The principle is applied in this paper to the ISO/IEC 15408 Common Criteria IT Security Evaluation standard, software quality evaluation standards and the Capability Maturity Model Integ
Trang 1Analogies between complex systems are useful for helping those familiar with one of them to better understand the other one, and for establishing cost and resource effective unified systems The principle is applied in this paper to the ISO/IEC 15408 (Common Criteria) IT Security Evaluation standard, software quality evaluation standards and the Capability Maturity Model Integration (CMMI)
Keywords
Security, Quality, Assessment, Evaluation, Capability, Maturity, Classification, Categorization
Common Criteria for IT Security Evaluation - SPI Analogies
Prof Dr Miklos Biro Budapest University of Economic Sciences and Public Administration
miklos.biro@informatika.bke.hu
Trang 2Security is naturally present in all systems of software product quality criteria, and plays a significant role in the approporiate implementation of many software and systems engineering process areas The development of the Information Society made this criterion of even higher significance, which resulted in the distinguished attention of international standardization bodies for example, resulting in the ISO/IEC 15408 (Common Criteria) standard
Certification needs and the constraints of the standardization process led to the flexibility in both the product standards (ISO/IEC 9126, ISO/IEC 14598) and the process methodologies (CMMI, ISO/IEC 15504) which allows for evaluation modules based on a more elaborated background (ISO/IEC 15408, ISO/IEC 12207) as well as other modules based on simpler measurements
Even if some of the underlying standards evolved independently of each-other, the discovery of analogies between their structure can contribute to the establishment of a cost and resource effective multiple certification process [Taylor, Alves-Foss, Rinker, 2002]
The combination of software process and product quality standards has already been studied in [Boegh, Régo, 2000] In this paper we examine the analogies between the ISO/IEC 15408 (Common Criteria) standard and software quality and process capability evaluation methodologies
The Common Criteria
The history of the ISO/IEC 15408 (Common Criteria~CC) standard goes back to the 80's with the following non-exhaustive list of milestones:
• 1980- TCSEC: Trusted Computer System Evaluation Criteria (USA)
• 1991 ITSEC: Information Technology Security Evaluation Criteria v 1.2
(France, Germany, the Netherlands, U.K.)
• 1993 CTCPEC: Canadian Trusted Computer Product Evaluation Criteria v 3.0
• 1993 FC: Federal Criteria for Information Technology Security v 1.0 (USA)
• è CC Editorial Board
• 1996 CC v 1.0 è ISO Committee Draft (CD)
• 1998 CC v 2.0 è ISO Committee Draft (CD)
• 1999 CC v 2.1 = ISO/IEC 15408
CC v 2.1 consists of the following parts:
• Part 1: Introduction and general model
• Part 2: Security functional requirements
• Part 3: Security assurance requirements
Trang 3It is a common perception that understanding the Common Criteria (CC) evaluation process requires painstakingly inspecting multiple documents and cross referencing innumerable concepts and definitions [Prieto-Díaz, 2002] The first challenge is the digestion of the abbreviations of which here
is a brief extract for our immediate purposes:
• TOE: Target of Evaluation — An IT product or system and its associated administrator and user
guidance documentation that is the subject of an evaluation
• TSP: TOE Security Policy — A set of rules that regulate how assets are managed, protected and
distributed within a TOE
• TSF: TOE Security Functions — A set consisting of all hardware, software, and firmware of the
TOE that must be relied upon for the correct enforcement of the TSP
• PP: Protection Profile — An implementation-independent set of security requirements for a
category of TOEs that meet specific consumer needs
• ST: Security Target — A set of security requirements and specifications to be used as the basis for
evaluation of an identified TOE
• EAL: Evaluation Assurance Level — A package consisting of assurance components from Part 3
that represents a point on the CC predefined assurance scale
Here is an illustrative list of the classes of security functional requirements discussed in Part 2 of the CC:
• FAU Security audit
• FCO Communication
• FCS Cryptographic support
• FDP User data protection
• FIA Identification and authentication
• FMT Security management
• FPR Privacy
• FPT Protection of the TOE security functions
