This preview shows pages 1–3. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: 12/19/2010 Unit 8: Assurances
Part 1 Click Here to Start Audio Assurance
Define Expectation Justification through assurance evidence and approvals Executable entities designed to meet requirements Assurance Mechanisms “Computer Security: Art and Science”, Matt Bishop Implementations Don’t Always Reflect Intent
Flaws in Implementation Overlooked Requirements Unintentional Side-Effects Intentional Deviations Operation Errors Incomplete Fixes 1 12/19/2010 TCSEC Fundamental Security Requirement 5: Assurance
“The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces requirements 1-4 *. ….must be clearly documented such that it is possible to independently examine the evidence to evaluate their sufficiency.” *1)Security Policy, 2)Marking, 3)Identification, 4)Accountability. Common Criteria Model CC Focus on Vulnerabilities
Eliminated - Active steps to expose, remove or neutralize. Minimize - Active steps to reduce to acceptable level the impact of exercise of a vulnerability Monitored - Exercise of the vulnerability will be detected to limit damage [CC Part 3 Section 1.2.2] 2 12/19/2010 CC Causes of Vulnerabilities
Requirements - Design Phase Construction - Doesn’t meet specs and/or introduced as a result of poor constructional standards Operation: Inadequate Controls upon the operation. [CC Part 3 Section 126.96.36.199] 3 ...
View Full Document
- Spring '11