Protection Profile for System, Research Paper Example
Words: 1035Research Paper
The information given below is in preparation for an IT security network meeting. We will soon be updating our security criteria. From experience, failings in the Orange Book and DITSCAP Book are apparent. For this reason, I will be making a case for moving to the Common Criteria for security needs.
Part 2 and part 3 of the CC serve to provide information on the security components. In the CC, the security components are separated into two books; part 2 contains all the security functional components and part 3 contains all the security assurance components. The content between the CC and the Orange Book are very similar, however the Orange Book keeps all of the security content within one book.
Separating part 2 and part 3 will make it easier for the organization to develop a Profile Protection Plan, since organization of the components has already been begun in the separation of assurance and functional components. The separation relates to the Orange Book only in terms of it being a less convenient resource than the re-organized CC.
The Common Criteria improves on the concept of the Orange Book. Besides making it easier to reference functional and assurance security components, the CC includes valuable additions regarding security that the Orange Book does not. The CC is more detailed with information regarding consumers, developers, and evaluators.
The meaning, purpose, and content are all linked to each other. A protection profile is to express an organization’s security needs. A security target specific to those needs will guide the developer in meeting the target of evaluation for accreditation of certification.
The separation of functional and assurance security components, combined with the additional detail present increases the beneficial use of the Common Criteria above and beyond the Orange Book or the DITSCAP Book. The process of using the Protection Profile, Security Target, and Target of Evaluation is simplified when we remember that the ST used depends on the PP and leads directly to the TOE. Any questions concerning the CC will be answered.
|C-2 Orange Book Protection Profile table|
|Security Policy||FAU: Security Audit
Class FCS: Cryptographic Support
Class FDP: user Data Protection
Class FMT: Security Management
Class FPR :Privacy
|Security audit entails policies and security strategies, which identify, store, record, and analyze information that concerns pertinent security issues. The outcome of audit report can be utilized to establish which security appropriate events were undertaken at particular time and by whom (Benantar, 2006).
These class uses cryptographic technologies to enable them fulfill a variety of hi-tech security concerns. The cryptographic does the following roles: verification and identification; trusted cryptographic functionalities; data and channel separation; and trusted path.
The User Data Protection (UDP) contains four well-designed families that address user data within a TOE, during export, storage and import of data as well as security issues during data handling.
This class consists of families with explicit necessities that deal with data protection (Bidgoli, 2006).
This kind of security class identify the type of security management of a number of elements of TSF: management of security issues, which consist of, for instance, and Access Control Lists Capability Lists; management of functions that encompass, for instance, laws and regulations that influence behavior of TSF and selection criterion for functionalities of system; definition of security functions; and management of TSF data, which consist of, banners (Merkow & Breithaupt, 2005).
The class privacy makes sure that the system has all prerequisites that would improve security of the system. These security conditions will facilitate user to be cosseted against mishandling and hacking the system by technology criminals. This in turn enhances data security and safety of user during the use data.
|Marking||Class FAU : Security Audit||This class enables any change in data use; and allows terminal user to be informed of any changes during interactive session.|
|Identification||Class FIA: Identification and Authentication||The identification element in FIA ensures that data handlers and users to be connected with appropriate security information concerning the system (Bidgoli, 2006).
The specific identification of authorized data for users and legitimate association of security aspects with data handlers and subjects are critical enforcement of security needs.
Identification is employed to definitely recognize the user undertaking particular operations in TOE. These involve not only ascertaining the claimed user of the data, but also authenticate that fact that each user is essentially the one who claims to be.
|Accountability||Class FPT : Protection of the TSF
Class: Trusted Path/Channels
|The class offers capacity of connecting the identity with all auditable events by individual data handlers and users (Merkow & Breithaupt, 2005).
The class promotes system’s accountability by making sure that each data user and handler in the system uses explicit details acknowledged by the system (Benantar, 2006).
In this class, users are required to have direct connection with TSF. Trusted path or channel presents confidence to the data users and handlers. This also focuses at making communication more secure between IT product and TSF users.
|Assurance||Class FMT: Security Management
Class FDP : User Data Protection
|The class guarantees administrators assurance on management of responsibilities of TSF.
This class makes sure that data in the systems is protected and its security is assured in using the system.
This class encompasses of families that assure there is greatest TSF’s integrity and management approaches (Bidgoli, 2006).
|Continuous Protection||Class FDP: User Data Protection
Class FCO : Communication
|The class makes sure data in the systems is endlessly secured from any exterior attack or exploitation (Merkow & Breithaupt, 2005).
The class makes sure that there is constant flow of communication and at the same time offering security to type of data being transferred via the system. This makes sure that the sender is accountable to any security issues, which deals with security of information.
Benantar, M. (2006). Access control systems: Security, identity management and trust models. New York: Springer Science+Business Media.
Bidgoli, Hossein.(2006). Handbook of Information Security, Volume 3. Hoboken: John Wiley & Sons, 2006. Internet resource.
Kim, T., & International Conference on Future Generation Information Technology, FGIT. (2011). Future generation information technology: Third international conference, FGIT 2011 FGIT 2011 in conjunction with GDC 2011, Jeju Island, Korea, December 8-10, 2011 : proceedings. Heidelberg [etc.: Springer.
Merkow, M. S., & Breithaupt, J. (2005). Principles of information security: Principles and practices. Upper Saddle River, NJ: Pearson Prentice Hall.
Time is precious
don’t waste it!