Page 512 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

that the CISSP exam focuses on the "why" of security more than the "how"; in other words, it focuses on the concepts and theories more than the technologies and implementations. Thus, some of this historical information could be present in questions on the exam.



Regardless of whether the evaluations are conducted inside an organization or out of house, the adopting organization must decide to accept or reject the proposed systems. An organization's management must take formal responsibility if and when a system is adopted and be willing to accept any risks associated with its deployment and use.

The three main product evaluation models or classification criteria models addressed here are TCSEC, Information Technology Security Evaluation Criteria (ITSEC), and Common Criteria.


               Rainbow Series

Since the 1980s, governments, agencies, institutions, and business organizations of all kinds have faced the risks involved in adopting and using information systems. This led to a historical series of information security standards that attempted to specify minimum acceptable security criteria for various categories of use. Such categories were important as purchasers attempted to obtain and deploy systems that would protect and preserve their contents or that would meet various mandated security requirements (such as those that contractors must routinely meet to conduct business with the government). The first such set of standards resulted in the creation of the Trusted Computer System Evaluation Criteria (TCSEC), commonly called the Orange Book, in the 1980s, as the U.S. Department of Defense (DoD) worked to develop and impose security standards for the systems it purchased and used. In turn, this led to a whole series of such publications through the mid-1990s. Since these publications were routinely identified by the color of their covers, they are known collectively as the rainbow series.

Following in the DoD's footsteps, other governments and standards bodies created computer security standards that built on and improved the rainbow series elements. Significant standards in this group