- Trusted Computer System Evaluation Criteria
Trusted Computer System Evaluation Criteria (TCSEC) is a
United StatesGovernment Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer securitycontrols built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.
The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD "
Rainbow Series" publications. Initially issued by the National Computer Security Center(NCSC) an arm of the National Security Agencyin 1983 and then updated in 1985, TCSEC was replaced with the development of the Common Criteriainternational standard originally published in 2005.
TCSEC Fundamental Objectives/Requirements
The security policy must be explicit, well-defined and enforced by the computer system. There are two basic security policies:
* Mandatory Security Policy - Enforces
access controlrules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
** Marking - Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
* Discretionary Security Policy - Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.
Individual accountability regardless of policy must be enforced. A secure means must exist to ensure the access of an authorized and competent agent which can then evaluate the accountability information within a reasonable amount of time and without undue difficulty. There are three requirements under the accountability objective:
* Identification - The process used to recognize an individual user.
* Authentication - The verification of an individual user's authorization to specific categories of information.
* Auditing - Audit information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.
The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the above requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:
* Assurance Mechanisms
** Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management and Trusted Recovery
** Life-cycle Assurance : Security Testing, Design Specification and Verification, Configuration Management and Trusted Distribution
* Continuous Protection Assurance - The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes.
Within each class there is additional documentation set which addresses the development, deployment and management of the system rather than its capabilities. This documentation includes:
* Security Features User's Guide, Trusted Facility Manual, Test Documentation and Design Documentation
Divisions and Classes
The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.
D — Minimal Protection
* Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division.
C — Discretionary Protection
* C1 — Discretionary Security Protection
** Separation of users and data
** Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
* C2 — Controlled Access Protection
** More finely grained DAC
** Individual accountability through login procedures
** Audit trails
** Resource isolation
** Required System Documentation and user manuals.
B — Mandatory Protection
* B1 — Labeled Security Protection
** Informal statement of the security policy model
** Data sensitivity labels
** Mandatory Access Control (MAC) over select subjects and objects
** Label exportation capabilities
** All discovered flaws must be removed or otherwise mitigated
* B2 — Structured Protection
**Security policy model clearly defined and formally documented
** DAC and MAC enforcement extended to all subjects and objects
** Covert storage channels are analyzed for occurrence and bandwidth
** Carefully structured into protection-critical and non-protection-critical elements
** Design and implementation enable more comprehensive testing and review
** Authentication mechanisms are strengthened
** Trusted facility management is provided with administrator and operator segregation
** Strict configuration management controls are imposed
* B3 — Security Domains
** Structured to exclude code not essential to security policy enforcement
** Significant system engineering directed toward minimizing complexity
** A security administrator is supported
** Audit security-relevant events
** Automated imminent
intrusion detection, notification, and response
** Trusted system recovery procedures
** Covert timing channels are analyzed for occurrence and bandwidth
** An example of such a system is the XTS-300, a precursor to the
A — Verified Protection
* A1 — Verified Design
** Functionally identical to B3
** Formal design and verification techniques including a formal top-level specification
** Formal management and distribution procedures
** An example of such a system is SCOMP, a precursor to the
* Beyond A1
** System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the
Trusted Computing Base(TCB).
** Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications.
** Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
** Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.
Matching classes to environmental requirements
[http://www.fas.org/irp/doddir/army/r380_19.pdf Army Regulation 380-19] is an example of a guide to determining which system class should be used in a given situation.
* AR 380-19 superseded by AR 25-2
Trusted Platform Module
* [http://nsi.org/Library/Compsec/orangebo.txt National Security Institute - 5200.28-STD "Trusted Computer System Evaluation Criteria"]
* [http://www.fas.org/irp/nsa/rainbow/std001.htm FAS IRP DOD Trusted Computer System Evaluation Criteria DOD 5200.28 ]
Wikimedia Foundation. 2010.
Look at other dictionaries:
Trusted Computer System Evaluation Criteria — TCSEC (Trusted Computer System Evaluation Criteria; im Allgemeinen als Orange Book bezeichnet), ist ein von der US Regierung herausgegebener Standard für die Bewertung und Zertifizierung der Sicherheit von Computersystemen. TCSEC wurde vor allem… … Deutsch Wikipedia
Trusted Computer System Evaluation Criteria — Les Trusted Computer System Evaluation Criteria, ou TCSEC, sont un ensemble de critères énoncés par le Département de la Défense américain, et permettant d évaluer la fiabilité de systèmes informatiques centralisés. On parle parfois de l Orange… … Wikipédia en Français
System High Mode — (also referred to simply as System High) is a mode of using an automated information system (AIS) that pertains to an environment that contains restricted data that is classified in a hierarchical scheme, such as Top Secret, Secret and… … Wikipedia
Trusted system — In the security engineering subspecialty of computer science, a trusted system is a system that is relied upon to a specified extent to enforce a specified security policy. As such, a trusted system is one whose failure may break a specified… … Wikipedia
Trusted computing base — The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs occurring inside the TCB might jeopardize the security properties of… … Wikipedia
Evaluation Assurance Level — Die Common Criteria for Information Technology Security Evaluation (kurz auch Common Criteria oder CC; deutsch etwa: Gemeinsame Kriterien für die Bewertung der Sicherheit von Informationstechnologie) sind ein internationaler Standard über die… … Deutsch Wikipedia
Evaluation Assurance Level — The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing… … Wikipedia
Computer security — This article is about computer security through design and engineering. For computer security exploits and defenses, see computer insecurity. Computer security Secure operating systems Security architecture Security by design Secure coding … Wikipedia
Security-evaluated operating system — A security evaluated operating system is an operating system that has achieved a certification from an external security auditing organization, such as a B2 or A1 CSC STD 001 83 Department of Defense Trusted Computer System Evaluation Criteria or … Wikipedia
Operating system — Operating systems … Wikipedia