ISO/IEC 15408-1-2005 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model

Posted: 2018-10-25 01:30
Standard number: ISO/IEC 15408-1-2005
Status: Withdrawn
Chinese title: 信息技术.安全技术.IT安全的评价标准.第1部分:介绍和一般模型
English title: Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
Publication date: 2005-10
Superseded by: ISO/IEC 15408-1-2009
Supersedes: ISO/IEC 15408-1-1999; ISO/IEC FDIS 15408-1-2005
Adopted as: DIN ISO/IEC 15408-1-2007, IDT; DIN ISO/IEC 15408-1-2006, IDT; ANSI/INCITS/ISO/IEC 15408-1-2008, IDT; BS ISO/IEC 15408-1-2005, IDT; CAN/CSA-ISO/IEC 15408-1-06-2006, IDT; GOST R ISO/IEC TR 15446-2008, MOD; GOST R ISO/IEC 15408-1-2008, IDT; GOST R ISO/IEC 15408-2-2008, MOD; GOST R ISO/IEC 15408-3-2008, MOD; GOST R ISO/IEC 18045-2008, MOD
Drafting body: ISO/IEC JTC 1/SC 27
Abstract: ISO/IEC 15408 is meant to be used as the basis for evaluation of security properties of IT products and systems. By establishing such a common criteria base, the results of an IT security evaluation will be meaningful to a wider audience.

Certain topics, because they involve specialized techniques or because they are somewhat peripheral to IT security, are considered to be outside the scope of ISO/IEC 15408. Some of these are identified below:

a) ISO/IEC 15408 does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security measures. However, it is recognised that a significant part of the security of a TOE can often be achieved through administrative measures such as organisational, personnel, physical, and procedural controls. Administrative security measures in the operating environment of the TOE are treated as secure usage assumptions where these have an impact on the ability of the IT security measures to counter the identified threats.

b) The evaluation of technical physical aspects of IT security such as electromagnetic emanation control is not specifically covered, although many of the concepts addressed will be applicable to that area. In particular, ISO/IEC 15408 addresses some aspects of physical protection of the TOE.

c) ISO/IEC 15408 addresses neither the evaluation methodology nor the administrative and legal framework under which the criteria may be applied by evaluation authorities. However, it is expected that ISO/IEC 15408 will be used for evaluation purposes in the context of such a framework and such a methodology.

d) The procedures for use of evaluation results in product or system accreditation are outside the scope of ISO/IEC 15408. Product or system accreditation is the administrative process whereby authority is granted for the operation of an IT product or system in its full operational environment. Evaluation focuses on the IT security parts of the product or system and those parts of the operational environment that may directly affect the secure use of IT elements. The results of the evaluation process are consequently a valuable input to the accreditation process. However, as other techniques are more appropriate for the assessment of non-IT related product or system security properties and their relationship to the IT security parts, accreditors should make separate provision for those aspects.

e) The subject of criteria for the assessment of the inherent qualities of cryptographic algorithms is not covered in ISO/IEC 15408. Should independent assessment of mathematical properties of cryptography embedded in a TOE be required, the evaluation scheme under which ISO/IEC 15408 is applied must make provision for such assessments.
Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model
This part of ISO/IEC 15408 defines two forms for expressing IT security functional and assurance requirements. The protection profile (PP) construct allows creation of generalized reusable sets of these security requirements. The PP can be used by prospective consumers for specification and identification of products with IT security features which will meet their needs. The security target (ST) expresses the security requirements and specifies the security functions for a particular product or system to be evaluated, called the target of evaluation (TOE). The ST is used by evaluators as the basis for evaluations conducted in accordance with ISO/IEC 15408.
File format: PDF
File size: 856.27 KB
Page count: 50
(The information above was last updated on 2019-11-22)

ISO_IEC 15408-1-2005 信息技术.安全技术.IT安全的评价标准.第1部分_介绍和一般模型.pdf (856.27 KB)