• FRU Resource utilisation
• FTA TOE access
• FTP Trusted path / channels
The following are classes of security assurance requirements discussed in Part 3:
• ACM Configuration Management
• ADO Delivery and Operation
• ADV Development
• AGD Guidance Documents
• ALC Life Cycle Support
Trang 4And finally, table B.1 from Appendix B of Part 3 of CC v 2.1 which describes the relationship between the evaluation assurance levels and the assurance classes, families and components
Table 1
Trang 5Enlightening Analogies
The above sample from the CC naturally raises a lot of questions whose answers would require the already mentioned inspection and cross referencing of multiple documents including hundreds of pages As an introductory alternative approach, the analogies below offer a shortcut to those who already have a basic understanding of models of software quality and process capability
CC certification is performed after the system is developed In this sense, CC is closer to the software product quality evaluation standards ISO/IEC 9126, ISO/IEC 14598, and their follow-up being developed under the acronym SQUARE (ISO 25000 Software Quality Requirements and Evaluation)
As far as the ISO/IEC 9126 standard is concerned, the classes of security functional requirements and the classes of security assurance requirements are analogous to the high-level quality characteristics, while the requirement families to the subcharacteristics Evaluation Assurance Levels (EAL) can be simply interpreted as measurement results on an ordinal scale analogously to
measurements of subcharacteristics in ISO/IEC 9126
A key concept of ISO/IEC 14598 is that of the evaluation module "An evaluation module specifies
the evaluation methods applicable to evaluate a quality characteristic and identifies the evidence it needs It also defines the elementary evaluation procedure and the format for reporting the measurements resulting from the application of the techniques." It also defines its own scope of applicability In other words, an ISO/IEC 14598 evaluation module defines a consistent set of requirements and procedures for evaluating a quality characteristic independently from the concrete
product, but depending on its application environment If we consider the concept of Protection Profile (PP) as an implementation-independent set of security requirements for a category of TOEs
that meet specific consumer needs, as introduced above, we can immediately see the analogy Even-though CC certification is performed after the system is developed, its structure shows a striking analogy with the system of continuous and staged representation structures of the Capability Maturity Model Integration (CMMI) In order to highlighting the analogy, let us consider the table in Appendix F
of version 1.1 of the CMMI Continuous Representation showing the process area capability level (CL) target profiles of the Continuous Representation making an organization's maturity level equivalent to
a maturity level (ML) defined in the Staged Representation
Trang 6Name Abbr ML CL1 CL2 CL3 CL4 CL5
Requirements Management REQM 2
Target Profile 2
Measurement and Analysis MA 2 Project Monitoring and Control PMC 2
Process and Product Quality
Supplier Agreement Management
Configuration Management CM 2 Decision Analysis and
Resolution
Target Profile 3
Product Integration PI 3 Requirements Development RD 3
Organizational Process Definition
Organizational Process Focus OPF 3 Integrated Project Management
(IPPD)
Organizational Training OT 3
Organizational Environment for Integration
Organizational Process Performance
Target Profile 4
Quantitative Project Management QPM 4 Organizational Innovation and
Deployment
Target Profile 5
Causal Analysis and Resolution CAR 5
Table 2 Let us equivalently transform this table so that the last columns contain maturity levels instead of capability levels, and the cells underneath contain the capability level of the given process area necessary for achieving the given maturity level
Trang 7Name Abbr ML ML1 ML2 ML3 ML4 ML5
Project Monitoring and Control PMC 2 - 2 3 3 3
Process and Product Quality Assurance
Supplier Agreement Management
Decision Analysis and Resolution
Organizational Process Definition
Organizational Process Focus OPF 3 - - 3 3 3 Integrated Project Management
(IPPD)
Organizational Environment for Integration
Organizational Process Performance
Quantitative Project Management QPM 4 - - - 3 3 Organizational Innovation and
Deployment
Causal Analysis and Resolution CAR 5 - - - - 3
