Abstract
At the first stage of the Common Criteria process for evaluating the security of information systems, organizational objectives for information security are translated into the specification of all relevant security functions of the system being developed. These specifications are then assessed to determine the subset to be implemented, and further evaluated. The second stage involves risk analysis or related technologies, and the evaluation phase is the major contribution of the Common Criteria. The derivation of security function specifications from security objectives is the area where further research is needed to provide pragmatic tools for supporting the task. This paper describes a mechanism, harmonization of information security requirements, that aids in this process.
Copyright information
© 1999 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Leiwo, J. (1999). A Mechanism for Deriving Specifications of Security Functions in the Common Criteria Framework. In: Bench-Capon, T.J., Soda, G., Tjoa, A.M. (eds) Database and Expert Systems Applications. DEXA 1999. Lecture Notes in Computer Science, vol 1677. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48309-8_39
DOI: https://doi.org/10.1007/3-540-48309-8_39
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-66448-2
Online ISBN: 978-3-540-48309-0
eBook Packages: Springer Book Archive