Page 526 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

perfect. As with other evaluation criteria, the CC guidelines do nothing to make sure that how users act on data is also secure. The CC guidelines also do not address administrative issues outside the specific purview of security. As with other evaluation criteria, the CC guidelines do not include evaluation of security in situ—that is, they do not address controls related to personnel, organizational practices and procedures, or physical security. Likewise, controls over electromagnetic emissions are not addressed, nor are the criteria for rating the strength of cryptographic algorithms explicitly laid out.

Nevertheless, the CC guidelines represent some of the best techniques whereby systems may be rated for security. To conclude this discussion of security evaluation standards, Table 8.4 summarizes how various ratings from the TCSEC, ITSEC, and the CC can be compared. Table 8.4 shows that ratings from each standard have similar, but not identical, evaluation criteria.

TABLE 8.4 Comparing security evaluation standards

TCSEC   ITSEC     CC            Description
D       F-D+E0    EAL0, EAL1    Minimal/no protection
C1      F-C1+E1   EAL2          Discretionary security mechanisms
C2      F-C2+E2   EAL3          Controlled access protection
B1      F-B1+E3   EAL4          Labeled security protection
B2      F-B2+E4   EAL5          Structured security protection
B3      F-B3+E5   EAL6          Security domains
A1      F-B3+E6   EAL7          Verified security design



               Industry and International Security Implementation