Table 3 The analogy between table 1 and table 3 is immediately apparent if we consider the following
Trang 8Common Criteria CMMI
Evaluation Assurance Level (EAL) Maturity Level
Classification of Security Requirements Categorization of Process Areas
Table 4 This analogy not only helps those already familiar with CMMI to better understand the Common Criteria, but provides a new perspective on CMMI itself as well
Conclusion
The analogies discovered between the complex standards and methodologies described in the paper help those familiar with one of the systems of concepts better understanding the other system of concepts on the one hand, contribute to the potential establishment of a cost and resource effective multiple certification process on the other hand
Literature
Biró,M.; Tully,C The Software Process in the Context of Business Goals and Performance Chapter in the book entitled Better Software Practice for Business Benefit (ed by R Messnarz, C Tully) (IEEE Computer Society Press, Washington, Brussels, Tokyo, 1999) (ISBN 0-7695-0049-8)
Biró,M.; Messnarz,R Key Success Factors for Business Based Improvement Software Quality Professional (ASQ, American Society for Quality) Vol.2, Issue 2 (March 2000) pp.20-31 ( http://www.asq.org/pub/sqp/past/vol2_issue2/biro.html )
Boegh,J.; Rêgo,C.M Combining software process and product quality standards Presented at the 2nd World Conference on Software Quality, Japan, September 2000
Prieto-Díaz,R Understanding the Common Criteria Evaluation Process Commonwealth Information Security Center Technical Report CISC-TR-2002-003, September 2002
Taylor,C.; Alves-Foss,J.; Rinker,B Merging Safety and Assurance: The Process of Dual Certification for Software.
In Proc Software Technology Conference, March 2002
Trang 92 Author CV
Dr Miklós Biró
Dr Miklós BIRÓ (miklos.biro@bkae.hu) is a professor at the Department of Information Systems of the Budapest University of Economic Sciences and Public Administration.with 26 years of software engineering and university teaching (including professorship in the USA), and 16 years of management experience He has a Ph.D in mathematics (operations research) from the Loránd Eötvös University in Budapest, an Executive MBA (Master of Business Administration) degree from ESC Rouen, France, and a Master of Science in Management degree from Purdue University, USA
He is fluent in Hungarian, English, and French
He is a Bootstrap and SPICE (Software Process Improvement and Capability dEtermination - ISO/IEC 15504) assessor He gives Ph.D courses and company training courses on software quality management, and on the Capability Maturity Model - Integrated (CMMI - service mark of Carnegie Mellon University, USA)
He initiated and managed the Hungarian participation in numerous European multinational projects and organisations committed to software process impovement (European Software Institute, Bootstrap Institute) He was the initiator and head of the Information Society Technologies Liaison Office in Hungary for the European Union's 5th Framework Programme He is invited as expert consultant by Hungarian and international organizations (European Commission; Irish National Policy and Advisory Board for Enterprise, Trade, Science, Technology & Innovation~Forfás; Communications Authority of Hungary; Hungarian Committee for Technological Development; Investment and Trade Development Agency of Hungary; Hungarian Airlines; United Nations Industrial Development Organization~UNIDO; International Software Consulting Network; )
He has numerous publications in international scientific and professional journals (Software Process Improvement and Practice, Software Quality Professional (1, 2), Software Process Newsletter, European Journal of Operational Research, Zeitschrift für Angewandte Mathematik und Mechanik, Optimization, Information Processing Letters, Discrete Mathematics, Journal of Advanced Transportation, Acta Cybernetica) and conference proceedings He is the co-author of Hungarian and English language books on operations research models, software engineering, software process improvement and business motivations
He is member of the Editorial board of the journal Software Process Improvement and Practice published by Jonh Wiley & Sons, and founding president of the professional division for Software Quality Management of the John von Neumann Computer Society He is the Hungarian member of Technical Committee 2 (TC-2) Software: Theory and practice of the International Federation for Information Processing (IFIP) He is member of several other professional bodies and societies