A Mechanism for Deriving Specifications of Security Functions in the CC Framework

In the first stage of the Common Criteria process for evaluating the security of information systems, organizational objectives for information security are translated into specifications of all relevant security functions of the system to be built. These specifications are then assessed to determine the subset to be implemented, and are further evaluated. The second stage involves risk analysis or related technologies, and the evaluation phase is the major contribution of the Common Criteria. Deriving security function specifications from security objectives is the area where further research is needed to provide pragmatic tools that support the task. This paper describes a mechanism, harmonization of information security requirements, that aids in this process.
