Question
Organizations around the world often assess their IS security mechanisms and practices by using the Trusted Computer System Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC). The two standards are similar, though there are distinctions. Assume that you are the security manager for an organization that writes software. You are reviewing the proposal for a new chat program to be sold for use within an organization. Members of the organization can be physically located anywhere around the world, and your company is promising that all chat communications will be secure. In a 3- to 4-page report, perform the following:
- Compare and contrast the TCSEC and the ITSEC standards.
- Determine what features and practices should be included in the design and development of the chat program to qualify it for each of the four TCSEC classes.
- Determine what your company would have to do to be considered in each of the seven ITSEC classes.
- Identify where the models overlap.
Explanation / Answer
Please find the answer below:
End users expect security and a sense of trust while using applications like chat programs. Users can be physically located anywhere around the world. Users share sensitive information during chatting.
Security is expected by the users of the chat application. Security can be provided using both the standards ITSEC and TCSEC. Meeting the security standards helps users feel a sense of security. ITSEC assures data integrity and availability while TCSEC assures confidentiality and access control. Meeting both standards provides confidence to the chat users.
TCSEC Standard
(Trusted Computer System Evaluation Criteria)
TCSEC is a US Government Department of Defence (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive information.
The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally, divisions C, B and A are broken into a series of hierarchical subdivisions called classes. It is built around security and access restrictions to data, with less focus given to data integrity.
ITSEC Standard
(Information Technology Security Evaluation Criteria)
The Information Technology Security Evaluation Criteria (ITSEC) is a structured set of criteria for evaluating computer security within products and systems. The ITSEC was first published in May 1990 in European countries.
ITSEC defines seven classes or evaluation levels, denoted E0 through E6. Higher evaluation levels involve more extensive examination and testing of the target. The degree of examination depends upon the level of confidence desired in the target. Unlike TCSEC, this standard is built with a greater focus on integrity, but also ensuring confidentiality and availability.
Application Security Requirements (Chat Application)
Security Evaluation Criteria
Comparison:
At ITSEC level E0 and TCSEC D, no security is present, or whatever security is available does not meet any higher security requirements. This is a basic application without any thought behind security.
TCSEC and ITSEC Compliance Requirements
| TCSEC | ITSEC |
|---|---|
| Minimal D - No security | E0 - No security |
| Discretionary Access Control C1 - Chat application should have user authentication and allow authorized users to access security functions. | E1 - Requires security target and informal architecture. |
| Controlled Access Protection C2 - Security restrictions of the program are implemented as ACLs. | E2 - Test documentation should be created; develop user audit logs from application start to stop. |
| Label Security B1 - Chat program should adhere to OS (operating system) constraints. Documentation of the product should be supplied. | E3 - Evidence of security testing and source code as per security policy. |
| Structured Protection B2 - Clearly defined product security policy and user login requirements. | E4 - Formal model of security and statement to the chat users. |
| Security Domains B3 - All chat user sessions pass through a monitor. Clean up source code as per the security constraints. | E5 - Provide documented evidence of how the security policy encounters threats. |
| Verified Design A1 - Proof of evidence that the product functions as per the security policy. | E6 - Provide proof of evidence which proves the underlying security model. |
References:
https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria
https://en.wikipedia.org/wiki/ITSEC
Hope this is helpful.