria define a variety of standard requirements, which, together with the Protection Profile mechanism, allow consumers to create private sets of requirements that meet their needs. Developers can use the Protection Profile as a basis for creating specifications for their products. The Protection Profile and the specifications of the security tools make up the Protection Project, which represents the IT product during the qualification analysis.
Qualification analysis can be carried out both in parallel with the development of an IT product, and after its completion. To conduct a qualification analysis, the product developer must submit the following materials:
a Protection Profile describing the purpose of the IT product and characterizing its operating environment, as well as setting the Protection Tasks and requirements that the product must meet;
a Protection Project that includes specifications of security tools, as well as a justification for the compliance of the IT product with the Protection Tasks from the Protection Profile and the requirements of the Common Criteria specified in it;
various justifications and confirmations of the properties and capabilities of the IT product received by the developer;
the IT product itself;
additional information obtained through various independent examinations.
The qualification analysis process includes three stages:
1. Analysis of the Protection Profile for its completeness, consistency, feasibility and the possibility of using it as a set of requirements for the analyzed product.
2. Analysis of the Protection Project for its compliance with the requirements of the Protection Profile, as well as completeness, consistency, feasibility and the possibility of using it as a reference in the analysis of an IT product.
3. Analysis of the IT product for compliance with the Protection Project.
The result of the qualification analysis is the conclusion that the analyzed IT product corresponds to the submitted Protection Project. The conclusion consists of several reports, differing in level of detail and containing the opinion of the qualification experts about the IT product based on the qualification criteria of the Common Criteria.
The use of qualification analysis and certification leads to an improvement in the quality of manufacturers' work in the process of designing and developing IT products. In products that have passed the security level qualification, the probability of errors, security flaws and vulnerabilities is significantly lower than in conventional products. All this suggests that the application of the Common Criteria has a positive and constructive impact on the process of requirements formation, IT product development, the product itself and its operation.
Thus, the Common Criteria for information technology security are the result of a generalization of all the achievements of recent years in the field of information security. For the first time, a document of this level contains sections addressed to consumers, manufacturers and experts on the qualification of IT products.
The developers of the Common Criteria continued the work of the Federal Criteria aimed at eliminating a single security scale and increasing the flexibility of the proposed solutions by introducing partially ordered scales, so that consumers and manufacturers have additional opportunities to select requirements and adapt them to their application tasks.
This standard pays special attention to the adequacy of the implementation of functional requirements, which is ensured both by independent testing and analysis of an IT product and by the use of appropriate technologies at all stages of its design and implementation.
Thus, the requirements of the Common Criteria cover almost all aspects of the security of IT products and the technology of their creation, and also contain all the source materials necessary for consumers and developers to form Protection Profiles and Protection Projects.
In addition, the requirements of the Common Criteria are an almost comprehensive encyclopedia of information security, so they can be used as a reference for information technology security.
This standard marked a new level of standardization of information technologies, raising it to the interstate level. Behind this, there is a real prospect of creating a single secure information space in which the certification of the security of information processing systems will be carried out at the global level, which will provide opportunities for the integration of national information systems.