Section: Documentation
1.2.1 ISO/IEC 15408 philosophy

The ISO/IEC 15408 philosophy is that the threats to security and the organisational security policy commitments should be clearly articulated, and that the proposed security measures should be demonstrably sufficient for their intended purpose.

Furthermore, measures should be adopted that reduce the likelihood of vulnerabilities, the ability to exercise (i.e. intentionally exploit or unintentionally trigger) a vulnerability, and the extent of the damage that could occur from a vulnerability being exercised. Additionally, measures should be adopted that facilitate the subsequent identification of vulnerabilities and the elimination, mitigation, and/or notification that a vulnerability has been exploited or triggered.

1.2.2 Assurance approach

The ISO/IEC 15408 philosophy is to provide assurance based upon an evaluation (active investigation) of the IT product or system that is to be trusted. Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents. In aligning the existing approaches, ISO/IEC 15408 adopts the same philosophy. ISO/IEC 15408 proposes measuring the validity of the documentation and of the resulting IT product or system by expert evaluators, with increasing emphasis on scope, depth, and rigour.

ISO/IEC 15408 does not exclude, nor does it comment upon, the relative merits of other means of gaining assurance. Research continues with respect to alternative ways of gaining assurance. As mature alternative approaches emerge from these research activities, they will be considered for inclusion in the standard, which is structured so as to allow their future introduction.

1.2.2.1 Significance of vulnerabilities

It is assumed that there are threat agents that will actively seek to exploit opportunities to violate security policies, both for illicit gain and through well-intentioned but nonetheless insecure actions. Threat agents may also accidentally trigger security vulnerabilities, causing harm to the organisation. Due to the need to process sensitive information and the lack of availability of sufficiently trusted products or systems, there is significant risk due to failures of IT. It is, therefore, likely that IT security breaches could lead to significant loss.

IT security breaches arise through the intentional exploitation or the unintentional triggering of vulnerabilities in the application of IT within business concerns. Steps should be taken to prevent vulnerabilities arising in IT products and systems. To the extent feasible, vulnerabilities should be:

a) eliminated - that is, active steps should be taken to expose, and remove or neutralise, all exercisable vulnerabilities;

b) minimised - that is, active steps should be taken to reduce, to an acceptable residual level, the potential impact of any exercise of a vulnerability;

c) monitored - that is, active steps should be taken to ensure that any attempt to exercise a residual vulnerability will be detected, so that steps can be taken to limit the damage.

1.2.2.2 Cause of vulnerabilities

Vulnerabilities can arise through failures in:

a) requirements - that is, an IT product or system may possess all the functions and features required of it and still contain vulnerabilities that render it unsuitable or ineffective with respect to security;

b) construction - that is, an IT product or system does not meet its specifications, and/or vulnerabilities have been introduced as a result of poor constructional standards or incorrect design choices;

c) operation - that is, an IT product or system has been constructed correctly to a correct specification, but vulnerabilities have been introduced as a result of inadequate controls upon its operation.

1.2.2.3 ISO/IEC 15408 assurance

Assurance is grounds for confidence that an IT product or system meets its security objectives. Assurance can be derived from reference to sources such as unsubstantiated assertions, prior relevant experience, or specific experience. However, the standard provides assurance through active investigation. Active investigation is an evaluation of the IT product or system in order to determine its security properties.

1.2.2.4 Assurance through evaluation

Evaluation has been the traditional means of gaining assurance, and is the basis of the ISO/IEC 15408 approach. Evaluation techniques can include, but are not limited to:

a) analysis and checking of process(es) and procedure(s);

b) checking that process(es) and procedure(s) are being applied;

c) analysis of the correspondence between TOE (Target of Evaluation) design representations;

d) analysis of the TOE design representation against the requirements;

e) verification of proofs;

f) analysis of guidance documents;

g) analysis of the functional tests developed and the results provided;

h) independent functional testing;

i) analysis for vulnerabilities (including flaw hypothesis);

j) penetration testing.

1.2.3 The ISO/IEC 15408 evaluation assurance scale

The ISO/IEC 15408 philosophy asserts that greater assurance results from the application of greater evaluation effort, and that the goal is to apply the minimum effort required to provide the necessary level of assurance. The increasing level of effort is based upon:

a) scope - that is, the effort is greater because a larger portion of the IT product or system is included;

b) depth - that is, the effort is greater because it is deployed to a finer level of design and implementation detail;

c) rigour - that is, the effort is greater because it is applied in a more structured, formal manner.