Canadian Trusted Computer Product Evaluation Criteria

Last updated

The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) is a computer security standard published in 1993 by the Communications Security Establishment to provide an evaluation criterion on IT products. It is a combination of the TCSEC (also called Orange Book) and the European ITSEC approaches.

CTCPEC led to the creation of the Common Criteria standard. [1]

The Canadian System Security Centre, part of the Communications Security Establishment was founded in 1988 to establish a Canadian computer security standard. [2] The Centre published a draft of the standard in April 1992. [2] The final version was published in January 1993. [2]

Related Research Articles

<span class="mw-page-title-main">Information security</span> Protecting information by mitigating risk

Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible, or intangible. Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.

<span class="mw-page-title-main">Xenix</span> Discontinued Unix version published by Microsoft

Xenix is a discontinued version of the Unix operating system for various microcomputer platforms, licensed by Microsoft from AT&T Corporation in the late 1970s. The Santa Cruz Operation (SCO) later acquired exclusive rights to the software, and eventually replaced it with SCO UNIX.

<span class="mw-page-title-main">Intrusion detection system</span> Network protection device or software

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

<span class="mw-page-title-main">Tempest (codename)</span> Espionage using electromagnetic leakage

TEMPEST is a U.S. National Security Agency specification and a NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC).

<span class="mw-page-title-main">Communications Security Establishment</span> Canadas national cryptologic agency

The Communications Security Establishment, formerly called the Communications Security Establishment Canada (CSEC), is the Government of Canada's national cryptologic agency. It is responsible for foreign signals intelligence (SIGINT) and communications security (COMSEC), protecting federal government electronic information and communication networks, and is the technical authority for cyber security and information assurance.

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In the case of operating systems, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications, permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of multilevel security. One is to refer to a system that is adequate to protect itself from subversion and has robust mechanisms to separate information domains, that is, trustworthy. Another context is to refer to an application of a computer that will require the computer to be strong enough to protect itself from subversion and possess adequate mechanisms to separate information domains, that is, a system we must trust. This distinction is important because systems that need to be trusted are not necessarily trustworthy.

The Evaluation Assurance Level of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL level does not measure the security of the system itself, it simply states at what level the system was tested.

<span class="mw-page-title-main">Rainbow Series</span>

The Rainbow Series is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center.

A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.

David Elliott Bell is an American mathematician and computer security pioneer. While working at MITRE Corporation, he and Leonard J. LaPadula co-developed the highly influential Bell–LaPadula model. In 2012, Bell was interviewed as part of an effort by the National Science Foundation to document the “Building an Infrastructure for Computer Security History.” In recognition of his contributions to the computer security field, Bell was inducted into the Cyber Security Hall of Fame in 2013.

The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.

The Interactive Link is a suite of hardware and software products designed for application within areas where network separation is implemented for security reasons. Manufactured and marketed by Tenix Datagate, the Interactive Link hardware products have been evaluated to the highest level under international security criteria with a strong focus on maintaining the confidentiality of the secure network. The technology underlying the products is drawn from Starlight Technology, developed by the Australian Defence Science and Technology Group.

Addamax was an American software company that developed Trusted operating systems based on UNIX System V and Berkeley Software Distribution (BSD) variants of UNIX. The company was founded in 1986 in Champaign, Illinois by Dr. Peter A. Alsberg and had a sales and development office in Gaithersburg, Maryland.

Non-interactive zero-knowledge proofs are cryptographic primitives, where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the statement itself. This function of encryption makes direct communication between the prover and verifier unnecessary, effectively removing any intermediaries. The core trustless cryptography "proofing" involves a hash function generation of a random number, constrained within mathematical parameters determined by the prover and verifier.

The OECC, established in 1996, is an annual conference which publishes proceedings and scientific research articles as a result of its conferences. OECC stands for the OptoElectronics and Communications Conference, which has conducted annual meetings since its establishment up to the present year. With an international scope, the areas of focus for the OECC are annual meetings in the Asia Pacific region, centered on the optoelectronics and optical communications profession. The function of the meetings are to report, discuss, exchange, and generate ideas which advance the disciplines of optoelectronics and optical communications. Communicating current and future applications related to these disciplines are also a function of these meetings.

In information security, a guard is a device or system for allowing computers on otherwise separate networks to communicate, subject to configured constraints. In many respects a guard is like a firewall and guards may have similar functionality to a gateway.

Suhayya "Sue" Abu-Hakima is a Canadian technology entrepreneur and inventor of artificial intelligence (AI) applications for wireless communication and computer security. As of 2020, her company Amika Mobile has been known as Alstari Corporation as she exited her emergency and communications business to Genasys in October 2020. Since 2007, she had served as President and CEO of Amika Mobile Corporation; she similarly founded and served as President and CEO of AmikaNow! from 1998 to 2004. A frequent speaker on entrepreneurship, AI, security, messaging and wireless, she has published and presented more than 125 professional papers and holds 30 international patents in the fields of content analysis, messaging, and security. She has been an adjunct professor in the School of Information Technology and Engineering at the University of Ottawa and has mentored many high school, undergraduate, and graduate students in science and technology more commonly known as STEM now. She was named to the Order of Ontario, the province's highest honor, in 2011 for innovation and her work in public safety and computer security technology.

Edward G. Amoroso is an American computer security professional, entrepreneur, author, and educator based in the New York City area. His research interests have centered on techniques and criteria for measuring trustworthy software development. the application of these methods to secure software development for critical projects in the defense and aerospace industries, and redefining trust parameters for improved security in the cloud. Early on in his career, he was involved with the design of security protections for the Unix operating system in support of the US Government Orange Book security evaluation criteria. This research lead to real-time security design and trusted software protections for the United States Ballistic Missile Defense Program, also known as Star Wars. He has also pioneered concepts related to microsegmentation, a design strategy that allows for the creation of secure zones in data centers and cloud deployments.

References

  1. Debra S. Herrmann (27 December 2002). Using the Common Criteria for IT Security Evaluation. CRC Press. p. 6–. ISBN   978-1-4200-3142-3.
  2. 1 2 3 Mark S. Merkow; Jim Breithaupt (2014). Information Security: Principles and Practices. Pearson. p. 93–. ISBN   978-0-7897-5325-0.