
A Security Evaluation Scheme and Method for Integrated Functional System

2006. 11.

2006

11 30

:
:

( )

: ( )
( )
( )
( )

1. :

2.



(KISSES; Korean Information System Security Evaluation Scheme) . KISSES

ISO/IEC 19791-TR(2006 5) .
CC
,
.
, KISSES .

3.





KISSES , ,
, ,


: SPP/SST, ,
:

SPP/SST, , ,


PP/ST


4.

.
,
.

(1)


ISO/IEC 15443-2


(, , , )



: FISMA, NIST SP 800-37 (C&A), FAA

SPP
: SYS, FTA, TAS (Tailored Assurance Scheme)
: PP/ST ,

: ISIA
: (TSS)


19791: 2WD (2003 7), PDTR (2004 12), DTR (2005 5), TR (2006 5)
Enhanced CC/CEM: ( )
: CC 3.1 , ITSEM , 19791

, PP/ST TOE
PP, CCEVS

(2)

KISSES , ,

KISSES
,

, ,
UK-ITSEC

(3)

( 19791-TR )
19791-TR SPP/SST
19791-TR
19791-TR

( 19791-TR NIST SP 800-53A



)
SPP/SST ( G)


NIST SP 800-53A

(4)

PP/ST
SPP/SST

SRS
SPP/SST


CC 3.1 ACO CAP
TSEM (ITSEM V1.0, 1993.9), 19791

, CC 3.1 (ADV ), PP/ST


TOE PP, CCEVS







2
CC 3.1 TOE 3
19791-TR TOE 7 5





(scoping)
3 : , ()

()
O-TOE

5.


.
, 19791-TR, SP 800-53A
, , ,
. , 4 PP/ST
, ,
.

6.

.
,
.


SUMMARY
1. Title
A Security Evaluation Scheme and Method for Integrated Functional System

2. R&D Objectives and Importance

"Information assurance" (IA) is obtained by means of security testing and evaluation schemes such as CC, CMVP, SSE-CMM, ISO/IEC 17799 and so on. The CMVP scheme is used for cryptographic modules, CC is used for information security products such as VPNs and smart-card OSs, and ISO/IEC 17799 is used for assurance of the management of a system. Research and development of IA methods for information "systems" (not products) is beginning, using the CC paradigm as in ISO/IEC 19791 and CC 3.1.
In this research, we survey system IA methods (i.e., criteria and schemes) and develop a new KISSES (Korean Information System Security Evaluation Scheme) that is based on ISO/IEC 19791-TR (2006). Deliverables, the activities of each evaluation phase, the structure of the scheme, as well as core technologies for system security evaluation, are proposed.

3. R&D Results
Survey and analysis of operational system security evaluation methods, schemes and criteria
- classification of IA methods
- schemes in the U.S.A., UK, Japan, China and Germany
- ISO/IEC 19791, Enhanced CC
Design of the Korean Information System Security Evaluation Scheme (KISSES)
- organization; sponsor's, developer's and operator's duties
- preparation, conduct and authentication stages
Evaluation criteria and methodology for KISSES
- evaluation criteria: SPP/SST, system security function and control, assurance class
- evaluation methodology: SPP/SST, assurance, deliverables
Core elementary technology
- system PP/ST development method
- composed TOE evaluation method
- composed and system evaluation duration and cost estimation method
- scoping rule for system-type TOE

4. Utilization of R&D Results

The R&D results are useful for the development of a new Information System Security Evaluation Scheme (KISSES) as well as for researchers who are interested in evaluation technology for composed TOEs and operational TOEs.


1 1
2 3
1 3
1. 3
2 8
1. 8
2. 46
3. ICCC 56
4. 64
69

3 71
1 71
2 75
1. 75
2. KISSES 79
3. 81
4. 85
5. 89
6. 95
7. 97
99


4 100
1 100
2 101
1. SPP/SST 101
2. 118
3. 120
3 123
1. (EWP) 123
2. 125
3. 139
4. 144

5 149
1 PP/ST 149
1. 149
2. SPP SST 150
3. 162
4. SPP/SST 167
5. 170
2 171
1. 172
2. 183
3 191
1. 191
2. TOE 193


3. TOE 203
4. TOE (19791-TR ) 209
4 221
1. 221
2. 230
3. 236
238

6 241
A. 243
A.1 Tailored Assurance Scheme(TAS) 243
A.2 SYSn Assurance Packages Framework(SYSn) 246
A.3 Fast Track Assessment(FTA) 251

B. 263
B.1 (ISIA) 263
B.2 273
B.3 ISIA 273
B.4 (Engineering Criteria) 279

C. 287
D. CC 3.1 351
D.1 351
D.2 (CAP) 352
D.3 (ACO) 356
D.4 367


E. 375
E.1 ITSEM 375
E.2 ISO/IEC 19791 379
E.3 CC 3.0 (ADV ) 381
E.4 PP/ST PP/ST 388
E.5 CCEVS 392

F. 396
F.1 (TOE) 396
F.2 (TOE) 403

G. 417


Table of Contents
Chapter 1. Introduction 1
Chapter 2. Survey and analysis on operational system
security evaluation method, scheme, criteria 3
Section 1. System Information Assurance Paradigm 3
1. Information Assurance Scheme 3

Section 2. Analysis of System Evaluation and Authentication Schemes 8
1. U.S. 8
2. Japan 46
3. Survey and Analysis of ICCC 56
4. Analysis of System Evaluation Schemes 64

References 69

Chapter 3. Information System Security Evaluation Scheme 71
Section 1. Analysis of Information Assurance Scheme 71
1. Structure of Scheme 75
2. Management and Organization of KISSES 79
3. Responsibility of Evaluation Proposer 81
4. Responsibility of Developer 85
5. Phase Stage of Evaluation 89
6. Evaluation Execution Stage and Evaluation Result 95
7. Authentication Stage 97

References 99


Chapter 4. System Evaluation Scheme and Methodology 100


Section 1. Introduction 100
Section 2. Evaluation Criteria 101
1. SPP/SST 101
2. Security Control(functional) Requirement 118
3. Security Assurance Requirement 120

Section 3. Evaluation Methodology 123


1. Evaluation Work Program(EWP) 123
2. Content of Evaluation Production 125
3. Evaluation Methodology of each Control 139
4. Assurance Methodology 144

Chapter 5. System Evaluation Element Technology 149


Section 1. System PP/ST 149
1. Introduction 149
2. Evolution of SPP/SST 150
3. Comparison and Analysis 162
4. SPP/SST Technology of Korea 167
5. Conclusion 170

Section 2. Method of Composed System Evaluation 171


1. Documentation of Composed Component 172
2. Extended Evaluation of Non-Evaluation Product 183

Section 3. Calculation of System Evaluation Period 191


1. Definition of Problem 191
2. Calculation of Product Type TOE Evaluation 193
3. Calculation Model of Composed TOE Evaluation 203
4. Evaluation period of Operation TOE 209

Section 4. System Evaluation Extent 221


1. Evaluation Extent Model 221


2. Definition of Evaluation Extent 230
3. Domain Model 236

References 238

Chapter 6. Summary and Conclusion 241


Appendix A. System Evaluation Scheme of U.K 243
Appendix B. System Evaluation Scheme of China 263
Appendix C. Survey of Security Functional Schema 287
Appendix D. Composed Assurance Class and Package of CC 3.1 351
Appendix E. Composed Component and Evaluation Criteria 375
Appendix F. Evaluation Extent Criteria 396
Appendix G. Risk Analysis 417



( 1-1) 2
( 2-1) CC 7
( 2-2) 10
( 2-3) DITSCAP 14
( 2-4) DITSCAP 15
( 2-5) FISMA 27
( 2-6) 28
( 2-7) (risk assessment) 31
( 2-8) , 33
( 2-9) (C&A) 37
( 2-10) PP TOE 51
( 2-11) ST 53
( 2-12) TOE(EAL 3+) 54
( 2-13) STOE 55
( 3-1) 73
( 3-2) KISSES 76
( 3-3) KISSES 76
( 3-4) SST KISSES 77
( 3-5) KISSES 78
( 3-6) KISSES (O-TOE
) 92
( 4-1) 100
( 4-2) 101
( 5-1) CCPP 153


( 5-2) NIST PP 154


( 5-3) SRS 156
( 5-4) SSP/SST 168
( 5-5) SRS-Tool 170
( 5-6) , TOE 172
( 5-7) 177
( 5-8) 179
( 5-9) 185
( 5-10) 190
( 5-11) 191
( 5-12) 192
( 5-13) , TOE 193
( 5-14) 03 194
( 5-15) 05 200
( 5-16) TOE 224
( 5-17) 2 225
( 5-18) SW HW 226
( 5-19) 3 231
( 5-20) O-TOE 233
( 5-21) O-TOE (19791 ) 233
( 5-22) () 233
( 5-23) () 236



[ 2-1] (ISO/IEC TR 15443-2
) 3
[ 2-2] (ISO/IEC TR 15443-3) 5
[ 2-3] 5
[ 2-4] CMVP 6
[ 2-5] SSAA 15
[ 2-6] 16
[ 2-7] 17
[ 2-8] 17
[ 2-9] 17
[ 2-10] NIST SP 800-18 (SSP) 20
[ 2-11] NIST SP 800-26 20
[ 2-12] DIACAP - 22
[ 2-13] DIACAP (IAC) 24
[ 2-14] DIACAP 24
[ 2-15] (IAC) 25
[ 2-16] NIST 30
[ 2-17] 36
[ 2-18] ICCC 64
[ 2-19] 19791, , , ISMS 68
[ 3-1] 71
[ 3-2] 74
[ 3-3] KISSES 88
[ 3-4] 89


[ 3-5] KISSEC (19791-TR) 93


[ 4-1] 19791-TR

119

[ 4-2] 19791-TR 121


[ 4-3] 124
[ 4-4] 125
[ 4-5] 126
[ 4-6] 127
[ 4-7] 129
[ 4-8] 131
[ 4-9] 132
[ 4-10] 133
[ 4-11] 134
[ 4-12] 136
[ 4-13] 137
[ 4-14] 137
[ 4-15] 138
[ 4-16] NIST SP 800-53A 138
[ 4-17] NIST SP 800-53A 140
[ 4-18] 145
[ 5-1] PP SPP 158
[ 5-2] ST 161
[ 5-3] ST SST 162
[ 5-4] SPP/SST 163
[ 5-5] SPP 163
[ 5-6] SST 166
[ 5-7] SRS-Tool 169


[ 5-8] SRS-Tool 170


[ 5-9] CC 3.1 (CAP) 174
[ 5-10] CC 3.1 CAP 175
[ 5-11] 186
[ 5-12] 4 187
[ 5-13] CC 2.2 194
[ 5-14] 195
[ 5-15] , 196
[ 5-16] , 196
[ 5-17] 197
[ 5-18] () 199
[ 5-19] () 200
[ 5-20] CC 2.3 201
[ 5-21] CC 2.3 () 202
[ 5-22] 203
[ 5-23] C-TOE (IF) 204
[ 5-24] (FUN) 204
[ 5-25] (CAP) 205
[ 5-26] CC 3.1 (CAP) 207
[ 5-27] CC 3.1 CAP 208
[ 5-28] TOE (IF) 211
[ 5-29] TOE () (FUN)
211
[ 5-30] 7 TOE (EAL)
211
[ 5-31] 5 TOE (EAL)


211
[ 5-32] (OPE) 212
[ 5-33] 19791-TR 213
[ 5-34] 19791-TR 218

[ 5-35] 3 O-TOE
231


, , ,
, (Information Assurance: IA)
. , . ,
CMVP, CC,
ISO/IEC 17799 ISMS
.
,
, (operational)
(application) .
, COTS (, )
, (composed)
.

ISO/IEC 19791-TR(2006 5)
, CC 3.1 ACO
. CCRA

CC

,
.

.
,

(KISSES; Korean Information System Security Evaluation
Scheme) . KISSES ISO/IEC 19791-TR(2006 5)

. KISSES

. KISSES 19791-TR ,
19791-TR . , PP/ST
, ,
. ( 1-1)
.
2
. 3 KISSES
, 4 KISSES
. 5 4 .
19791-TR , SP 800-53A ,
. .

, , ,
,

Enhanced-CC,
19791-TR,

KISSES

(KISSES)

19791-TR

KISSES SPP/SST

SP800-53A

PP/ST

( 1-1)


CC3.1

1
(=/ )
,
.

.

1.

.

.
.
[ 2-1]
. , [ 2-2] [ 2-3]
.

[ 2-1] (ISO/IEC TR 15443-2 )

ISO/IEC 14598 Software Product Evaluation


X/Open Branding
SCT Strict Conformance Testing
IT Baseline Protection Manual

/ /

Penetration Testing
TTAP Trust Technology Assessment Program
TPEP Trusted Product Evaluation Program
CTCPEC Canadian Trusted Computer Product Evaluation Criteria
TCSEC Trusted Computer System Evaluation Criteria
RAMP Rating Maintenance Phase
ERM Evaluation Rating Maintenance (in general)
ITSEC/ITSEM Information Technology Security Evaluation Criteria and Methodology
KISEC/KISEM Korea Information Security Evaluation Criteria and Methodology
ISO/IEC 15408 Evaluation Criteria for IT Security (CC)
ISO/IEC 12207 Software Life Cycle Processes
ISO/IEC 15288 System Life Cycle Processes
V-Model
SDoC Supplier's Declaration of Conformity
SA-CMM Software Acquisition Capability Maturity Model
ISO/IEC 17799 Code of Practice for Information Security Management
BS 7799-2 Information Security Management Systems: Specification with Guidance for Use
CMM Capability Maturity Model (for Software)
SE-CMM Systems Engineering Capability Maturity Model
TSDM Trusted Software Development Methodology
TCMM Trusted Capability Maturity Model
FR Flaw Remediation (in general)
ISO/IEC 13335 Guidelines for the Management of IT Security (GMITS)
CMMI Capability Maturity Model Integration
ISO/IEC 21827 Systems Security Engineering Capability Maturity Model (SSE-CMM)
ISO/IEC 15504 Software Process Assessment
ISO 13407 Human-Centred Design (HCD)
Developer's Pedigree (in general)
Personnel Assurance (in general)
CISSP Certified Information Systems Security Professional
ISO 9000 Series Quality Management
ISO/IEC 17025 Accreditation Assurance
Rational Unified Process (RUP)
C&A (Certification and Accreditation): SP 800-37, NIACAP, DITSCAP, DIACAP

( : (, ) , : , : (, ) )


[ 2-2] (ISO/IEC TR 15443-3)

: CC, FIPS 140, SSE-CMM, ISO 13335, ISO 17799, IT Baseline Protection Manual, CobiT, ISO 9000
: HW, SW, ( ), (mgmt.), IT, IT (adm.)
[ P/S/X ]

(P: , S: , X: )

[ 2-3]

: FIPS 140 (CMVP); CC 2.3 / CEM 2.3, CC 3.0 / CEM 3.0 (CCRA); ISO/IEC 19791, C&A; SSE-CMM; ISO 9000; ISO/IEC 17799, BS 7799-2 (ISO Guide 62, EA 7/03); CobiT, IT Baseline
[ ]

(1)

CMVP (Cryptographic Module Validation Program)

, KAT (known answer test) MCT (Monte Carlo test)
.

Level 1, Level 2 (CC EAL 2), Level 3 (CC EAL 3) Level 4 (CC EAL 4) ,

[ 2-4] .

[ 2-4] CMVP
< >
y
y
y
y
y
y



//

y
y
y
y
y

(2)

FIPS 140-1 (1995), FIPS 140-2 (2002) FIPS 140-3 ( )

, FIPS 46-3 (DES), FIPS 186 (DSS) FIPS 180-1 (SHS) . , MOVS (Modes of Operation Validation System, NIST SP 800-17, DES Skipjack), TMOVS (NIST SP 800-20, 3DES), RSAVS (RSA), AESAVS (AES), DSAVS (DSA), ECDSAVS (ECDSA), RNGVS, SHAVS (SHA-1, SHA-256, SHA-384, SHA-512) .
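As an added illustration (example code written for this page, not code from the report or from NIST's CAVS), the two kinds of test that the algorithm validation systems above apply: a known answer test that compares SHA-256 output with the published FIPS 180 vectors for "abc" and the empty string, and a Monte Carlo test built the SHAVS way, where each message is the concatenation of the three previous digests. The published MCT checkpoint values are not reproduced here, so the MCT part demonstrates the recurrence rather than checking against a reference; the seed used in the usage block is a constructed value.

```python
"""Known answer test (KAT) and Monte Carlo test (MCT) for SHA-256.

Added example for this page, not code from the report or from NIST's CAVS.
The KAT compares digests against published FIPS 180 test vectors; the MCT
follows the SHAVS construction, where each new message is the concatenation
of the three previous digests. Expected MCT checkpoints are not reproduced
here, so only the recurrence itself is demonstrated.
"""
import hashlib
from typing import List, Sequence, Tuple

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def digest(data: bytes) -> bytes:
    """The implementation under test; a real harness would call the module."""
    return hashlib.sha256(data).digest()


# Published FIPS 180 vectors: SHA-256("abc") and SHA-256("").
KAT_VECTORS: Sequence[Tuple[bytes, str]] = (
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
)


def run_kat(vectors: Sequence[Tuple[bytes, str]] = KAT_VECTORS) -> List[str]:
    """Return the expected digests of vectors that do not match; empty means pass."""
    return [expected for msg, expected in vectors if digest(msg).hex() != expected]


def sha256_mct(seed: bytes, rounds: int = 100, inner: int = 1000) -> List[bytes]:
    """SHAVS-style Monte Carlo test; returns one checkpoint digest per round.

    Round j: MD0 = MD1 = MD2 = seed; for i = 3 .. inner+2:
        M_i  = MD_{i-3} || MD_{i-2} || MD_{i-1}
        MD_i = SHA-256(M_i)
    checkpoint_j = MD_{inner+2}, which seeds the next round.
    """
    if len(seed) != DIGEST_LEN:
        raise ValueError(f"seed must be {DIGEST_LEN} bytes")
    checkpoints: List[bytes] = []
    for _ in range(rounds):
        window = [seed, seed, seed]        # MD0, MD1, MD2
        for _ in range(inner):
            window.append(digest(window[-3] + window[-2] + window[-1]))
            window = window[-3:]           # only the last three digests are needed
        seed = window[-1]
        checkpoints.append(seed)
    return checkpoints


if __name__ == "__main__":
    failed = run_kat()
    print("KAT:", "pass" if not failed else f"FAIL {failed}")
    seed = bytes(range(DIGEST_LEN))       # constructed seed, not a CAVS value
    print("MCT checkpoint 0:", sha256_mct(seed, rounds=1).pop().hex())
```

In a real validation run the module under test replaces `digest()`, and the checkpoint list is compared against the response file the lab supplies; the structure of the loop (three-digest window, one checkpoint per round) is what distinguishes an MCT from a plain KAT.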


(3)

NIST NVLAP (National Voluntary Laboratory Accreditation Program) CMT (cryptographic module testing) laboratory accreditation program . Atlan Laboratories 10 . (KCMV) Cryptography Research & Evaluation Committees (CRYPTREC) CMVP
.
(1)
TCSEC(), FC(), ITSEC(), CTCPEC(),

(), ()
, CC 2.3( ), CC 2.4(PP ST
), CC 3.1(2006 7, ) . , CC 3.1 CC 2.3
, ,
. , ISO/IEC 19791
CC 2.3 (, - ) ,
ISO/IEC CC 3.1 2006 9 , CCRA 2008 CC
v3.1 . ( 2-1) CC

( 2-1) CC

(2)
ITSEM CEM , (,

PP/ST ) .


CC

3.1

ACO(Composition) (CC 3.1

. E ). CC 3.1
composite . (operational)

, ,
() -
. ISO/IEC TR 19791 Enhanced-CC .

2
1.

.
(1)


.

,
(Certification and Accreditation, C&A) .

.
- (: CMVP), (:
CC ), (Information Security Management System; ISMS)

(: ISO/IEC 17799 ) (,
) .


.
o :

, ,

o : ,

(,

Designated Approving Authority; DAA)

, ,
.

,
-
. , - (
) , 3 6
.

(2)
() -

- .
o DITSCAP (DoD Information Technology Security Certification and Accreditation Process): 1997 DoDI 5200.40

- -
- . DIACAP
.
o DIACAP (DoD Information Assurance Certification and Accreditation Process): 2002 e-Government Act (, Federal Information Security Management Act; FISMA) 2002 DoD Directive 8500.1
-.
o NIACAP (National Information Assurance Certification and Accreditation Process): 2000 NSTISSI (National Security Telecommunications and Information Systems Security Instruction) No. 1000
- DITSCAP -
.
o FISMA(Federal Information Security Management Act): 2002

(e-Government Act) 3(Title III)



.
( 2-2) .

( 2-2) -

. -
(1) - ( )

,
. (FISMA, DITSCAP, DIACAP,
NIACAP) .

, ,
.
o


o
o
o SW HW
o
o
o (contingency plan)
o
o
NIST -

.
.

(2) -

. .
o (Authority to Operation; ATO):

.
o (Interim Authority to Operation; IATO):

,
(;
) .
3 .

(3)

(, )
.
.

. - -


. 4,
.
Level 4 .

(4) -

- -
.
Federally Funded Research and Development Centers (FFRDC)

. FFRDC ,
.
, , FFRDC
.

. DITSCAP
(1)
DITSCAP (DoD Information Technology Security Certification and Accreditation Process) DoDI 5200.40 (December 30, 1997)

,
- , ,

DoD Directive 5200.28, Computer Security Act (Pub. L. 100-235, 1987), OMB Circular A-130 (1996 ), DCID 1/16, DoD Directive 5220.22


. DITSCAP DIACAP .

,
.
o DAA
o
o -


o
o

(2)
() (Designated Approving Authority; DAA)

,
.


.
() (program manager)

, , , , ,

.
() (certification authority)
SSAA

, DAA
.
() (User Representative)

- ,
, , , , .
() -
DITSCAP - ( 2-3) 4 .
( 2-4) DITSCAP - .

(3)
() (System Security Authorization Agreement; SSAA)
CC- PP ST - SSAA
SSAA PP/ST . DITSCAP


- . , , ,
,
. , -
, . , SSAA (INFOSEC)
- .
SSAA .
o DAA, ,

,
( 2-3) DITSCAP

( 2-4) DITSCAP -

o
o
o SSAA (; , , , )


o DITSCAP
SSAA -

.
o
o (Security Test and Evaluations; ST&E)
o ,
o
SSAA [ 2-5] .

[ 2-5] SSAA

1.
1.1
1.2
1.3
1.4 CONOPS
2.
2.1
2.2 SW
2.3
3.
3.1
3.2
3.3
3.4 (boundary)
4.
4.1
4.2 (governing) (requisite)
4.3
4.4 CONOPS
4.5
4.6
4.7
5.
5.1
5.2
5.3
5.4
6. DITSCAP
6.1

E -
F - /
G - ( )
H -
I - (artifact)
J -
K -
L -
M -
N - (Memorandums of Agreement)
O - ,
P -
Q -
R -

()

( ) [ 2-6] . -
(, , , , -
, , ) [ 2-7]
. [ 2-8]
. [ 2-9]
.

[ 2-6]


[ 2-7]

Interfacing mode: Benign (w=0), Passive (w=2), Active (w=6)
Processing mode: Dedicated (w=1), System High (w=2), Compartmented (w=5), Multilevel (w=8)
Attribution mode: None (w=0), Rudimentary (w=1), Basic (w=3), Comprehensive (w=6)
Mission-reliance factor: None (w=0), Cursory (w=1), Partial (w=3), Total (w=7)
Accessibility factor: Reasonable (w=1), Soon (w=2), ASAP (w=4), Immediate (w=7)
Accuracy factor: Not-applicable (w=0), Approximate (w=3), Exact (w=6)
Information categories: Unclassified (w=1), Sensitive (w=2), Confidential (w=3), Secret (w=5), Top Secret (w=6), Compartmented/Special Access Classified (w=8)

[ 2-8]

Level 1: < 16
Level 2: 12 ~ 32
Level 3: 24 ~ 44
Level 4: 38 ~ 50

[ 2-9]

Active (6), System High (2), Basic (3), Total (7), ASAP (4), Approximate (3), Sensitive (2)
6 + 2 + 3 + 7 + 4 + 3 + 2 = 27 , Level 3
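The level determination behind Tables 2-7, 2-8 and 2-9, as an added worked example (example code for this page, not from the report or from DoD 8510.1-M): the seven weights are summed and the total is matched against the overlapping level ranges. The characteristic names used as keys (interfacing mode, processing mode, attribution mode, mission reliance, accessibility, accuracy, information category) are the DITSCAP names assumed for the seven rows of Table 2-7, with the attribution value "Basic" (w=3) as in the Table 2-9 example. Taking the more rigorous level when the total falls in an overlap is an assumption made here; it matches the report's resolution of 27 to Level 3 rather than Level 2.

```python
"""DITSCAP certification level from system characteristics (Tables 2-7 to 2-9).

Added example for this page; it is not code from the report or from DoD.
It sums the seven characteristic weights of Table 2-7 and maps the total
onto the overlapping certification level ranges of Table 2-8.
"""
from typing import Dict, List, Tuple

# Weight per characteristic value, as tabulated in Table 2-7. The key names
# are the DITSCAP characteristic names assumed for the seven rows.
WEIGHTS: Dict[str, Dict[str, int]] = {
    "interfacing_mode": {"Benign": 0, "Passive": 2, "Active": 6},
    "processing_mode": {"Dedicated": 1, "System High": 2,
                        "Compartmented": 5, "Multilevel": 8},
    "attribution_mode": {"None": 0, "Rudimentary": 1, "Basic": 3,
                         "Comprehensive": 6},
    "mission_reliance": {"None": 0, "Cursory": 1, "Partial": 3, "Total": 7},
    "accessibility":    {"Reasonable": 1, "Soon": 2, "ASAP": 4, "Immediate": 7},
    "accuracy":         {"Not-applicable": 0, "Approximate": 3, "Exact": 6},
    "information_category": {
        "Unclassified": 1, "Sensitive": 2, "Confidential": 3, "Secret": 5,
        "Top Secret": 6, "Compartmented/Special Access Classified": 8,
    },
}

# Certification level ranges of Table 2-8 (inclusive). They overlap on
# purpose, so a total may qualify for two adjacent levels.
LEVEL_RANGES: List[Tuple[int, int, int]] = [
    (1, 0, 15),    # "< 16"
    (2, 12, 32),
    (3, 24, 44),
    (4, 38, 50),
]


def total_weight(system: Dict[str, str]) -> int:
    """Sum the weights of all seven characteristics; each must be supplied."""
    missing = sorted(set(WEIGHTS) - set(system))
    if missing:
        raise ValueError(f"missing characteristics: {missing}")
    total = 0
    for name, table in WEIGHTS.items():
        value = system[name]
        if value not in table:
            raise ValueError(f"{name}: unknown value {value!r}")
        total += table[value]
    return total


def candidate_levels(total: int) -> List[int]:
    """Every certification level whose range contains the total."""
    return [lvl for lvl, lo, hi in LEVEL_RANGES if lo <= total <= hi]


def certification_level(system: Dict[str, str]) -> int:
    """Resolve the level for a system.

    Assumption made here (the report states no rule): when the total lands
    in the overlap of two ranges, take the more rigorous level. That is what
    the Table 2-9 example does, resolving 27 to Level 3 rather than Level 2.
    """
    return max(candidate_levels(total_weight(system)))


# Constructed input reproducing the Table 2-9 example.
EXAMPLE_SYSTEM: Dict[str, str] = {
    "interfacing_mode": "Active",
    "processing_mode": "System High",
    "attribution_mode": "Basic",
    "mission_reliance": "Total",
    "accessibility": "ASAP",
    "accuracy": "Approximate",
    "information_category": "Sensitive",
}

if __name__ == "__main__":
    total = total_weight(EXAMPLE_SYSTEM)
    print(f"total weight = {total}, candidate levels = {candidate_levels(total)}, "
          f"chosen = Level {certification_level(EXAMPLE_SYSTEM)}")
```

`candidate_levels` is kept separate from the tie-break so that a certifier can see both levels a total qualifies for before the choice is made; in DITSCAP that choice is a judgement the certification authority records in the SSAA rather than a rule, which is why the function documents its tie-break as an assumption.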

() (Security Test and Evaluation, ST&E)


ST&E DITSCAP 3.2.1 , -



, .
,
.
ST&E , , ,

SW, HW FW SSAA

. , , , , ,
.
SSAA , ,
,
.
.

() ,

2 3 . IT,
,
.

. ,
.

. ,
. ,

() (Security Assessment Reports, SAR)


IT ,

.

. NIACAP
(1)
NIACAP (National Information Assurance Certification and Accreditation
Process)

2000 NSTISSI (National Security Telecommunications and Information Systems Security Instruction) No. 1000
-. DITSCAP
, . Computer Security Act (1987)
Circular A-130 (1996)
(sensitivity) ,


.
NIACAP DITSCAP -
FIPS SP 800-37 .
NIACAP OMB A-130 (1996) (

)
. .
o
o
o
o

(2) -
NIACAP - DITSCAP ( 2-3, 2-4).

(3)
NIACAP (SSP) 1998 NIST NIST SP 800-18 (Guide for Developing Security Plans for Information Technology Systems) SSP [ 2-10]


[ 2-10] NIST SP 800-18 (SSP)


1.
1.1
1.2
1.3
1.4 /
1.5
1.6 /
1.7
2.
2.1
2.2
2.3
2.4
2.5
3
3.MA. -
3.MA.1
3.MA.2
3.MA.3 ,
3.MA.4
3.MA.5
3.MA.6 /
3.MA.7
3.MA.8

3.GSS -
3.GSS.1
3.GSS.2
3.GSS.3 , /
3.GSS.4
3.GSS.5

3.GSS.6
3.GSS.7
3.GSS.8
3.GSS.9
4
4.MA -
4.MA.1
4.MA.2
(/)
4.MA.3 (public)
4.MA.4
4.GSS -
4.GSS.1
4.GSS.2
4.GSS.3

, NIACAP 2001 NIST NIST


SP 800-26 (Security Self-Assessment Guide for Information Technology
Systems) ([ 2-11] ).

[ 2-11] NIST SP 800-26


I.
1.
2.
3.
4. (authorize) (&)
5.
II.
6.
7.
8. , /

9.
10.
11.
12.
13. ,
14.
III.
15.
16.
17.


. DIACAP
(1)
DIACAP (DoD Information Assurance Certification and Accreditation Process) 1996 OMB Circular A-130, 2002 E-Government Act (Federal Information Security Management Act; FISMA) 2002 DoD Directive 8500.1 , ,

, ,
DIACAP -. , FISMA

Computer Security Act of 1987 , DoD Directive 8500.2


(2003) .
DITSCAP FISMA

. .
DIACAP GIG (Global Information Grid) (defense-in-depth) (IA)

. , (
) , ,
.
DIACAP ,

FISMA DoD Directive 8500.1 ,


-
. DIACAP DITSCAP
. DIACAP .

(2) -
DIACAP
(: , , ) .

, DIACAP ,
. DIACAP

- . DIACAP NIACAP

. [ 2-12] DIACAP -
.

[ 2-12] DIACAP -

[ 1]
1.1
1.2 (IAC)
1.3 DIACAP
1.4 DIACAP
1.5
[ 2]
2.1
2.2
2.3
[ 3]
3.1 :
3.2
3.3
[ 4] /
4.1 DAA
4.2
4.3
[ 5] (decommission)

DIACAP .

(3)
() (Mission Assurance Category; MAC)
MAC

, . 3
MAC 3 .
o MAC I ( ):

(deployed and contingency force)



o MAC II ( ):


o MAC III ( (basic)):

,

() (Confidentiality Level; CL)


MAC CL CL

.
o Classified:
o Sensitive:
o Public:

, MAC I , MAC III


. MAC CL 9
Global Information
Grid (GIG) .
o MAC I, Classified
o MAC I, Sensitive
o MAC I, Public
o MAC II, Classified
o MAC II, Sensitive
o MAC II, Public
o MAC III, Classified
o MAC III, Sensitive
o MAC III, Public
() (Information Assurance Control; IAC)
IAC DoD 8500.2 ,

BS 7799
. , CC ,
(--) .
DoD 8500.2 MAC CL IAC

.
o IAC: (

, ) , MAC .
o IAC: .


IAC MAC
IAC CL IAC .
IA (; , , )
IAC . IAC
.
, , IAC
, .

[ 2-13]

DIACAP IAC , [ 2-14] DIACAP

[ 2-13] DIACAP (IAC)

IAC
DC (Security Design & Configuration): 31
IA (Identification and Authentication): 9
EC (Enclave and Computing Environment): 48
EB (Enclave Boundary Defense): 8
PE (Physical and Environmental): 27
PR (Personnel): 7
CO (Continuity): 24
VI (Vulnerability and Incident Management): 3

[ 2-14] DIACAP

                 MAC (Mission Assurance Category control)    (confidentiality control)
                 I      II     III                          CLASSIFIED   SENSITIVE   PUBLICLY RELEASED
( )              32     32     27                           7            3           2
( )              38     38     37                           0            0           0
( )              -      -      -                            45           34          10
10

IAC .
o : IAC


8
o : , ,
o : IAC
o : IA IAC


o : 4- . 2

, 2 IAC .
[ 2-15] (IAC) .

[ 2-15] (IAC)

: ; DoD Instruction O-8530.2 CND Service Provide


Provider , , INFOCON
, ,
.

:: VIIR-11

(a) (MAC)
:

: .

:: IAGA-12

PKI DAA .
(b)

() (IA Testing; IAT)

&(T&E)
. DoD Instruction 5000.2 Developmental Test and
Evaluation (DT&E) Operational Test and Evaluation (OT&E)

(IAT) . ,


, .
,
IAT
. IAT .
.
National Security Agency
, OT&E .

. FISMA

(Federal Information Security Management Act, FISMA)
. FISMA 2002
(e-Government Act) 3(Title III)

, ,
.
NIST


.

.
FISMA (NIST)

,
FISMA SP 800-53A( 2nd 2006

12 ) . ( 2-5)
FISMA


( 2-5) FISMA

(1)
() (FIPS 199, SP 800-60)
FISMA

, FIPS 199
, , 3
.

1) FIPS 199

(type)
(potential impact)
. FISMA 3
, , .
FIPS 199 3 (, , ) .
o : ,
.
o : ,

o : ,


2) NIST SP 800-60
NIST SP 800-60 FIPS 199

, 2 . 1

/ 2
.
1 FIPS 199
,

.
( 2-6) .

( 2-6)

o : , ,

,

o : , , ,


o : 2 C D


o : , ,

, ,

o :

, ,

2 ( C), (
D) ,

( E) .
() (FIPS 200, SP 800-53)
1) FIPS 200
FIPS 199 200



, , .
NIST SP 800-53
.
800-53
(low baseline)
,
(moderate baseline) ,

(high baseline)
.

2) NIST SP 800-53
FIPS 200

. NIST SP 800-53
. 3 (,

, ) 17 (family)
. 17
[ 2-16] .

[ 2-16] NIST

(Class) / (Family)

(Management)
RA (Risk Assessment)
PL (Planning)
SA (System and Services Acquisition)
CA (Certification, Accreditation, and Security Assessments)

(Operational)
PS (Personnel Security)
PE (Physical and Environmental Protection)
CP (Contingency Planning)
CM (Configuration Management)
MA (Maintenance)
SI (System and Information Integrity)
MP (Media Protection)
IR (Incident Response)
AT (Awareness and Training)

(Technical)
IA (Identification and Authentication)
AC (Access Control)
AU (Audit and Accountability)
SC (System and Communications Protection)
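The categorization and baseline selection that FIPS 199, FIPS 200 and SP 800-53 describe, as an added worked example (example code for this page, not from the report or from NIST): each information type is rated low, moderate or high per security objective, the system takes the high water mark per objective across its information types, and the highest of the three objectives selects the baseline. The information types and ratings in the block are constructed; the family list is the one in Table 2-16, grouped into the management, operational and technical classes of SP 800-53.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.

Added example for this page, not code from the report or from NIST. It
applies the FIPS 199 high water mark rule: each security objective of the
system takes the highest impact level assigned to it by any information type
the system handles, and the system's overall impact level (the highest of the
three objectives, per FIPS 200) selects the SP 800-53 baseline.
"""
from typing import Dict, Mapping

LEVELS = ("low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# The 17 SP 800-53 control families listed in Table 2-16, grouped by class.
FAMILIES: Dict[str, Dict[str, str]] = {
    "management": {"RA": "Risk Assessment", "PL": "Planning",
                   "SA": "System and Services Acquisition",
                   "CA": "Certification, Accreditation, and Security Assessments"},
    "operational": {"PS": "Personnel Security", "PE": "Physical and Environmental Protection",
                    "CP": "Contingency Planning", "CM": "Configuration Management",
                    "MA": "Maintenance", "SI": "System and Information Integrity",
                    "MP": "Media Protection", "IR": "Incident Response",
                    "AT": "Awareness and Training"},
    "technical": {"IA": "Identification and Authentication", "AC": "Access Control",
                  "AU": "Audit and Accountability", "SC": "System and Communications Protection"},
}

Category = Dict[str, str]  # security objective -> impact level


def _validate(name: str, category: Mapping[str, str]) -> None:
    for objective in OBJECTIVES:
        if category.get(objective) not in LEVELS:
            raise ValueError(f"{name}: {objective} must be one of {LEVELS}, "
                             f"got {category.get(objective)!r}")


def system_category(info_types: Mapping[str, Mapping[str, str]]) -> Category:
    """High water mark per objective across every information type on the system."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    result: Category = {objective: "low" for objective in OBJECTIVES}
    for name, category in info_types.items():
        _validate(name, category)
        for objective in OBJECTIVES:
            if RANK[category[objective]] > RANK[result[objective]]:
                result[objective] = category[objective]
    return result


def overall_impact(category: Category) -> str:
    """FIPS 200 collapses the triple to its highest level to choose a baseline."""
    return max((category[o] for o in OBJECTIVES), key=RANK.__getitem__)


def select_baseline(info_types: Mapping[str, Mapping[str, str]]) -> str:
    """Return 'low', 'moderate' or 'high': the SP 800-53 baseline for the system."""
    return overall_impact(system_category(info_types))


def sc_notation(category: Category) -> str:
    """FIPS 199 notation, e.g. SC = {(confidentiality, LOW), (integrity, LOW), ...}."""
    inner = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed example: two information types on one system.
EXAMPLE_TYPES = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "personnel records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
}

if __name__ == "__main__":
    cat = system_category(EXAMPLE_TYPES)
    print(sc_notation(cat), "->", select_baseline(EXAMPLE_TYPES), "baseline")
```

The per-objective triple is kept (rather than only the collapsed level) because it is what the SSP records and what SP 800-53 tailoring later consults: a system whose only high rating is availability still lands in the high baseline, but the triple tells the assessor which objective drove it.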

() (SP 800-30)
1) NIST SP 800-30
NIST SP 800-30

.
.
3 :
o (risk assessment)
o (risk mitigation)
o (ongoing risk evaluation)


) (risk assessment)
( 2-7) 6 .
o : ,
o : , ,
o : ,
o : , ,

CIA ,

o () : /
o : .

( 2-7) (risk assessment)

) (risk mitigation)

( , , , ) .

7
.
o
o
o
o


o
o
o

) (ongoing risk evaluation)



.

.
o
o IT
o
o
o IT
() (SP 800-18 Rev. 1)
1) NIST SP 800-18 Rev. 1
FIPS 199 200 SP 800-53
800-30 ,

.
( 2-8) /
,
3 ( , , POA&M)
.


( 2-8) ,

.
o ,
o
o
o
o
o
o
o
o ,
o
o ,
o , ,
o
o
o

() (NIST SP 800-35, 36, 70, 50, 16)


1) NIST SP 800-35
SP 800-35 IT
IT , .

.
o
-
-
-
o
- ( )
-
-
o
-
-
-
o
-
-
o
- ,
-
-
o
-
-

2) NIST SP 800-36
NIST SP 800-36 , ,


, , ,
.
3) NIST SP 800-70
NIST SP 800-70 (configuration
checklist)

.
4) NIST SP 800-50, SP 800-16
NIST SP 800-50

, NIST SP 800-16 , ,
,
, SP 800-50
.

() (SP 800-53A, 800-26, 800-26 Rev. 1)


1) NIST SP 800-53A
SP 800-53A 2006 4 , 2nd ,

.
.
o
o
o
o

, ,
-

FISMA

.
o (FIPS 199 SP 800-53 )
o
o

(, , ) E ,
. [ 2-17]


[ 2-17]

--

--

--

2) NIST SP 800-26
NIST SP 800-26 ,

5 (Federal IT Security Assessment Framework: FITSAF)


17

.

3) NIST SP 800-26 Revision 1


SP 800-26 Revision 1

,
,
.

() (NIST SP 800-37)
1) NIST SP 800-37
NIST SP 800-37

(C&A) . 44
U.S.C. Section 3542


.

. (critical)
,
.
SP 800-37 .
o


o ,


o ,

)
( 2-9) 4
.

( 2-9) (C&A)


o [ 1]

1:
(SSP)

, - .
y

1.1 [ ]: SSP
.

1.2 [ ]: SSP
.

1.3 [ ()]:
SSP,
.

1.4 [ ()]:
SSP,
.

1.5 [ ()]:
( ) SSP,

.
y

1.6 [ ]: ,
SSP,
.

2: ()
(i) IS -

; (ii) ; (iii)
, -
y

2.1 []: , ,
,
-

2.2 [ ]: ( )

3: SSP ,
(i) FIPS 199 , (ii)

SSP ; (iii) SSP

, (iv)
SSP .
- .
y

3.1 [ ]: ,
,
, SSP FIPS 199

3.2 [SSP ]: IS

SSP

3.3 [SSP ]: ,

SSP

3.4 [SSP ]:

SSP
o [ 2]

. (i) ; (ii)
.

.

.
, ,

.

4:
(i) IS , (ii)

. ,
, , ,
.

. ,
, ,
.
,

,
.
y

4.1 [ ]:
(material) .
, ,

4.2 [ ]: ,
,

4.3 []:
, ,

4.4 []:
5:

5.1 [ ]: I

5.2 [SSP ]:
SSP

5.3 [ ]:

5.4 [ ]:

o [ 3]

. (i) ; (ii)
.
,
. ,
. (i) ; (ii)
; (iii)
.

6:
: (i)

; (ii) .
,


.
.
y

6.1 [ ]:

, ,

6.2 [ ]: ,
,

7:
, (i)

; (ii) SSP .
- .
y

7.1 [ ]: (
)
(,
)

7.2 [SSP ]: ,
SSP

o [ 4]

3 . (i) ; (ii)
; (iii) .

.
.
,
.

8:
: (i)

; (ii) .
HW, SW FW
.

.
y

8.1 [ ]:
, (SW, HW, FW
)

8.2 [ ]: ,
(SW, HW, )


9:
: (i)

; (ii)
;
,
.
y

9.1 [ ]:

9.2 [ ]:
, ,

10:
(i)

SSP ; (ii)
; (iii)
.
, FISMA
.
y

10.1 [SSP ]:
(SW, HW, )

SSP
y

10.2 [ ]:
(SW, HW, )

10.3 []:

)

(SSP) 1998 NIST NIST SP 800-18 (Guide for Developing Security Plans for Information Technology Systems) SSP [ 2-10] .

. SSP
. SSP
.

() (SP 800-55, 80)

1) NIST SP 800-55
NIST SP 800-55 NIST SP 800-26 17

37
. 3 .
o :
o / :
o :

2) NIST SP 800-80
NIST SP 800-80

,
.

.
SP 800-53
17 1
18
.


FISMA 3 .
y

[ 1] (2003 ~ 2006):


FISMA .
y

[ 2]: (2006 ~ 2008):

(, - )
, .
y

[ 3] (2008 ~ 2009): (COTS)

(GOTS) ,
CMVP

FIPS 199, 200, NIST SP 800-37, 53, 59 FISMA


, NIST SP 800-53A 12
. , (Automated Security Support Tools)
2006 9 .

.
- DIACAP, FISMA
.
(SSAA) PP/ST .

, , .

,
.
.
o


.

o , OS, IT ,


NIST NIST

.
o NIST

,
(C&A) . C&A

,
,
.
o NIST

(NIST SP 800-65),
(NIST SP 800-64)
.
o SP 800

100 ,
.

,
.

2.

.
(1)
() (IT Strategic Headquarters)
2001 1 (Promotion of an Advanced Information and Telecommunications Network Society)

.

() IT (IT Security Office)


2000 2

, , , .

(IT Security Promotion Committee) (Special Examiners Committee) .


, (National Incident Response Team; NIRT)

. NIRT .
o : (, ), (,

, ), ( )
o

() (METI)

.
Information-technology Promotion Agency (IPA) Japan Computer
Emergency Response Coordination Center (JPCERT/CC) ,

.
SW IT ,
.
o
o ISO/IEC 17799 (ISMS)
o CC (JISEC)
o (Encryption Technology Evaluation)
o CRYPTREC

, IT

, ,
,
. (Information Security Committee) (Study
Group) .

() (Japan IT Promotion, IPA)


IPA

. ,
SW (ISEC,

) IT .
, , ,
, ,
.
o
o IT (JISEC)
o (JPCERT/CC )
o : (CRYPTREC)
o , , , : S/MIME

(2)
() CC (Japanese Information Technology Security Evaluation and Certification Scheme; JISEC) - 2001 4

IPA JIS X 5070 (=ISO/IEC 15408)


NITE (National Institute
of Technology and Evaluation). 3

.
o ()
o ()
o ()


() ST

CC ASE ST CC
. NITE ST chief
.

() (Information Security Management Standards; ISMS)

ISO/IEC 17799
. 1967 12 JIPDEC (Japan Information
Processing Development Corporation)

Information-Processing Accreditation

Scheme (IAS:

) 2002 4 .

. 1)
(1)

2000

,
IPA JEITA
.
IPA 2000 3
3 .
o PP . CC 2.1 PP
5 2002 .
o ST (confirmation) : JEITA ECSEC
5 ST
CC 2.1
o ,
: CC 2.1

1) 2006 KISA 2
2006 ICCC



2002
2003 ISO/IEC JTC1 SC27 TR 19791
, 2004 JEITA 19791

(2) PP
()
2001 6 2002 2 CC V2.1 EAL 3+ PP, PP, PP, PP, PP (EAL4) .

PP SPP .

() PP : PP
o TOE :



o : (JEITA), 2001.6.21
o : CC V2.1, EAL3+
o TOE : , ,


( 2-10) PP TOE

o TOE : , (Validation Authority)

,
/ , , ,
, , ()
o TOE

FAU : FAU_ARP.1 8
FCS : FCS_COP.1 5
FDP : FDP_ACC.1 8
FIA : FIA_ATD.1 5
FMT : FMT_MOF.1 6
FPT : FPT_ITI.1 6

o TOE

EAL3 ACM_CAP.4, ALC_LCD.1, ALC_FLR.1, AVA_VLA.2

(3) ST /(STEC)2)
()

2) Kai Naruki, Strategic ST Evaluation/Confirmation, ICCC 2006.


o (, , )


(, ST) (confirmation) 3).
o (

, 2005 12) SW ST
(confirmation) () .
o EAL1
o 2006 5 ASE (29/ )
o 2006 6 ASE, ADV_FSP.1 and ADV_RCR.1
o ISO/IEC TR 19791
2004 2005 JEITA ECSEC

(C-S),

, ST .
() ST : ST
o TOE : ForceSecure-Filing V01R21(())
o TOE :


o : (ECSEC), 2005.2.21
o : CC V2.1, EAL3
o TOE

3) SW 42% / 24%


( 2-11) ST

o TOE : , , , TOE

/ , TOE
o TOE

FAU : FAU_GEN.1 6
FDP : FDP_IFC.1 3
FIA : FIA_ATD.1 5
FMT : FMT_MSA.1 6
FPT : FPT_RVM.1 3

TOE : EAL3

()
1) : (IPA)
2) : (JEITA)
3) :


4)


o (SST)

/, , , 4

STOE

( STOE
)

, ,

o : 19791
o

, ,

ISO/IEC TR 19791 TR(Technical Report)

ISO/IEC 15408
o : (EAL 3+)

( 2-12) TOE(EAL 3+)


() JEITA
1)
o ISO/IEC 19791
o
2) : 2004 ~
3) : IDC( )
o IDC
o Vault Box, DB ,



o STOE

( 2-13) STOE

4)
o (SST)

/, , , 4


STOE

( STOE
)

, ,

3. ICCC( )

. ICCC
ICCC 2000 CC

, CCRA . 2000 5
1 ICCC(International Common Criteria Conference)
98 10, 5 6 CC (CCMRA :
Common Criteria Mutual Recognition Arrangement)
CCRA(Common Criteria Recognition Arrangement)

. 2000 5 23 25
1 ICCC CCMRA CCRA
.

(1) 1 ICCC
o : 2000. 5. 23 ~ 25
o :
o : NIAP
o :

General, Technical, Protection Profiles and Guidance, Tutorial 4

CC

(2) 2 ICCC


o : 2001. 7. 18 ~ 19
o :
o : CESG
o :

Tutorial, Policy and International, New Dimensions, The Common


Criteria and Smart Card Applications 4 CC

(3) 3 ICCC
o : 2002. 5. 13 ~ 14
o :
o : CSE
o : CC(Delivering Information Assurance
Solutions)
o :

General, Tutorial, New Dimensions, Evaluator/Certifier Workshop, Technical 5 CC ,

(4) 4 ICCC
o : 2003. 9. 7 ~ 9
o :
o : SWEDAC
o : (Trust for Economic Growth)
o :

, 20 400 , 30
, CCRA
.

(EU)

ENISA(The European
Network Information Security Agency) .

(5) 5 ICCC
o : 2004. 9. 28 ~ 30
o :
o : BSI
o : CC
o :

CC , / , /

, , CC ,
, , , , ,

(6) 6 ICCC
o : 2005. 9. 28 ~ 29
o :
o : IPA
o : CC IT
o :

Security Evaluation Practice and Business Value, Marketing, Common


Criteria Version 3.0 3 CC 3.0

, ISO/IEC 19791 ,
.

(7) 7 ICCC
o : 2006. 9. 19 ~ 21
o :


o : , CCN(Centro Criptologico Nacional)


o : CCRA
o :

CC/CEM 3.1

(8) 8 ICCC
o : 2007. 9. 26 ~ 27()
o :
o : ANS(Autorita Nazionale per la Sicurezza)

. ICCC
(1) 4 ICCC
o : K. Rogers(CygnaCom)
o : CC -


o : S. Katzke (NIST)
o : CC CC


o : N. Naaman()
o : , , -

, - ,
(provision) ,

(2) 5 ICCC
o : M. Donaldon (Decisive Analytics Corp.)
o :


y
y


-IT


y
y
y

( )

(3) 6 ICCC
1)
o : Evaluation of application systems by ISO/IEC TR 19791
o : Hirohisa Nakamura
o :
- ISO/IEC TR 19791 .
-

.
- ,
y
y
y
y




-IT

y
(catalogue)
y
y
y
y
o : ISMS Aspects in Common Criteria Certificates for Development
Sites
o : Dr. Bertolt Krüger
o :
- CC ISMS .
- ISMS CC 3.0 ALC .
o : ACO Composition in v3.0
o : David Martin


o :
- CC v3.0 ACO .
- TOE ACO .
o : Deriving Security for Mixed IT System Architectures from
Evaluated Products
o : David Ochel
o :
- , , CC CC

.
o : Business value of the operational system security evaluation for
the integrator and service provider
o : Hiroyuki Kaneko
o :
- .
- CC
.
- CC .
2)
o : Naohisa Ichihara(NTTDATA Corporation, Japan)
o : Success of a smartcard composite TOE evaluation performed by
NTTDATA
o : David Martin(CESG, U.K.)
o : ACO Composition in v3.0, AVA updates in v3.0
o : Ronald Bottomly(U.S. Common Criteria Evaluation and Validation
Scheme, U.S.A.)
o : ADV - v3.0
o : David Martin(CESG, U.K.)
o : ACO Composition in v3.0, AVA updates in v3.0
o : Hirohisa Nakamura(Japan Electronics and Information Technology
Industries Association (JEITA), Japan)


o : Evaluation of application systems by ISO/IEC TR 19791

(4) 7 ICCC ( )
o : Dr.Albert Jeng(Taiwan Telecom Technology Center)
o : Analysis of the composition problems in CC v3.0 with some
suggested solutions
o :
- CC 3.1 ACO
, TOE augmentation

- CAP

-

-

o : Francoise Forge(Gemplus)
o : CCV3 Supporting document for composite product evaluation
o :
- CC 3.1

- ,


- (ETR_COMP)
y
y
y ( , , )
y
y
y , ,
y
o : Kai Naruki(IPA)
o : Strategic ST Evaluation/Confirmation


o :
- ST /(confirmation)
- ST / (
, 2005 12)
SW ST/

- SW 42% /
24%, ST
.
- EAL1 2006 5 ASE (29
/ ), 2006 6 ASE, ADV_FSP.1 ADV_RCR.1
.
- 3 ISO/IEC/TR
19791 .

. ICCC
2000 1 ICCC
CCMRA CCRA 2006

7 ICCC . ICCC
CCRA 2005 ICCC

2003

(CAP)

CCRA .

7 ICCC (2006 9 19~21), CC/CEM 3.1 .

CCRA 2008 CC v3.1 ) . , CC 3.1
. 2005
2006 1 .
[ 2-18] ICCC (ICCC 2005, 2006 ) CC 3.x


[ 2-18] ICCC

                 ICCC 2005    ICCC 2006
CC 3.X           27           29
( )              6            3
ISO/IEC 19791    3            1
( )              65           61

CCRA CAP( ) , 8
ICCC (2007 9 26~27).

7 ICCC CC v3.1
(CC v3.1 ACO, ADV ),
,
. ,
,
. ,
, (STOE) .
, 5 9 (CCRA)
11 (CAP) .
4.

.
,
CC . CC IT

, IT
. CC IT
IT CC
.
( , , A, B )


FISMA, DIACAP, DITSCAP, NIACAP


ISO/IEC TR 19791

.
(1) (ISMS, B)
GB/T 18336-2001(, CC) "IT, , IT "

, //
(CC) &
(C&A) . /
CC CC Part2
, SSE-CMM 5 ,
.

(2) (FTA/SYS, A)
() SYS

SYSn MoD
, HMG IS1 EAL2, EAL3, EAL4
CESG , ITSEC CC

, . SYSn
SYS
. CC/CEM ,
.
() FTA(Fast Track Assessment)
FTA Inforsec Inforsec

(CESG ) ,
- . CESG (, )

, (suitable)
.

FTA (, CC ) ,

.
, .
() (FAA, 5 )
2000 1 National Information Assurance Acquisition Policy, NSTISSP
#11 , 2002 7 (FAA)

CC .
, FAA 18 PP , ,
, CC - (C&A) (,
) .
FAA PP FAA ()

CC PP , System Protection Profile


(SPP) System Protection Profile Template (SPPT) .
() ()

(ISMS)

(KISA)

, , , , ,
.
, ,
, , 5
, .

.
(1)

.
o FISMA &(C&A)
() .
.
o
(ISMS)
.


o : CC, (CMM)
.
o : PP/ST
. 19791 .
(2)
o CMVP, CC
.
o (: ISP )
(ISMS), ,
(CIIP) .
o (: )
(SW) (integration) ,
.
o (operational) ,
.
o , ,
, , , , ,
().
o
(, ; SST) , SST ,
SST .
o SST
.
o : .
( )
, . ,
( SI)
. , CC
/ ,
. ,
/ . ,
.
(3) 19791
o CC
Enhanced CC 19791 .
o 19791 2006 5 TR .
o CC .
o .


o 19791 , SPP/SST,
.
o , 19791
.
o 19791 : (: ISO/IEC 17799, NIST SP
800-53A, )
. , (; SP 800-53A
19791 ).
. CEM
.
[ 2-19]

[ 2-19] 19791, , , ISMS

(
)

ISO/IEC TR 19791

(ISIA)


(ISMS) (KISA) FTA/SYS

FAA

- ()
:
,
, ,
,
,
,
,
- : ,
, - IT - IT
IS, , , - IT : CC
, : CC (CC
,
, ,
)
,
,
, ,
,
,
,
,

- : CC
- : ,
- : CC ,, ,
,

, ,
- : ,

, , , ,
CC CC
, , - ()
)

, , - :
, , ,
, , ,
, ,
)

(
)

PP/S System PP/ST ( ISPP/ISST: ,


FAA

N/A

ST

21

,
, ,

,
,
,
,
)

N/A

N/A

(PP

)
/

EAL1 ~
EAL4

EAL1 ~
EAL4

17799(),
13335()

CC

CC

N/A

N/A

N/A

ML1 ~ ML5 ()

CC, 17799(),
SP 800-53(FISMA),
17799(),
13335(),
13335(),
CMM(), 15443
()
CMM(), IATF

15446(PP/ST
Release 3.1
), IT-BaseLine
()

N/A
N/A

SSP

[1] NIST FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems", 2004. 2.
[2] NIST SP 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories", 2004. 6.
[3] NIST FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems", 2006. 2.
[4] NIST SP 800-53, "Recommended Security Controls in Federal Information Systems", 2005. 2.
[5] NIST SP 800-30, "Risk Management Guide for IT Systems", 2002. 7.
[6] NIST SP 800-18, Revision 1, "Guide for Developing Security Plans for Federal Information Systems", 2006. 2.
[7] NIST SP 800-35, "Guide to Information Technology Security Services", 2003. 10.
[8] NIST SP 800-36, "Guide to Information Technology Security Products", 2003. 10.
[9] NIST SP 800-70, "Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers", 2005. 5.
[10] NIST SP 800-50, "Building an Information Technology Security Awareness and Training Program", 2003. 10.
[11] NIST SP 800-16, "IT Security Training Requirements: A Role- and Performance-Based Model", 1998. 4.
[12] NIST SP 800-53A second public draft, "Guide for Assessing the Security Controls in Federal Information Systems", 2006. 5.
[13] NIST SP 800-26, "Security Self-Assessment Guide for IT Systems", 2001. 11.
[14] NIST SP 800-26 Revision 1, "Guide for Information Security Program Assessments and System Reporting Form", 2005. 8.
[15] NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems", 2004. 5.
[16] NIST SP 800-55, "Security Metrics Guide for Information Technology Systems", 2003. 7.
[17] NIST SP 800-80, "Guide for Developing Performance Metrics for Information Security", 2006. 5.
[18] NIST SP 800-64, "Security Considerations in the Information System Development Life Cycle", 2003. 10.
[19] NIST SP 800-65, "Integrating Security into the Capital Planning and Investment Control Process", 2005. 1.
[20] http://csrc.nist.gov/publications/nistpubs/index.html
[21] http://csrc.nist.gov/publications/fips/index.html
[22] ISO/IEC TR 15443, "Information technology - Security Techniques - A Framework for IT Security Assurance".


1
[ 3-1] .
,

.

[ 3-1]

1 ~
4

EAL1
EAL4

- ,
(KCMV)
(FIPS 140-2)

- CC 2.3

- CEM 2.3
(KECS)
- 92

() (06.1

)
(CISSVP)
- ()


(
CC ),

- ISP
- , ,

,
-

-

(8)



- ISP
,

ISMS (02 5)
(ISMS)


7

-

,

3
( , ,

)
(

5 (
, ,
)
, ,
)

(CIIP)


.
o : , ,

()
o : , ,

,
( 3-1) .

.
o CC : ,


o :

(, ) ,
(, ,
). CC
.
o :

BS7799 ISMS
o : (CIIP)


"
'' "

PP

(
)

CC
(PP/ST = TOE ?)

(
)

(TOE)
()

(, )

X
(STOE)

(ISMS)
(ISMS, ICSC, CIIP,
)

( 3-1)

o , ,

, ()
.
o ( ,

, )

.
o -

,
. ,
-.


,
(verification) (,
)
( ) (validation)
. ,


(, ) .
2
. [ 3-2]
.

[ 3-2]

C&A

FISMA
FAA SSP
SYS
FTA

, ,


, , ,

CC , SSP, DID

CC , SYS

CC ,

TSS

ISIA

(CC), (ISMS), (CMM)


5 CMM

SRS

CC , PP


. .
o

o (, PP/ST) -

o .
o ISO/IEC 19791 ,
19791 ,
.
o - ( )
o CC(6 , )
, .
o CC
. , , , .
o .

2
1.

(KISSES;

Korean

Information

System

Security Evaluation Scheme)

( ) CC


(operational

system)

ISO/IEC 19791 CC . (TOE)

O-TOE .
KISSES , , (),

(sponsor), , ) /
. ( 3-2) ( 3-4) KISSES ,
SST( ) .


KISSES
/
(19791)

, &
,


( )

( )

(( ) )

( 3-2) KISSES

ST

(SST)

KISSES

(COTS)

(COTS)

(---

( )

(SST = O-TOE
)

()

(O-TOE)

( 3-3) KISSES


(COTS)

/
SPP

SST

TOE , ,

19791, CC, SP-53

(SST)

(O-TOE)

(KISSES)

SRS-Tool
,
FAA (SPP), FISMA
(SP-60(),
SP-53(),
SP-37(),
FIPS-199()

()

SP 800-53A(),
CEM, CC 3.0, 19791

( 3-4) SST KISSES

KISSES

/
.
o : (, O-TOE) (, ST SST)

.
o : (, O-TOE) (, ST)

.
o : O-TOE ( )

(risk) .
KISSES (; , ) ,

,
(KISA)
, /
.
KISA


() . CC
. KISSES
(: KOLAS )
, . KISSES
(,
) .
KISSES ,

. ,
. .
O-TOE (SST) , SST
. ( 3-5) / .

()

(KISA)

O-TOE

( 3-5) KISSES

O-TOE (
)
( 4) ).
.

4) 19791-DTR


()
.
.
.()
/ .

O-TOE / , /
. /
.

2. KISSES

KISSES .
, , , .

.
/ ,
.
/ .
,
.
.
o ( )
o
o
o

o KISSES
o : , ,

KISSES
o
o


o
o KISSES

.

O-TOE .
o

o KISSES

o 19791 KISSES
o
o ()
o (confirm)

o KISSES
o KISSES (certify)
o
o
o (, )
o ,
o (CC, 17799 )

.

, .
CC . KOLAS
.
,
.
.(


) ,
.


.

(,
). , O-TOE ,
.
.

3.
(sponsor) .

O-TOE
. , O-TOE ,
.
(, O-TOE
),
,
. ,
.
.

.
o (SST) . SST O-TOE

( G). , O-TOE
. , SST
.
o , , O-TOE

(, ) .

o ,

.
o ,

.
o KISSES .
o

.
o .
o , (, , )

.
o , SST /

.
o / /

.
o O-TOE /

.
o O-TOE .

O-TOE
.

.
o O-TOE .
o SST

.
o .
o O-TOE

.
o

.

o .
- SST
- 5) (,

, , , )
- O-TOE


- (, , , )
- (composed) O-TOE ,

O-TOE
6)
- O-TOE (effectiveness) (, , ,

)
- , ,

- , ,
-
o O-TOE
o O-TOE
o (,

) .
o

.
o (SEWP)

.
o SST
5) 19791-DTR .
6) CC 3.0 ACO .


.
o .
o .
o .
o O-TOE .
o (6

) .
o O-TOE , SST /


.
o , ,

. ()
o

.
o .
o .
o

.
o

.
-
-
-
- O-TOE
-
- O-TOE / .
o .


4.
O-TOE(, O-TOE )

. ,
(, ) .
O-TOE (, )
.
,
. .

.
o (19791) .
o ,


.
o , .
o /

.
o O-TOE /

.
o O-TOE O-TOE

.
o , O-TOE .
o ,

.
o O-TOE

.
o


.
o .
- (,

, , , ).
- O-TOE


- (, , , )
- O-TOE (effectiveness) (, , ,

)
- , ,

- , ,
-
o O-TOE
o (,

)
o ()

.
o .
o O-TOE .
o O-TOE , /

.
o , ,

.
o (6 )


. ()
o .
o O-TOE

.
o

.
-


O-TOE

O-TOE /

.
(accreditor) .
. O-TOE
,
. .
o ST
o O-TOE
o O-TOE

.
(appointment)

. ,
.

.
KISSES


.
o O-TOE /
o
o /
KISSES .

.
KISSES .

[ 3-3] .

[ 3-3] KISSES

ITSEC
.

O-TOE

O-TOE

,
, ,

O-TOE

O-TOE



O-TOE ,

, ,
,
,

KISSES

/
(,
19791)

KISSES .
,


, ,

(,


5.

KISSES .
SST , [ 3-4] (,

) O-TOE .
.
O-TOE , ,

( ) . ,
. O-TOE
. .

[ 3-4]

( O-TOE )

( O-TOE )

- ( - O-TOE
-
)



- ()
-

""

-


-
-



-
-

- ( -
-

)

-
,

-
- O-T

OE


-
- O-TOE
-

, .
o O-TOE :


- O-TOE

,

o :

o :
/
O-TOE KISSES

. ,
.

.
KISSES
. ,
.

. ,
.

. (SST)
O-TOE
. . ,
,
, , (SSP) .
SST 19791 .

SST .
(, CC)
(, ) .
SST .
.

.
O-TOE , ,


.
. O-TOE
, .
,
()
.
,
,
.

,
.
. ( 3-6) [
3-5] KISSES .

.
SST ,
.
.
.
.
SST
/ .

.

, RFP( ) .


( 3-6) KISSES (O-TOE )

O-TOE

-
-


SEWP

-


()

-
-
- (
)
-
SEWP
- EWP
( )
-

- SST,
-

-
</>


( )

-

-

- (determine)
<>
-
- -
(SST)
-

< >

- PR
- O-TOE

- SEWP
/

<>




-
- SETR


SETR
( )

- CCR

(PR)
CCR

- CCR

-
-


-
- SETR
SETR
- SETR
- ( ) (
)
(PR)
CCR
- CCR
- (PR )

-
-
-

-
SETR
- SETR
CCR
,
CCR

[ 3-5] KISSEC (19791-TR)


1.
2. SSF
3. SSF
,
1.
2.
3.
4.
5.
6.


1. SSF
2. SSF
3. SSF
4.
5.
6.
7.
8.

1.
2.

1.
2.
3. PP
4.


1. SSF
2. SSF
3. SSF
4.
5.
6.
8.
9.(1,2,3)

1.
2. (1,2,3,4)

1.
2. SSF
3. STOE



1.
2. SSF
3. SSF

1.
2.
3. PP
4.


1.

1.
2. SSF
3.

1. (1,2)
2. (1,2)
3. SSF
4.

1.

1.


1.

1.
2. (1,2,3,4)

4 .
.

.

(, , )
.


, SST,
(SEWP)
. ()
.
.
o

.
o

.
()
,
. ,
.

6.


, (SEPR) .
(, 19791) O-TOE SST
. , O-TOE
SST .
O-TOE SST .

.
,
.
.
(,
19791) 7). ,

O-TOE

.
. , O-TOE

.

.
(interaction)
, .
, .

, /

.
,

.
o : E0 .
o
o O-TOE

.

(, 19791) .
. (,
, , )
, .
KISSES

7) CEM, FIPS 53 .


, .

.
, /
. , , O-TOE

. .

7.

(certification)
.
(issue) .
.
SST
, SEWP .
.

. , KISSES
. , .
, , O-TOE
() .
, .
O-TOE SST , O-TOE

, O-TOE
. , O-TOE
.
O-TOE O-TOE
. ,
. .

, O-TOE
. .
, .( 19791
)
,
.
o SST
o
o
o


. O-TOE ()

. , (, )
.
,
,
. .
,

.
.

.
KISSES
. O-TOE
, .
, ,
.


[1] ISO/IEC TR 19791, "Information technology - security techniques - security evaluation of Operational System", May 2005.
[2] 2006 , /, 2006 5.
[3] , 5 , , 2005 10.
[4] , http://www.kisa.or.kr/index.jsp.
[5] , , 9 (SIS)-2004, pp. 477-498, 2004 7.
[6] , , NSRI , 2003 11.
[7] , , 2004 11.
[8] CC, , 2.3, , 2005 8.


NSRI

1
3 (KISSES)
. KISSES ISO/IEC 19791-TR(2006 5
) NIST SP 800-53A . 19791 (SPP/SST,
, ) , 800-53A
.
H I 19791-TR
800-53A ,

KISSES . (
4-1) ( 4-2) .

19791

()

(
)

SST

SST

19791


- - - - - - :
:

(, )

, (SETR)

, ,

( 4-1)



SST

"Specification"
""

" "

""
/

" "


19791

CC

( 4-2)

KISSES SPP/SST ,

. H .

1. SPP/SST

. PP
SPP SPP SPP

SPP, (SPP SPP


) .


STOE SPP
. SSP .
o ASP_INT: SPP ;
o ASP_CCL: ;
o ASP_SPD: ;
o ASP_OBJ: ;
o ASP_ECD:
o ASP_REQ: ;
o ASP_DMI: ;
o ASP_DMC: ;
o ASP_DMP: ;
o ASP_DMO: ;
o ASP_DMR: .

(1) SPP (ASP_INT)


o ASP_INT.1 SPP

SPP SPP , STOE


.

SPP SPP , STOE , STOE , STOE

SPP SPP .

STOE STOE .

STOE STOE .

STOE STOE


(identification) ,

,

.

(2) (ASP_CCL)
o ASP_CCL.1

PP STOE CC CC

ISO/IEC TR 19791 ISO/IEC TR 19791

ISO/IEC TR 19791 SPP

ISO/IEC TR 19791 ISO/IEC TR 19791

ISO/IEC TR 19791 SPP

SPP SPP, PP, ST,

(-conformant) (-augmented)
SPP .

STOE SPP STOE

(demonstration) .

SPP
.

SPP


SPP
.

SPP SPP

PP
.

(3) (ASP_SPD)
o ASP_SPD.1

STOE .
(tolerated), (accepted), (avoiding), (transferred)
(unacceptable) .

.
, , (adverse) .

OSP .

(4) (ASP_OBJ)
o ASP_OBJ.1

ASP_OBJ.1.1C ' ' STOE

ASP_OBJ.1.2C ' ' STOE

ASP_OBJ.1.3C The ' '

ASP_OBJ.1.4C ' ' STOE


OSP
.

ASP_OBJ.1.5C

OSP
.

ASP_OBJ.1.6C

OSP
.

ASP_OBJ.1.7C

ASP_OBJ.1.8C OSP

(5) (ASP_ECD)
o ASP_ECD.1

CC , ,
.

CC , ,
.

-
.

(6) (ASP_REQ)


o ASP_REQ.1 (stated)

SSF SSA .

o ASP_REQ.2 (Derived)

SSF SSA .

SSF STOE
.

SSA STOE

STOE STOE
SSF SSA
.

(7) (ASP_DMI)
o ASP_DMI.1

, ,
.


/
.

(8) (ASP_DMC)
o ASP_DMC.1

SPP, PP,
.

(-conformant) (-augmented)
.

STOE SPP, PP, STOE


SPP, PP, .

SPP, PP,
.

SPP, PP,
.

SPP, PP,
SPP, PP, .

(9) (ASP_DMP)
o ASP_DMP.1


(accepted),

(unacceptable) .

.
, , .

OSP .

(10) (ASP_DMO)
o ASP_DMO.1


OSP .


OSP
.


OSP
.

OSP
.


(11) (ASP_DMR)
o ASP_DMR.1 (stated)

SSF SSA .

o ASP_DMR.2 Derived

SSF SSA .

,

.


SSF .


SSA .

SSF SSA

.

. ST
ST(SST : System Security Target)
. SST SST


SPP SST
. SST SPP .
STOE SST .
.
o ASS_INT: SST ;
o ASS_CCL: ;
o ASS_SPD: ;
o ASS_OBJ: ;
o ASS_ECD:
o ASS_REQ: ;
o ASS_TSS: STOE ();
o ASS_DMI: ;
o ASS_DMC: ;
o ASS_DMP: ;
o ASS_DMO: ;
o ASS_DMR: .

(1) SST (ASS_INT)


o ASS_INT.1 SST

SST , STOE , STOE , STOE

SST SST .

STOE STOE .

STOE STOE .

STOE STOE .

STOE STOE


STOE STOE .

STOE STOE .

STOE
STOE .

,
.

,

.

(2) (ASS_CCL)
o ASS_CCL.1

SST STOE ISO/IEC TR 19791

ISO/IEC TR 19791 ISO/IEC TR 19791

SST .

ISO/IEC TR 19791 ISO/IEC TR 19791 SST

SST SPP, PP, ST,

(-conformant) (-augmented)
SST .

STOE SPP, PP,


ST, STOE


SPP, PP, ST,



.

SPP, PP, ST,


.

SPP, PP, ST,



.

SPP, PP, ST,


SPP, PP, ST,
.

(3) (ASS_SPD)
o ASS_SPD.1

STOE .

(tolerated), (accepted), (avoided), (transferred),


(unacceptable) .

. ,
, (adverse) .

' OSP (describe) .

(4) (ASS_OBJ)
o ASS_OBJ.1

' ' STOE .


' ' .

STOE
OSP .


OSP .


OSP .

OSP .

(5) (ASS_ECD)
o ASS_ECD.1

CC ,
.

CC , ,
.

-
.

(6) (ASS_REQ)
o ASS_REQ.1

SSF SSA .


o ASS_REQ.2 (derived)

SSF SSA .

SSF STOE
.

SSF STOE
.

SSF SSA
STOE STOE
.

(7) STOE () (ASS_TSS)


o ASS_TSS.1 STOE ()

STOE SSF .

STOE SSA .


(8) (ASS_DMI)
o ASS_DMI.1

, ,
.

/ .

(9) (ASS_DMC)
o ASS_DMC.1

SPP, PP, ST,


.

(-conformant) (-augmented)
.

STOE SPP, PP, ST,


STOE .

SPP, PP,
ST, .

SPP, PP, ST,


.

SPP, PP, ST,


.

SPP, PP, ST,


SPP, PP, ST,


(10) (ASS_DMP)
o ASS_DMP.1

.
(accepted) (unacceptable) .

.
, , .

OSP .

(11) (ASS_DMO)
o ASS_DMO.1

OSP

.

OSP

.

OSP


OSP
(enforce) .

(12) (ASS_DMR)
o ASS_DMR.1 (stated)

SSF SSA .

o ASS_DMR.2 (Derived)

SSF SSA .

,
.

SSF .


SSA .

SSF SSA


(13) () (ASS_DMS)
o SSF .
o SSA

2.

.
CC 19791 8) . , CC

, 19791
,
. BS-7799 .
KISSES E 19791-TR

, .

.
[ 4-1] .
CC , (, )

. (19791)
. 5
(, ) .
5 . ,

17799
.

8) CC , 19791 (control) .


[ 4-1] 19791-TR

FOD:
(adm.)

DTR
FOD_POL:
FOD_PSN:
FOD_RSM:
FOD_INC:
FOD_ORG:
FOD_SER:
FOS_POL:

FOS:

FOS_CNF:
FOS_NET:
FOS_MON:

FOS_PSN:
FOS_OAS:

FOA:

FOB:

FOS_RCD:
FOA_PRO:
FOA_INF:
FOB_POL:
FOB_BCN:


1.
2.
1.
1.
2.
1.
1.
2.
1.
1.
2.
3.
4.
5.
1.
2.
1.
2.
1.
2.
3.
4.
1. (authorization)
2.
1.
2.
1.
1.
1.
1.
1.

FOP:

FOT:

FOP_MOB:
FOP_RMM:
FOP_RMT:
FOP_SYS:
FOP_MNG:

FOT_MNG:
FOM_PRM:

FOM:
(mgmt.)
FOM_CLS:
FOM_PSN:
FOM_ORG:
FOM_INC:

1.
1.
1.
1. (equipment)
1.
2.
3.
1.
2.
1.
2. (segregation)
1. (categorization)
2.
1.
2.
1.
1.

3.

.
KISSES 19791 . 19791

CC . AOT_DPT(
), AOT_IND() AOV_VLA() CC
.

.
[ 4-2] 19791-TR .

H .


[ 4-2] 19791-TR

(19791-TR)
1. SPP

ASP_INT: SPP

ASP:
SPP

2. SPP

ASP_CCL:

1.

ASP_SPD:

1.

ASP_OBJ:

1.

ASP_ECD:

1.
1. (stated)

ASP_REQ:

2. (derived)

ASP_DMI:

1. (overview)

ASP_DMC:

1.

ASP_DMP: 1.
ASP_DMO:
ASP_DMR:

1.
2.
1. SST

ASS_INT: SST

2. SST

ASS_CCL:

1.

ASS_SPD:

1.

ASS_OBJ:

1.

ASS_ECD:

1.
1.

ASS_REQ:
ASS:
SST

1.

2.

ASS_TSS: STOE ()

1. STOE ()

ASS_DMI:

1.

ASS_DMC:

1.

ASS_DMP:
ASS_DMO:
ASS_DMR:
ASS_DMS:


1.
2.
1.
1.
2.
1.

AOD_OCD:
AOD_ADM:
AOD:

1.
2.
1. SSF

2. SSF

AOD_USR: 1. SSF

2. SSF
AOD_GVR:

1.

ASD_SAD:

1.

ASD_IFS: ()
ASD:
ASD_SSD:

ASD_CMP:

ASD_IMP:

ASD_CON:
ASD_GVR:

1.
1.
1.
1.
1.
1.

AOC_OBM: 1.

2.
AOC_ECP:
AOC:

1.
2.
1. PP

AOC_PPC: PP

2. PP

AOC_NCP 1.

2.
AOT_FUN:
AOT_COV:

1. SSF
1. SSF
2. SSF
1.

AOT:
AOT_DPT:

2.
3.
4.
1. -
2. -

AOT_IND:

3. -
AOT_REG:

1.


AOV_MSU:
AOV:

1.
2.
1. /
2.

AOV_VLA:

3.
4.

AOL:

AOL_DVS:

1.
2.
1.

ASI_AWA:

2.

ASI:
ASI_CMM:

1. SSF
2. SSF
1. STOE

ASI_SIC:

2.

ASO_RCD:
ASO:
ASO_VER:

1.
2.
1.
2.
1. SSF

ASO_MON:

2.

3
1. (EWP)
[ 4-3] 9)
topological sort [ 4-4] 6

.
. , 3
ASD_CMP.1: ASD_CON:
9) (dependency) . , A B
B A .


ASD_SSD: .
.

[ 4-3]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

AOD_OCD.1/2
- - X
X
AOD_ADM.1/2
X
AOD_USR.1/2
X
AOD_GVR.1
X X X
- - - ASD_IFS.1
X
ASD_SSD.1
X
X
ASD_CMP.1
X X
ASD_IMP.1
- - X
ASD_GVR.1
X X X
X X
AOC_ECP.1/2
X
AOC_PPC.1/2
X
AOC_NCP.1/2
X
AOT_COV.1/2
X
X
AOT_DPT.1
X
X
AOT_DPT.2
X X
X
AOT_DPT.3
X X X
X
AOT_DPT.4
X X X X
X
AOT_IND.1
X X
X
AOT_IND.2/3
X X
X
X
AOV_MSU.1/2
X X
AOV_VLA.1
X X
X X
- X
AOV_VLA.2/3/4
X X
X X - X
- X
ASD_SAD
ASD_CON
AOC_OBM
AOT_FUN

Topological sort (runnable Python form of the loop sketched in the original; deps[n] is the set of nodes that n depends on, and a node is placed in the first stage after all of its dependencies have been placed):
def topological_stages(deps):
    remaining, stages, i = dict(deps), [], 1
    while remaining:                                   # Loop ... Until (no-more nodes)
        stage = sorted(n for n, d in remaining.items() if not any(x in remaining for x in d))
        if not stage:
            raise ValueError("cyclic dependency")      # nothing left that can be placed
        stages.append((i, stage))                      # (Stage I): nodes whose dependencies are all placed
        for n in stage: del remaining[n]
        i = i + 1                                      # I = I + 1
    return stages


[ 4-4]

3
4
5
6

z AOD_GVR.1: ,
z ASD_GVR.1: ,
z AOC_ECP.1/2: , AOC_PPC.1/2: PP ), AOC_NCP.1/2:
,
z AOT_COV.1/2: , AOT_DPT.1:
, AOT_DPT.2: , AOT_DPT.3:
, AOT_DPT.4: , AOT_IND.1: :,
AOT_IND.2/3: : , ,
z AOV_MSU.1/2: , AOV_VLA.1: / ,
AOV_VLA.2/3/4: ,,
z AOD_OCD.1/2:
z AOD_ADM.1/2: )
z AOD_USR.1/2:
z ASD_IMP.1:
z AOC_OBM:
z AOT_FUN: SSF
z ASD_CMP.1:
z ASD_CON:
z ASD_SSD:
z ASD_IFS:
z ASD_SAD:

2.

.
4 [ 4-5]
.

.


[ 4-5]

(19791-TR)

1.
2. SSF
3. SSF
,
1.
2.
3.
4.
5.
6.


1. SSF
2. SSF
3. SSF
4.
5.
6.
7.
8.

1.
2.

1.
2.
3. PP
4.


1. SSF
2. SSF
3. SSF
4.
5.
6.
7.
8. (1,2,3)

1.
2. (1,2,3,4)

1.
2. SSF
3. STOE



1.
2. SSF
3. SSF

1.
2.
3. PP
4.


1.

1.
2. SSF
3.

1. (1,2)
2. (1,2)
3. SSF
4.


1.

1.

1.

1.
2. (1,2,3,4)

[ 4-6]

1. SPP
1.1 SPP
(ASP_INT)


- SPP
- STOE , , ,

- CC .
2.
2.1 - SPP / , , ,
(ASP_CCL)
STOE, .


- STOE
3. 3.1
-
(ASP_SPD) (ASP_SPD)
- OSP
- STOE,
4.
3.2

- .
(ASP_OBJ)
(ASP_OBJ)
- OSP
-
5. 5.1
-

(ASP_ECD)
(ASP_ECD) - CC , ,

- /(SSF/SSA)
6.1 -

-

- /(SSF/SSA)

6.
(ASP_REQ)

-
6.2

- "" ,
""
- SSF STOE
- STOE
SSF SSA

7.
7.1

- , , ,

(ASP_DMI)
- SPP, PP,
8.
8.1 - / .

- SPP, PP, STOE , , ,
(ASP_DMC)

-
9.
9.1

-

(ASP_DMP)
- OSP
-
- ,

10.
-
10.1

- /

(ASP_DMO)

OSP
- /OSP /


- SSF SSA
11.1
- .
11.
-


(ASP_DMR)
11.2 - SSF SSA
-

[ 4-7]

1. SST
1.1 SST
(ASS_INT)


- SST , STOE , , ,
- SST

2.
2.1
(ASS_CCL)

- SST

- SPP, PP, ST,


- STOE
3. 3.1
-
(ASS_SPD)
- OSP
- STOE
4.

4.1
(ASS_OBJ)

- ,

- STOE
OSP
- /OSP /

-
5.
5.1

- CC ,

(ASS_ECD)


- SSF SSA
6.1 -

6.
(ASS_REQ)

- SSF SSA

-
6.2

- SSF STOE

7. STOE 7.1 STOE - STOE SSF
(ASS_TSS)
- STOE SSA
8.
8.1

- , ,

(ASS_DMI)
- SPP, PP, ST,
-
9.

9.1
- , ,
(ASS_DMC)
SPP, PP, ST,

-
10.
10.1

-

(ASS_DMP)
- OSP
-
11.
-
11.1



(ASS_DMO)
-
/OSP / .
12.1 - SSF SSA .
-

-
12.

- SSF SSA
(ASS_DMR) 12.2
-

- ,


- SSF
13.
13.1

- SSA
(ASS_DMS)


[ 4-8]


- STOE
- STOE

1.1
-

-

- STOE

1.
(AO
D_OCD)

- STOE
1.2


-

- STOE

-
- STOE
2.1

-

- STOE

2.

(AOD_ADM)

-

- STOE

-
- STOE
-
2.2

- STOE

-

-


- STOE

-
3.1 - STOE

3.

(AOD_USR)

- STOE
.

-
3.2 .

- STOE

4.
4.1
(AOD_GVR)

-
.
- ,,

.

[ 4-9]

- ,
1.
1.1

-



(ASD_SAD)
- -
2.
2.1 -



()

(ASD_IFS)
-
- , ,
3.
3.1


-
(ASD_SSD)
-


- , ,

4. 4.1
-
(ASD_CMP)

-
-

-

5.
5.1
(ASD_IMP)
-
HW, , SW
- ,
6. 6.1 - (, )


(ASD_CON)

- SSF SFRs

7.
- ,
7.1
(ASD_GVR)

[ 4-10]

- CM STOE , ,
1.1

- CM
1.

- CM STOE , ,
(AOC_OBM) 1.2

- CM


- CM

2.1
-

ST
2.
- CM

- CM
(AOC_ECP)
2.2
-

ST
- CM
- CM PP
3.1
3.
PP

-

(AOC_PPC)
ST

- CM .
4.1 - CM

4.
- CM

4.2 - CM
(AOC_NCP)

- CM

.
[ 4-11]


- SST

-

1.

1.1
(AOT_FUN)

-

-

-


- ()
2.1 SSF

- SSF

2.

- ()
(AOT_COV)
SSF
2.2
- ()
SSF

3.1 :
-

SSF

3. 3.2 : - ,
SSF


(AOT_DPT) 3.3 : - ,

SSF
3.4 : - ,

SSF
4.1 - TOE

- STOE
4. 4.2 -- / SSF
(AOT_IND)

- STOE
4.3 - / SSF


- ,

-

5.

5.1
(AOT_REG)

-

.

- /
SSF

-


[ 4-12]


- STOE ( / )

1.1 - , ,
-
1.

(AOV_MSU)

-
- STOE

1.2

-
-
2.1 /
- STOE

2.2 - STOE


2.
- STOE
(AOV_VLA) 2.3

2.4

-
- STOE

- STOE
(address)


[ 4-13]

- , ,
1.1
- STOE

(follow)
1.
- STOE , ,

(AOL_DVS) 1.2 , , ,

- STOE
(follow)

[ 4-14]

1.1 -
- , , ,
1.
(ASI_AWA)

1.2 -

- , , ,

2.1
2.

(ASI_CMM)
2.2

-
- , ,
-
- , ,

3.1 - STOE

3.
3.2
- STOE
(ASI_SIC)


[ 4-15]

1.1 -
1.
- , ,

(ASO_RCD) 1.2 -

- , ,
-
2.1
- , ,
2.

(ASO_VER)
2.2 -

- , ,

3.1 -
3. - , ,

(ASO_MON) 3.2 -

- , ,

3. (53-A)

NIST SP 800-53A . [
4-15] SP 800-53A . SP
800-53A I . , [ 4-16] SP
800-53A . 19791

. , 19791 800-53A
.
[ 4-16] NIST SP 800-53A

FOD:

(adm.)

ISO/IEC TR 19791

FOD_POL:

1.


SP 800-53A
Enhanced-CC
AC-1,AT-1,CA-1

2.

PPD_DSP,
PPD_RAR
-

FOD_PSN:

1.

AC-5,PS-2,

PPS_DIS,
PPS_PSP

FOD_RSM:

1.

RA-1

PSI_DSO,
PSI_PSP


2.

PS-7

FOD_INC:

1.

IR-1,IR-2,IR-3,IR-4,IR-5,IR-6,IR-7

FOD_ORG:

1.

AU-1

FOD_SER:

FOS:

2.
1.

1.

FOS_POL:

FOS_CNF:

FOS_NET:

2.
3.
4.
5.
1.

FOS_PSN:

FOS_OAS:

FOA:

FOS_RCD:

FOA_PRO:

FOA_INF:

PEM_SEL,
PEM_DET,
PEM_RTE,
PEM_REC,
PEM_REA
PPD_RAR,
PSI_DSO

SA-1,SA-2,SA-3,
SA-4,SA-5,SA-6,
SA-7,SA-8
SI-3
SC-18
IA-7,SC-12,SC-13
SA-10,SA-11

PPD_ASC
FMT_MSA
PCM_DEV,
PCM_INT

2.

CM-1,CM-2,CM-3,CM-4,CM-5,CM-6,CM-7
CP-8,SC-10,SC-20,SC-21
CA-3,SC-5,SC-7,
SC-8,SC-9,SC-11
AU-2,AU-1,AU-2,
AU-3,AU-4,AU-5,
AU-6,AU-7,AU-8,
AU-9,AU-11
SI-5
SI-4
AC-2,AC-3,AC-6,
AC-8
IA-1,IA-2,IA-4,IA-5,IA-6
AC-11,AC-12,SA-6,SA-7
CP-5

1.

AU-3, PE-8

PBC_CON

1.

PL-5

PAD_OWN

1.

AU-9,MP-1,MP-2,
MP-3,MP-4,MP-5,
MP-6

2.
1.
2.

1.
FOS_MON:

2.
3.
4.
1.
(authorization)
2.
1.


PPS_PSM,
PSP_PSP
PAD_TYP,
PAD_ASA,
-

FOB:

FOP:

FOT:

FOM:

(mgmt.)

FOB_POL:

FOB_BCN:

1.

FOP_MOB:

FOP_RMM:

FOP_RMT:

FOP_SYS:

FOP_MNG:

1.

1.

1.

AC-6

PAD_ASA,
PAD_CTS

1.

1.
(equipment)
1.

CP-2,CP-10,IR-4

AC-19

MP-6

MA-4

MA-1,MA-2,MA-3

PE-1,PE-2,PE-3

2.
3.
1.
2.

1.
2.
(segregation)
1.
(categorization)
2.

PE-6,PE-9,PE-11
SC-7
SA-9

SA-7

IA-7

AC-6

AC-16

AU-11,SI-12

PAD_TYP,
PAD_OWN,
PAD_CCA

FOM_PSN:

1.
2.

PS-4,PS-5

PAD_OWN

PPS_PSM,
PPS_PSP

FOM_ORG:

FOM_INC:

1.

AT-1,AT-2,AT-3,
AT-4

PSI_DSO,
PSI_DFR

AU-7,IR-6

FMT_MOF

FOT_MNG:

FOM_PRM:

FOM_CLS:

1.

[ 4-17] NIST SP 800-53A

(Access Control) :
AC-1  (Access Control Policy and Procedures)
AC-2  (Account Management)
AC-3  (Access Enforcement)
AC-4  (Information Flow Enforcement)
AC-5  (Separation of Duties)
AC-6  (Least Privilege)
AC-7  (Unsuccessful Login Attempts)
AC-8  (System Use Notification)
AC-9  (Previous Logon Notification)
AC-10 (Concurrent Session Control)
AC-11 (Session Lock)
AC-12 (Session Termination)
AC-13 (Supervision and Review - Access Control)
AC-14 (Permitted Actions w/o Identification or Authentication)
AC-15 (Automated Marking)
AC-16 (Automated Labeling)
AC-17 (Remote Access)
AC-18 (Wireless Access Restrictions)
AC-19 (Access Control for Portable and Mobile Systems)
AC-20 (Personally Owned Information Systems)

(Awareness and Training) :
AT-1  (Security Awareness and Training Policy and Procedures)
AT-2  (Security Awareness)
AT-3  (Security Training)
AT-4  (Security Training Records)

(Audit and Accountability) :
AU-1  (Audit and Accountability Policy and Procedures)
AU-2  (Auditable Events)
AU-3  (Content of Audit Records)
AU-4  (Audit Storage Capacity)
AU-5  (Audit Processing)
AU-6  (Audit Monitoring, Analysis, and Reporting)
AU-7  (Audit Reduction and Report Generation)
AU-8  (Time Stamps)
AU-9  (Protection of Audit Information)
AU-10 (Non-repudiation)
AU-11 (Audit Retention)

, (Certification, Accreditation, and Security Assessments) :
CA-1  (Certification, Accreditation, and Security Assessment Policies and Procedures)
CA-2  (Security Assessments)
CA-3  (Information System Connections)
CA-4  (Security Certification)
CA-5  (Plan of Action and Milestones)
CA-6  (Security Accreditation)
CA-7  (Continuous Monitoring)

(Configuration Management) :
CM-1  (Configuration Management Policy and Procedures)
CM-2  (Baseline Configuration)
CM-3  (Configuration Change Control)
CM-4  (Monitoring Configuration Changes)
CM-5  (Access Restrictions for Change)
CM-6  (Configuration Settings)
CM-7  (Least Functionality)

(Contingency Planning) :
CP-1  (Contingency Planning Policy and Procedures)
CP-2  (Contingency Plan)
CP-3  (Contingency Training)
CP-4  (Contingency Plan Testing)
CP-5  (Contingency Plan Update)
CP-6  (Alternate Storage Sites)
CP-7  (Alternate Processing Sites)
CP-8  (Telecommunications Services)
CP-9  (Information System Backup)
CP-10 (Information System Recovery and Reconstitution)

(Identification and Authentication) :
IA-1  (Identification and Authentication Policy and Procedures)
IA-2  (User Identification and Authentication)
IA-3  (Device Identification and Authentication)
IA-4  (Identifier Management)
IA-5  (Authenticator Management)
IA-6  (Authenticator Feedback)
IA-7  (Cryptographic Module Authentication)

(Incident Response) :
IR-1  (Incident Response Policy and Procedures)
IR-2  (Incident Response Training)
IR-3  (Incident Response Testing)
IR-4  (Incident Handling)
IR-5  (Incident Monitoring)
IR-6  (Incident Reporting)
IR-7  (Incident Response Assistance)

(Maintenance) :
MA-1  (System Maintenance Policy and Procedures)
MA-2  (Periodic Maintenance)
MA-3  (Maintenance Tools)
MA-4  (Remote Maintenance)
MA-5  (Maintenance Personnel)
MA-6  (Timely Maintenance)

(Media Protection) :
MP-1  (Media Protection Policy and Procedures)
MP-2  (Media Access)
MP-3  (Media Labeling)
MP-4  (Media Storage)
MP-5  (Media Transport)
MP-6  (Media Sanitization)
MP-7  (Media Destruction and Disposal)

(Physical and Environmental Protection) :
PE-1  (Physical and Environmental Protection Policy and Procedures)
PE-2  (Physical Access Authorizations)
PE-3  (Physical Access Control)
PE-4  (Access Control for Transmission Medium)
PE-5  (Access Control for Display Medium)
PE-6  (Monitoring Physical Access)
PE-7  (Visitor Control)
PE-8  (Access Logs)
PE-9  (Power Equipment and Power Cabling)
PE-10 (Emergency Shutoff)
PE-11 (Emergency Power)
PE-12 (Emergency Lighting)
PE-13 (Fire Protection)
PE-14 (Temperature and Humidity Controls)
PE-15 (Water Damage Protection)
PE-16 (Delivery and Removal)
PE-17 (Alternate Work Site)
PE-18
PE-19

(Planning) :
PL-1  (Security Planning Policy and Procedures)
PL-2  (System Security Plan)
PL-3  (System Security Plan Update)
PL-4  (Rules of Behavior)
PL-5  (Privacy Impact Assessment)
PL-6

(Personnel Security) :
PS-1  (Personnel Security Policy and Procedures)
PS-2  (Position Categorization)
PS-3  (Personnel Screening)
PS-4  (Personnel Termination)
PS-5  (Personnel Transfer)
PS-6  (Access Agreements)
PS-7  (Third-Party Personnel Security)
PS-8  (Personnel Sanctions)

(Risk Assessment) :
RA-1  (Risk Assessment Policy and Procedures)
RA-2  (Security Categorization)
RA-3  (Risk Assessment)
RA-4  (Risk Assessment Update)
RA-5  (Vulnerability Scanning)

(System and Services Acquisition) :
SA-1  (System and Services Acquisition Policy and Procedures)
SA-2  (Allocation of Resources)
SA-3  (Life Cycle Support)
SA-4  (Acquisitions)
SA-5  (Information System Documentation)
SA-6  SW (Software Usage Restrictions)
SA-7  SW (User Installed Software)
SA-8  (Security Design Principles)
SA-9  (Outsourced Information System Services)
SA-10 (Developer Configuration Management)
SA-11 (Developer Security Testing)

(System and Communications Protection) :
SC-1  (System and Communications Protection Policy and Procedures)
SC-2  (Application Partitioning)
SC-3  (Security Function Isolation)
SC-4  (Information Remnants)
SC-5  (Denial of Service Protection)
SC-6  (Resource Priority)
SC-7  (Boundary Protection)
SC-8  (Transmission Integrity)
SC-9  (Transmission Confidentiality)
SC-10 (Network Disconnect)
SC-11 (Trusted Path)
SC-12 (Cryptographic Key Establishment and Management)
SC-13 (Use of Validated Cryptography)
SC-14 (Public Access Protections)
SC-15 (Collaborative Computing)
SC-16 (Transmission of Security Parameters)
SC-17 (Public Key Infrastructure Certificates)
SC-18 (Mobile Code)
SC-19 VoIP (Voice Over Internet Protocol)
SC-20 (AUTHORITATIVE )
SC-21 (RESOLUTION)

(System and Information Integrity) :
SI-1  (System and Information Integrity Policy and Procedures)
SI-2  (Flaw Remediation)
SI-3  (Malicious Code Protection)
SI-4  (Intrusion Detection Tools and Techniques)
SI-5  (Security Alerts and Advisories)
SI-6  (Security Functionality Verification)
SI-7  SW (Software and Information Integrity)
SI-8  (Spam and Spyware Protection)
SI-9  (Information Input Restrictions)
SI-10 (Information Input Accuracy, Completeness, and Validity)
SI-11 (Error Handling)
SI-12 (Information Output Handling and Retention)

4.


CC .
. , 19791
CEM .
[ 4-18] CEM .

, CEM
.
[ 4-18]
ISO/IEC TR 19791

(19791-TR)

CEM

1. SPP
APE_INT.1
ASP_INT: SPP 2. SPP
APE_INT.1

ASP_CCL:
1.

ASP_SPD:
1.

ASP_OBJ: 1.
APE_OBJ.1

RA-2

RA-1

1. (stated)
APE_REQ.1

SA-1,SA-2,SA-3,SA-4,SA-5,SA-6,SA-7,SA-8

2. (derived)

SA-1,SA-2,SA-3,SA-4,SA-5,SA-6,SA-7,SA-8

ASP_DMI: 1.

(overview)

1.

1.

ASP_REQ:

ASP_DMC:

ASP_DMP:

ASP_DMO:

ASS:
SST

53A

ASP_ECD: 1.

ASP:
SPP


Enhanced
CC

1.

ASP_DMR: 1.
2.
1. SST
ASE_INT.1
ASS_INT: SST 2. SST
ASE_INT.1

ASS_CCL:
1.

ASS_SPD:

1.


ASE_ENV.1

AST_PPP
AST_PPP
ASC_PPO

AST_SCI

RA-2


ASS_OBJ: 1.
ASE_OBJ.1
ASS_ECD:
1.
ASE_SRE.1

ASS_REQ:

SA-1,SA-2,SA-3,SA-4,SA-5,SA-6,SA-7,SA-8
SA-1,SA-2,SA-3,SA-4,SA-5,SA-6,SA-7,SA-8

1.
ASE_REQ.1

2.
ASE_REQ.1

1. STOE () ASE_TSS.1

1.

ASS_TSS: STOE
()
ASS_DMI:

ASS_DMC:

RA-1

1.

ASS_DMP: 1.
2.

ASS_DMO:
1.

ASS_DMR: 1.

2.
ASS_DMS: 1.

1.
AOD_OCD:

2.

1.
AOD_ADM:
SSF

AOD:
2.
SSF



1.
AOD_USR:
SSF

SSF
2.

AOD_GVR:
1.

ASD_SAD:
1.

ASD_IFS: 1.
()

ASD_SSD: 1.
ASD:


ASD_CMP: 1.

ASD_IMP: 1.

ASD_CON:


AST_PPP
AST_PPP

ACM_CAP.1 ASC_PPO

CM-1

ACM_CAP.2

CM-2

AGD_ADM.1 AGD_ADM

SA-1,SA-5

AGD_ADM.1

SA-1, SA-5

AGD_USR.1
AGD_USR
AGD_USR.1
AGD_USR
-

SA-1,SA-5
SA-1,SA-5
SA-1,SA-5

ADV_HLD.1 ASD_SAD

SA-8

ADV_FSP.1

SA-5

ASD_IFS

ADV_HLD.2 ASD_SSD
ADV_IMP.1
-

ASD_CMP

CM-2

ASD_IMP

CM-2

ASD_COM

RA-2


ASD_GVR:
1.

AOC_OBM: 1.

2.

1.
AOC_ECP:
2.

AOC:


1. PP

AOC_PPC: PP 2. PP

1.

AOC_NCP
2.


AOT_FUN:
1. SSF

AOT_COV: 1. SSF
2. SSF


1.

2.

AOT_DPT:
AOT:
3.

AOT_IND:

ACM_CAP.1 AST_PPP

CM-1

ACM_CAP.2 AST_PPP

CM-2

ADO_IGS

ADO_IGS

ASE_PPC.1

ASE_PPC.1

ATE_FUN.1

ATE_FUN

ATE_FUN.1

ATE_COV

ATE_FUN.1

ATE_COV

AOT_DPT.1

ATE_DPT

AOT_DPT.1

ATE_DPT

AOT_DPT.1

ATE_DPT

ATE_DPT

1.
AOL:

AOL_DVS:


2.

ASI_AWA: 1.

2.


RA-3

SA-5

ATE_IND

SI-6

ATE_IND

SI-6

ATE_IND

SI-6

PE-18

AVA_MSU.1 AVA_MSU

SA-5

AVA_MSU.2 AVA_MSU

RA-5

1. /
AVA_VLA.1 AVA_VLA

AVA_VLA.2 AVA_VLA
2.
AOV_VLA:

3.
AVA_VLA
4.

ASI:

CM-3

4.
AOT_DPT.1

1. -
ATE_IND.1
2. -
ATE_IND.2

3. -
AOT_REG: 1.

1.

AOV_MSU:

2.

AOV:

ADV_LLD.1 ASD_RCR

AVA_VLA

ALC_DVS.1

ALC_OPS

ALC_DVS.1

ALC_OPS

RA-5
RA-5
RA-5
RA-5
MA-1,MA-2,MA-3,PL-1,PL-2,PL-3
-

AT-1,AT-2,AT-3

AT-4

ASI_CMM:

ASO:

1. SSF

PS-1,PS-3

2. SSF

PS-6,
IA-1,IA-2,IA-5,IA-6

1. STOE
ASI_SIC:

2.

ASO_RCD: 1.

2.
1.
ASO_VER:
2.

1. SSF
ASO_MON:

2.


ADO_DEL

SA-6,SA-7

ADO_DEL

SA-7

AST_SOT

AU-3, PE-8
AU-6,AU-7
SC-13,SI-6

AST_SOT

SC-13,SI-6

AU-2,AU-3,AU-5
AU-6,AU-7,AU-9,AU-11

1 PP/ST
1.

, (SW) SW
(, , )
(, ) ,
(requirement analysis) .

(requirement specification)" .

SW
.
, (: , VPN, IDS)
(PP),
(ST) . CC ITSEC
. PP ST .
o (, , )

o .
o , .
o .
o ()

.
, 10)( )
10) , (operational system) (application system) .


(: , , , )
PP/ST
. ,
PP (SPP),
ST (SST) .
SPP/SST PP/ST .
o SPP/SST 1
(PP ).
o .
o , .
o SPP/SST .
o .
o (, , ) PP/ST

.
PP/ST ,
SPP/SST .
. , PP/SS SSP/SST
SSP/SST
.

2. SPP SST

. FAA SPP
(1)
2000 1 National Information Assurance Acquisition Policy, NSTISSP
#11 , 2002 7 (FAA)

CC .
, FAA 18 PP , ,
, CC - (C&A) (,
) .

FAA PP FAA ()

CC PP , System Protection Profile


(SPP) System Protection Profile Template (SPPT) . SPP

.
o , ,
o (what)
o
o
SPP PP , SPP


, SPPT (NAS) FAA
, CC ,
, .

(2)
FAA PP 18 .
o : (a) Mission Critical (NAS), (b) Mission Support/Administrative
o : (a) Wide Area Network (WAN), (b) Local Area
Network (LAN)/Facility Communications, (c) Applications System
o : (a) High Risk/Critical System, (b) Moderate Risk/Essential System,
(c) Low Risk/Routine System. ,
NAS-SR-1000 3.8.5 FIPS PUB 199 .
FAA PP .
o : NAS-SR-1000 3.8.5 10

( ) PP


. , 10 ,
, , , , , , ,
.
o FAA : CC FAA

83%(=20/24) , CC
NIST SP 800-37 C&A 65.5%(=19/29) .
o (SOW) (DID) :

SOW (Statement of Work) DID (Data Item Descriptions)


Contract Data Requirements Lists (CDRL) . SOW CC

, DID
, , , ,
, , .

. SPP
(1) Digital Bond Control Center Protection Profile (CCPP 0.5)
2004

NIST

PCSRF

(Process

Control

Security

Requirements Forum) , PP . (
5-1) CCPP . ,

, . ,
CCPP PP Field Device
Protection Profile FDPP) .


( 5-1) CCPP

(2) NIST SPP (SPP for ICS 1.0)


2004 4 NIST Process Control Security Requirements
Forum (PCSRF) CC ,

. ISO
, SPP SST , SPP
.
o


o ,


o , , ,


( 5-2) NIST SPP

-
MMI)

,
,

(actuator)


(disturbance)

( 5-2) NIST PP

. SRS
(1) SRS

2003 2005 PP
SRS (security requirement specification)
11).
SRS PP


(RFP) (, )
. SRS (SRS-Process)
(SRS-Tool) .
11) , , 9
(SIS)-2004, pp. 477-498, 2004 7.
y , , NSRI , 2003 11.
y , , NSRI , 2004
11.
y Sang-soo Choi, Soo-young Chae, and Gang-soo Lee, SRS-Tool: A Security Functional
Requirement Specification Development Tool for Application Information System of
Organization, Lecture Notes in Computer Science(LNCS), Vol. 3081, Part 2, pp.458-467,
May. 2005 (ISSN 0302-9743).


SRS FISMA FAA SPP

-,
, .
SRS .
o (: ) SRS ,

.
o SRS-Process SRS-Tool SRS

SRS .
o

.
o 15 CC PP

.
o SRS

.
o SRS

(2) SRS (SRS-Process)


SRS PP . , PP

, SRS . (
5-3) SRS . , , ,


,
,

SRS (stepwise refinement)

(H/M/L)

(H/M/L)

(H/M/L)

SRS

(H/M/L)

CC

( 5-3) SRS

SRS .
o SRS : ()

, (, , , , , )
,
SRS
o : SRS


SRS .
o ( )
o ()
o
o (HW, SW, , SW) (

)
o
o (IT, )
o
o ( )

(3) SRS (SRS-Tool)


SRS-Tool SRS-Process SRS

. ,
, , ,
, CC PP
. SRS-Tool .
SRS-Tool 2006 3.0 .

.
(TC260) WG5
Information technology - Security techniques - Evaluation criteria for
information systems security assurance (ISIA .) 2005 3

ISIA

CC

(,

),

ISO/IEC 17799 (, ) SSE-CMM

(, )
.
ISIA ISPP ISST . PP/ST

, () .
, ISST ISPP 2 .

. 19791 SPP/SST
(1) 19791 SPP
() SPP
2005 6 ISO/IEC DTR 19791( 19791-3 ),

(operational) ( O-TOE .) SPP CC


PP ,

. SPP O-TOE
. [ 5-1] PP SPP .


[ 5-1] PP SPP
PP

PP (PPP)

19791-3 SPP

IT

(,
OSP,
)


- ,

- IT (, ) ,

TOE

IT


/ ,

() SPP
SPP SPP

- .
. SPP .
o (O-TOE)
o , O-TOE

1) SPP : SPP O-TOE .

.
o SPP () SPP O-TOE

.
o SPP SPP .
o STOE SPP ,


, ,
, , .
1 ,
. ,
,
.
.

2) : SPP SPP PP

. SPP SPP PP
.

3)
o (OSP): , , ,

(, (ISA) (MOU)
o : SPP

, O-TOE
.

4) : (,

) (,
) .

5) :

.
.


o ,


o SPP

o SPP

o , SPP

,
o SPP ,


o , ,

,
o , ,

,

o O-TOE

6) SPP : SPP .

7) : SPP

.
o
o
o
o


o
o

(2) ST (SST)
SST SPP . [ 5-2] [ 5-3] CC ST 19791 SST

O-TOE .

[ 5-2] ST
CC ST

O-TOE

19791 SST

- STOE IT

TOE

-
-

STOE IT

IT

- STOE STOE IT

-

TOE

STOE

PP

SPP, PP / ST

IT/

OSP

IT

TOE


- IT

-

SPP, PP / ST

[ 5-3] ST SST

ST

19791 ST (SST)

CC ST

IT: - .

- (, , )

- IT ( ) ,

TOE

IT

, ,

IT


(; )

-
-

3.

SPP/SST CC PP/ST
, (, ,
) .
[ 5-4] SPP/SST .


[ 5-4] SPP/SST

y
FAA SPP
y
Digital Bond CCPP 0.5 y
NIST SPP for ICS 1.0

y
y

SRS

y
y

ISPP/ISST

y
y

19791 SPP/SST

18 PP






(: PP, PP )
SRS
, ()

( )
SPP/SST

SPP/SST CC PP/ST
. [ 5-5] [ 5-6] SPP SST
.

[ 5-5] SPP
CC v2.2
1. ST

CC v2.4 & 3.0

a. ST
b. ST
c. CC
2. TOE
3. TOE
a.
b.
c.
4.
a. TOE
b.
5. IT
a. TOE
b. IT
6. TOE
a. TOE
b.
7. PP Claim
a. PP
b. PP
c. PP
8.
a.
b.
c. TOE
d. PP Claim

1. ST

a. ST
b. TOE
c. TOE
d. TOE
2.
a. CC Claim
b. PP Claim
c. Claim
3.
a.
b.
c.
4.
a. TOE
b.
c.
d.
5.
a.
6.
a.
b.
c.
7. TOE
a. TOE


CC v2.2

CC v2.4 & 3.0, 3.1


1. PP

1. PP

a. PP
b. PP
2. TOE
3. TOE
a.
b.
c.
4.
a. TOE
b.
5. IT
a. TOE
b. IT
6. PP
7.
a.
b.

19791-1 SPP
1. SPP
a. SPP
b. SPP
2.
3.
a.
b. (OSP)
c.
4.
a.
b.
5.
6.
a.
b.

a. PP
b. TOE
2.
a. CC
b. PP Claim
c. Claim
3.
a.
b.
c.
4.
a. TOE
b.
c.
d.
5.
a.
6.
a.
b.
c.

19791-2,3 SPP
1. SPP
a. SPP
b. SPP
2. (conformance claims)
3.
a.
b.
4. (security objectives).
5. (security requirements)
6. SPP (SPP rationale)
7.
, , ,
,


ISPP
1. PP
PP
PP
2. TOE


PP/ST



-
- ,
-

-
-
-

-
-
-
3. TOE


4.
TOE

5.




6. PP
7.

NIST SPP
NIST System PP (SPP for
ICS 1.0), 2004 4, 1.0
1. disturbance
1.1 SPP
1.2 SPP
2. STOE
2.1 STOE
2.2 STOE
2.3
2.4
3. STOE
3.1
3.2
3.3
4.
4.1 STOE
4.2
5.
5.1 STOE
5.2
6.
6.1 STOE
6.2 STOE
6.3
6.4 -
7. SPP
7.1 SPP
7.2 SPP :
7.3 SPP : SPP
7.4 SPP : SST
8.
8.1
8.2
8.3
8.4
8.5


[ 5-6] SST
CC v2.2

CC v2.4 & 3.0

1. ST

a. ST
b. ST
c. CC
2. TOE
3. TOE
a.
b.
c.
4.
a. TOE
b.
5. IT
a. TOE
b. IT
6. TOE
a. TOE
b.
7. PP Claim
a. PP
b. PP
c. PP
8.
a.
b.
c. TOE
- d. PP Claim

19791-1 SST
1. SST
a. SST
b. SST
2.
3.
a.
b. (OSP)
c.
4.
a.
b.
5.
6.
7. SSP
8.
a.
b.
c.
d. SPP

1. ST

a. ST
b. TOE
c. TOE
d. TOE
2.
a. CC Claim
b. PP Claim
c. Claim
3.
a.
b.
c.
4.
a. TOE
b.
c.
d.
5.
a.
6.
a.
b.
c.
7. TOE
a. TOE

19791-2,3 SST

1. SST
a. SST
b. SST
2. (conformance claims)
3.
a.
b.
4.
5.
6. STOE
7. SST (SST rationale)
8. : ,
, , , ,
,


1. PP
PP
PP
2. TOE


PP/ST



-
- ,
-

-
-
-

-
-
-

SST
3. TOE


4.
TOE

5.




6. TOE




7. PP


8.
9.


TOE

4. SPP/SST

.
SPP/SST . (

5-4) SPP
SPP ,
. (; . SPP
SST(
) . SST
.
, SST
. SST
/, , .


, ,

()

,
,
CC ,
CC

SPP

SPP
PP
PP

SST
(SPP)

SPP

( 5-4) SPP/SST

(1)
ISO/IEC TR 19791 (operational) Enhanced
CC(2004 12), WE 19791(2003 7), PDTR 19791(2004.12)

CC 19791 ,
19791 . ,

( K
).
(2) SPP/SST
19791 19791 SPP/SST

. 19791 SPP/SST .
(3) SPP/SST

SPP/SST SRS SRS-Method


SRS-Tool , 12).

. SPP/SST (SRS-Tool)
12) (), PP , :

, , 2005 11.
(), , : , ,
2004 11.


SRS-Tool SRS 19791 SPP/SST

. SRS-Tool SRS-Process SRS


. ,
, , ,
, CC PP
. SRS-Tool .
[ 5-7] SRS-Tool . 2003

1.0 2004 2.0 .


[ 5-8] SRS-Tool .

[ 5-7] SRS-Tool


Intel Pentium 2.54GHz PC
768MB DDR RAM
120GB HDD
Windows (98/ME/2000/XP)
Power Script
Power Builder 9.0

MySQL ODBC Driver Version

3.51.07

5-5)

SRS-Tool

DB
Intel Pentium 2.54GHz PC
768MB RAM
120GB HDD
Windows (98/ME/2000/XP)
Power Script
Power Builder 9.0
MySQL 4.0.18 for Windows
2000/XP
MySQL ODBC Driver Version
3.51.07

()

SRS-Tool .
o :


o :

, SRS

o SRS CC , CC


[ 5-8] SRS-Tool

//





/


PKB
PKB





PKB
PKB


PKB

/ (SOF) (EAL)





SRS
SRS



SRS-Tool

(b)

(c)

( 5-5) SRS-Tool

5.


. , CC



. SPP/SST .
SPP/SST ,
19791 , ,
19791 SPP/SST . , SPP/SST

SRS-Tool .

(TOE) .
o (Product TOE; P-TOE): CC .

o (Composed-TOE; C-TOE): CC 3.0 .

P-TOE
o (Operational TOE; O-TOE): 19791
P-TOE C-TOE ( ) ,
O-TOE , , , . ,

. C-TOE
() , O-TOE
. , O-TOE
. ,
TOE .


( ST)


(---

(COTS)
(COTS)
(COTS)

( 5-6) , TOE

1.
ICCC-2005 Kurth & Karger

.
o
o
o
o
o

, .
o : ,

.
o : ,

, ,
, .
o : , ,


,
, .

. CC 3.1 CAP ACP


CC 3.1 C-TOE
C-TOE 3 CAP(Component Assurance Package)

.
(, ) . ,
. ACO E
.
(1) CAP

CC EAL1 ~ EAL7 ,
TOE(C-TOE) 3 . CAP-A, CAP-B, CAP-C

EAL-2, EAL-3, EAL-4 .13)


o CAP-A ( ) : TOE

.
, (:
). ,

.
o CAP-B ( ) : TOE

,
. ,
.
, TOE , ,
.
13) Albert B. Jeng and Yu-Min Yu, Analysis of the composition problems in CC v3.1 rev.1
with some suggested solutions, ICCC 2006, , 2006.9.


o CAP-C ( , ) : TOE

.
.
TOE,
,

.

[ 5-9] CC 3.1 (CAP)


Class

CAP-A

CAP-B
ACO_COR.1

ACO_CTT.1

ACO:

AGD:

ALC:

CAP-C

ACO_CTT.2

ACO_DEV.1

ACO_DEV.2

ACO_DEV.3

ACO_REL.1
ACO_REL.2
ACO_VUL.3 -
ACO_VUL.2
ACO_VUL.1

AGD_OPE.1
AGD_PRE.1
ALC_CMC.1 TOE
ALC_CMS.2 TOE CM
ASE_CCL.1
ASE_ECD.1
ASE_INT.1 ST

ASE:
ST

ASE_OBJ.1

ASE_REQ.1

ASE_OBJ.2
ASE_REQ.2
ASE_TSS.1 TOE
ASE_SPD.1
()

(2) ACO
[ 5-10] CC 3.1 CAP


[ 5-10] CC 3.1 CAP

-
ACO_COR.1

.
- -
ACO_DEV.1 . -

.
- -
.
ACO_DEV.1 -
. ,
ACO_DEV
- TSF -

.
- -
.
ACO_DEV.3 -
. -

-
TSF
.
ACO_REL.1 - -
. C-TOE


ACO_REL

ACO_REL.2 . TOE
TSFI ,
C-TOE -
.
ACO_CTT.1 - -
ACO_CTT
.
TOE ACO_CTT.2
- -

ACO_COR

ACO:

ACO_VUL.1

ACO_VUL.2
ACO_VUL

ACO_VUL.3
-


AGD:

TOE
(, , TOE , TOE
)
. TSF
AGD_OPE AGD_OPE.1 .
TSF , -

, - .


.
AGD_PRE

TOE
AGD_PRE.1 .
TOE
(transition) .

ALC_CMC ALC_CMC.1 TOE


TOE TOE
TOE

ALC:

ALC_CMS.2

ALC_CMS TOE TOE

, TOE

ASE_CCL ASE_CCL.1 . , ST
PP .
ASE_ECD ASE_ECD.1 CC (ST
)

.
ASE_INT
ASE_INT.1 3 (TOE , TOE , TOE )
ST
ST
TOE
ASE_OBJ.1
ASE_OBJ
(ASE_SPD)
.

ASE_OBJ.2
ASE:

ST
ASE_REQ ASE_REQ.1
SFR , -

. , TOE
ASE_REQ.2 , .

ASE_TSS
ASE_TSS.1
TOE
TOE
TOE
.

ASE_SPD ASE_SPD.1 TOE (address)


(3)

ITSEC , - -
,


.
o -: , , OS, (peer)
o -: , , SW,

C-TOE ST: ST C-TOE (, - + -

) . C-TOE
, ST C-TOE
.

: ( 5-7)
. , a b
. .
b (, ST FIA SFR )
, a .
, .

E
E
TSF-a

ACO-REL
(-a)
ADV-FSP
(-b)

TSFI-b
C

TSF-b

- -a

-TSF-a

ACO-DEV
(-b)

D
-TSF-b

D
- -b

( , , , )
( 5-7)


(1) ITSEM (ITSEM V1.0, 1993.9)


1993 ITSEM

. CC 3.1 - -
ITSEM 3 .
D .

()
o P :
o 2 (I/F): ( I/F),

( I/F)
o :
o

() -

C1 C2 .
I/F C1 . C2 C1 I/F
. , . ( 5-8-(a))
.

(b) -

(a) -


(c)
( 5-8)

() -
C1(: DBMS) C2(: ) .
C1 C2 I/F (VMM) I/F

()
C1 C2 , C2 C1

()
C3 C1 C2 . C3 P3(, C3

) , C1 C2 . C3 ()
.
[ 1] C1 (, P1 True) (C1 C2

)
[ 2] C2 (, P2 True) (C1 C2

)
[ 3] C1 I/F = C2 I/F
[ 4] P3 = P1 P2
[ 5] P2 C2 True .
C2 P2 .


[ 6] P1 C1 True .
C1 P1 .
[ 7] C2 P1 .
[ 8] C1 , C2 .

(2) 19791

(, O-TOE) (, C-TOE), 19791


O-TOE C-TOE .
H .
o

.
o . ,

()
.
o .
o .

.
o .
o

.
19791, ,

,
, , ()
.
. O-TOE
C-TOE .


1
. , PP/ST . ,
.

(3) CC (ADV )
o ADV_FSP(TSFI ) TOE (boundary) (TSF)

(TSFI) .
o ADV_INT( ) TOE . TSF
SFR-(enforcement) TSF SFR-

, TSF -SFR- SFR-(support) SFR--


(non-interference) .
o ADV_TDS( ) TOE

. TOE 1 1
.

(4) PP/ST 14)


(composability) .
o TOE(C-TOE) PP/ST. C-TOE 2

C-TOE
PP/ST( PP ST )
.
o IT TOE( )

PP/ST. C-TOE
(: -IT , PP/ST
14) Guide for the protection profile and security targets, ISO/IEC PDTR 15446, Version 0.9,
January 4, 2000.


.)
:
o ST

, C-TOE ST . , C-TOE ST ,

.
o C-TOE PP

PP . C-TOE PP
. , C-TOE ST PP
.
.
C-TOE PP/ST C-TOE

. E .

(5) CCEVS

Scheme Policy Letter #2 (Reuse of Previous Evaluation Results and Evidence, 4 March 2002) .

ETR . ST
VR(Validation Report) .
. D .
o

(ST, VR) CRD(Composition Requirements Definition) .

( ) .
o TOE (HLD) (LLD)

.
o "" (


).
o
o TOE
o TOE


CRD .:
o
o


o .

,
. (
) .
.
o

. .
o CRD

2.

2.1 ITSEM CC 3.1


. -TSF
TSF -TSF . ,
TSF -TSF ( 5-8) CC 3.1 ACO


.
(C-TOE)

1 (

)
.
C-TOE = <COM, REL>
o REL: REL = {-, }
o COM = { I/F, ST } = { I/F, {AS, PO, TH, SO, SF, EAL} }
COM: (COM1, COM2)
I/F: COM
ST: COM ((AS), (PO), (TH),

(SO), (SF), (EAL) )


o -

- - .
-(BCOM) (DCOM) .
BCOM

DCOM

()

BCOM
o

- .
.

-
(DCOM)
TSF-a


(I/F)

TSF-a

-TSF-a

-
(BCOM)

-TSF-a

(a)


DCOM

(COM1)
TSF-a


(I/F)

TSF-a

-TSF-a

(COM2)

-TSF-a

(b) (peer)
( 5-9)

COM ST
. , , , ,
. COM .

.
o [ 1] .

C-TOE ,
, .
o [ 2] C-TOE

. , EALC-TOE = Min {EALCOM1, EALCOM2, ... }


o [ 3] C-TOE

.
CC.3.1 ( 5-9) 4

, - -
[ 5-11] 16 .
16 4


. I/F ( 5-8) ~ .
o I/F : I/F
o I/F : I/F (- ). I/F
( )
o I/F : I/F
o I/F : I/F

[ 5-11] (- )

#
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

TSF N-TSF TSF N-TSF TSF N-TSF TSF N-TSF


O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O


I/F
( 5-8)

I/F

O
X
O
X
O
X
O
X
O
X
O
X
O
X
O
X

[ 5-12] 4 (- )

TSF N-TSF TSF N-TSF


O

O
O

O
O

O
O

#
1
5
3
7
9
13
11
15

TSF N-TSF TSF N-TSF


O
O
O
O
O
O
O
O

I/F

- , .
o (-) : I/F I/F
o (-): - .
o (-): - . .
o (-): - .

.
o

, .

o (-) :
o (-): - .
o (-): - . .
o (-): - .

.
,
o [1] EAL1 -(OS) EAL4 -(

) C-TOE EAL1. ()
o [2] EAL4 -(OS) -(

) , - (EAL2) C-TOE
EAL2 . , . ( )
o [3] -(OS) EAL4 -(


) , - (EAL2 ) C-TOE
EAL2. .( )
o [4] -(OS) -(

) , .
( )

.
ITSEM CC 3.1 .
.
.

(1)
1964 Petri net

.
( ) (executable)
UML activity diagram
.
1992
( , ) ,
15). (
5-10) .

(2)
o (security block-diagram: SBD)

(RBD) (MODE) (EDGE) .


SBD = <NODE, EDGE>

NODE

()

15) Gang-soo Lee, Jin-seok Lee, Petri Net based model for Specification and Analysis of Cryptographic Protocols, Journal of Systems Software, Vol. 37, 1997, pp. 141-159.


EDGE NODE (, ) .
o SBD

(: ) .
o RBD Fault Tree

16) ,
.17)18)19)
o Fault Attack Tree

20).

16) http://BlockSim.ReliaSoft.com.
17) http://www.reliasoft.com/newsletter/3q2002/rbd.htm
18) http://www.isograph-software.com/rwboverrbd.htm
19) http://www.mtain.com/relia/relmod.htm
20) Bruce Schneier, Attack Trees: Modeling security threats, Dr. Dobb's Journal, December 1999.


Ci

Cij
(= CiCj)

Cj

Cij
(= CiCj)

Ci
Cj

Cij
(= CiCj)

Cij
(= CiCj)

Cij
(= Ci Cj)

Cij
(= CiCj)

Cij
(= CiCj)

( 5-10)

( 5-10)

.
.


COM1

COM1

COM1

COM1

COM2

COM1

COM1

COM2

(1)

(b)

(3)

( 5-11)

3
1.

(TOE) .
CC TOE
(, TOE)
.
o TOE (Product TOE: P-TOE): CC

TOE .
o TOE (Composed TOE: C-TOE): CC 3.1

TOE .
o TOE (Operational TOE: O-TOE): 19791
TOE .
P-TOE ,

, .

. 1980 B. Boehm
,
21)22) .
(: ) ( 5-13)
21) , 2005-22, 2006. 4. 27 .
22) 2003 , S/W, 2005.12.


( )
( ) (CBSE)

.
(outsourcing). ( 5-12) ( 5-13) TOE ,

TOE TOE .
O-TOE

( ST)


(---

(COTS)
(COTS)
(COTS)

( 5-12)



COM1

COM2

COM3



()

COM4

" TOE"
COM1

COM2

COM4

" TOE"

COM3

" TOE"

( 5-13) , TOE (
PP/ST )

2. TOE

KISA 2
(2003 2005 ).
. P-TOE
, C-TOE O-TOE
.

. 03 CC
( 5-14) P-TOE
23).

23) ,
(), KISA, 2003.11.


SW (COCOMO )

SW (Function point)
SW (ISO 9126,
14598)
(PERT/CPM )

CC, CEM

(CC Final interpretation)

KISA

EAL1 EAL2 EAL3 . ....

EAL7

1
2
3
....
n

1
m


CC

( 5-14) 03

(1)
o CC (EAL1 ~ EAL7) : EAL PP, ST

, , . ([ 4-13])

[ 5-13] CC 2.2

PP

ST
(*)

6
9
32
14

8
11
41
45

EAL1
( EAL2 EAL3
)
7
13
17
7
18
22
23
47
63
10
20
27


EAL4

EAL5

EAL6

EAL7

23
33
94
39

23
33
90
39

25
40
132
44

25
45
135
47

Work ST
unit


(EAL1)

32
8
40

41
11
52

23
3
26

47
7
54

63
12
75

94
23
117

108
35
143

132
40
172

135
50
185

40

78

106

127

169

195

225

237

0.51

1.35

1.63

2.17

2.5

2.88

3.04

(*) ST

o CC (EAL1 ~ EAL7) : KISA

(:
0.54 6.11)([ 5-14]
), , EAL PP, ST .
[ 5-15] .

[ 5-14]
( )

1.
2.
3.

()
4.
5.
6.
(confirm)
7.
-
8.

9.
10.
11.
12.
13.
14. ,

(determine) 15.
-
16.
17.
18.
(check)

0.3
0.5

1
1.5

0.54
0.78

2
(
)
0.54
0.78

1.00

1.00

1
1
1
1
1
1.3
1
1
1
1

4
2.5
3
3
5
3
3
5
2
5

1.50
1.47
1.38
1.44
1.54
1.74
1.67
1.60
1.29
1.52

1.41
1.46
1.34
1.40
1.41
1.68
1.63
1.47
1.33
1.38

1.9

2.34

2.15

1
4
7
1.5

7
10
15.26
6

2.75
6.03
9.85
2.65

2.61
5.92
9.71
2.53


14. ,

(determine) 15.
-
16.
17.
18.
19.
20.
21.
(test)
22.
23.

()

24.
25.
26.
27.


()

1.9

2.34

2.15

1
4
7
1.5
1.5
1.5
2
3.9

7
10
15.26
6
4
4
12.5
8

2.75
6.03
9.85
2.65
2.47
2.60
5.28
5.07

2.61
5.92
9.71
2.53
2.35
2.40
5.24
4.97

5.50

5.45

2
1
1
4

9
2
2
10

5.29
1.51
1.44
5.87

5.26
1.48
1.49
6.11

[ 5-15] ,
(ST )

PP

(ST70.25) 51.94

0.48
(EAL1 1)

0.51
( 2-1)

EAL1
(
)
106.9

EAL2

EAL3

EAL4

EAL5

148.5 172.65 230.31


8

255.99

EAL6

EAL7

287.75 298.81

1.39

1.62

2.15

2.39

2.69

2.80

1.35

1.63

2.17

2.5

2.88

3.04

o : 2003 8 33

PP 67 ST . ([ 5-16] )

[ 5-16] ,

DB
(
)

VPN

OS

1.00

0.92

1.88

1.50

1.71

1.68

1.65

1.24

0.93

1.25


DB EAL1 1 .

[ 5-17]

DB

VPN

OS

1.00
0.92
1.88
1.50
1.71
1.68
1.65
1.24
0.93
1.25
1.38

PP
0.48
0.48
0.44
0.90
0.72
0.82
0.81
0.79
0.60
0.45
0.60
0.66

EAL1
1.00
1.00
0.92
1.88
1.50
1.71
1.68
1.65
1.24
0.93
1.25
1.38

EAL2
1.39
1.39
1.28
2.61
2.09
2.38
2.34
2.29
1.72
1.29
1.74
1.91

EAL3
1.62
1.62
1.49
3.05
2.43
2.77
2.72
2.67
2.01
1.51
2.03
2.23

EAL4
2.15
2.15
1.98
4.04
3.23
3.68
3.61
3.55
2.67
2.00
2.69
2.96

EAL5
2.39
2.39
2.20
4.49
3.59
4.09
4.02
3.94
2.96
2.22
2.99
3.29

EAL6
2.69
2.69
2.47
5.06
4.04
4.60
4.52
4.44
3.34
2.50
3.36
3.70

EAL7
2.80
2.80
2.58
5.26
4.2
4.79
4.70
4.62
3.47
2.60
3.50
3.85

1.81
1.81
1.67
3.41
2.73
3.11
3.05
2.99
2.25
1.69
2.27

(2)

(, Man-Month), 3
, . ,
.

(3)
KISA

()

2 7 .
5~7
, 5
. KISA 2(VPN CC 3 ) 100%
, CC
100% 3 (, , 1)


.
.

()

, EAL1 5.6 , EAL2 EAL3


10 . EAL4 18 . EAL7
27( OS MULTOS ).
, EAL1 6, EAL3 10, EAL4 18
.
(: , , ,
) . ,
2 ,
2 . EAL7 OS( OS MULTOS)
2 5 (, )

()

EAL1 65$(8 100), EAL2 8


$(1), EAL3 15$(1 9000), EAL4 20$(2 5000),
EAL5 25$(3 1000). CC , KISA

2003 , K4
1 8 800 , CC VPN
EAL3+ 3 2600(
).
, . ,
(CC
) , . ,


()
o : EAL4

2 2160(177$). .
o : EAL4 10

(4)
[ 5-17] [ 5-18]

[ 5-18] ()

DB

VPN

OS

1.00
0.92
1.88
1.50
1.71
1.68
1.65
1.24
0.93
1.25

PP

EAL1

EAL2

EAL3

EAL4

EAL5

EAL6

EAL7

0.48

1.00

1.39

1.62

2.15

2.39

2.69

2.80

5,372
4,924
10,073
8,058
9,177
9,065
8,842
6,715
5,036
6,715
7,387

11,192
10,297
21,041
16,788
19,138
18,802
18,467
13,878
10,408
13,990
15,445

15,557
14,326
29,211
23,391
26,637
26,189
25,629
19,250
14,438
19,474
21,377

18,131
16,676
34,135
27,196
31,002
30,442
29,882
22,496
16,900
22,720
24,958

24,063
22,160
45,215
36,150
41,186
40,403
39,731
29,882
22,384
30,106
33,128

26,749
24,622
50,252
40,179
45,775
44,992
44,096
33,128
24,846
33,464
36,821

30,106
27,644
56,631
45,215
51,483
50587
49,692
37,381
27,980
37,605
41,410

31,337
28,875
58,869
47,006
53,609
52,602
51,707
38,836
29,099
39,172
43,089

() 1.: EAL4 2 2160


2.: KISA K4E 2 2160 K4 1 8994


[ 5-19] ()

DB

VPN

OS

1.00
0.92
1.88
1.50
1.71
1.68
1.65
1.24
0.93
1.25
1.38

PP

EAL1

EAL2

EAL3

EAL4

EAL5

EAL6

EAL7

0.48

1.00

1.39

1.62

2.15

2.39

2.69

2.80

2.4
2.2
4.5
3.6
4.1
4.1
4.0
3.0
2.3
3.0
3.3

5.1
4.6
9.5
7.6
8.6
8.5
8.3
6.3
4.7
6.3
7.0

7.0
8.2
10.9
12.1
13.6
14.1
6.5
7.5
10.0
11.1
12.5
13.0
13.2
15.4
20.4
22.7
25.6
26.2
10.6
12.3
16.3
18.1
20.4
21.2
12.0
14.0
18.6
20.7
23.2
24.2
11.8
13.7
18.2
20.3
22.8
23.7
11.6
13.5
17.9
19.9
22.4
23.3
8.7
10.2
13.5
14.9
16.9
17.5
6.5
7.6
10.1
11.2
12.6
13.1
8.8
10.3
13.6
15.1
17.0
17.7
9.6
11.3
14.9
16.6
18.7
19.4
() : EAL4 10)

. 05 CC
2005 ( 5-15) P-TOE

24)

25).

KISA

CC 2.3
EAL1 EAL2 EAL3 EAL4

z
z
z

( 5-15) 05

24) , , KISA,
2005.12.
25) 2005 , , , , 2005.8


(1)
KISA, , , (:

, )
.

(2)

[ 5-20]
.

[ 5-20] CC 2.3

ST
ASE
()
ADV_FSP
ADV_HLD
ADV_LLD
ADV
()
ADV_RCR
ADV_SPM
ADV_IMP
ATE_COV
ATE
ATE_DPT
()
ATE_FUN
AVA_MSU
AVA
AVA_SOF
()
AVA_VLA
ACM_AUT
ACM
ACM_CAP
()
ACM_SCP
ADO_DEL
ADO
( )
ADO_IGS
ALC_DVS
ALC
ALC_LCD
()
ALC_TAT
AGD_ADM
AGD
()
AGD_USR

EAL1

EAL2

EAL3

EAL4

65(12)

65(12)

65(12)

65(12)

8
10

8
12

12

12
5
7
10

9
12
12
4
8
4
4
4
12
10
7
16
7
18
1
4
2
4
2
3
8
6
222(12)
2.4

7
10
3

2
2

14
1
2
2

8
6
98(12)
1

8
6
141(12)
1.5

8
6
158(12)
1.7

(3)


(, EAL1 : EAL2 : EAL3 :


EAL4 = 1 : 1.5 : 1.7 : 2.4) [
5-21] . , EAL4 187.

[ 5-21] CC 2.3 ()

ST

ADV
()

ATE
()
AVA
( )
ACM
()
ADO
( )

ALC
()

AGD
()

ASE
ADV_FSP
ADV_HLD
ADV_LLD
ADV_RCR
ADV_SPM
ADV_IMP
ATE_COV
ATE_DPT
ATE_FUN
AVA_MSU
AVA_SOF
AVA_VLA
ACM_AUT
ACM_CAP
ACM_SCP
ADO_DEL
ADO_IGS
ALC_DVS
ALC_LCD
ALC_TAT
ALC_FLR.1
ALC_FLR.2
ALC_FLR.3
AGD_ADM
AGD_USR
ADO_IGS
ATE_IND

EAL1
20(10)
7

EAL2
20(10)
7
8

EAL3
20(10)
7
9

8
3
1
6

1
6
1

2
6

3
6
8
10
3
3
5

10
3
3
10

10
3
3
10

10
3
3
10

60(50)
1

99(89)
1.6

116(106)
1.9

187(177)
3.1

AVA_VLA
ETR

4
5
2
6

EAL4
20(10)
8
10
15
5
3
15
8
5
8
6
1
10
5
5
5
3
6
5
3
3

() ST


(4)

, .
o = (/30)
( 30 )
o : [ 5-22] .

[ 5-22]

0.8

1.2


IT

IT


IT

, OS, ,
, SW ,
PC, , , , ,
, HW,
OS, OS, IC

(5)
SW .
o = {()}
o : 7%
o : 110%

3. TOE

. TOE
(1)
o 30 26) CC

.
o 30 3

C-TOE BASE . (BASE

26) CC


(2)

COM COM = {COM1, COM2, ..., COMn}


, TOE (, C-TOE) C-TOE = {COM1, COM2, ...,
COMn} , C-TOE (TIME) .
TIME = BASE CAP FUN IF
o BASE : 30 3

C-TOE ()
o CAP : C-TOE (CAP-A, CAP-B, CAP-C )
o FUN : COMi FUNi (FUN = FUNi /n)
o IF: C-TOE ( n , IF = 4n(n-1)/2. : n=2

IF=4, n=3 IF=12, n=4 IF=24, n=5 IF=40)


CAP, FUN IF .

[ 5-23] C-TOE (IF)

0.8
1
1.2

8 (2 )
12 (3 )
40 (4 )

[ 5-24] (FUN)

0.8
1
1.2

25
305
36


[ 5-25] (CAP)

0.7
1
1.1

CAP-A ( )
CAP-B ( )
CAP-C ( , )

(3)
o C-TOE (IF): 5 2 ( 5-6) 2

(IF) 4,
. , n , IF = 4n(n-1)/2.
, n=2 IF=4, n=3 IF=12, n=4 IF=24, n=5 IF=40. 3
(=1) , 2 0.8, 4 1.2
.
. * .
o (FUN): 2005 KISA

27), (,
) 30, 30 5 0.8
, 1.2 . 2005
(30) , 3

. TOE
.
.
(CAP): CC 7(EAL1 ~
EAL7) , CC 3.1 TOE 3

(CAP: Composed Assurance Package) 28). CAP


CAP-A : CAP-B : CAP-C = 31 : 43 : 46

27) , , KISA,
2005.12.

28) Common Criteria for Information Technology Security Evaluation Part 1, 2, 3, Version 3.1, Revision 1, September 2006.


, . CC 3.1
CAP .

. (CAP)
(1) CAP
CAP-A, CAP-B, CAP-C EAL-2, EAL-3, EAL-4 .29)
o CAP-A ( ) : C-TOE

.
, (:
). ,

.
o CAP-B ( ) : C-TOE

,
. ,
.
, TOE , ,
.
o CAP-C ( , ) : C-TOE

.
.
C-TOE,
,
.

(2) CAP

2003 CC (,
29) Albert B. Jeng and Yu-Min Yu, Analysis of the composition problems in CC v3.1 rev.1
with some suggested solutions, ICCC 2006, , 2006.9.


) CC 3.1 ACO() [
5-27] 30). [ 5-26] CC 3.1 (CAP)

. [ 5-27]
. E
CC 3.1 (ACO) (CAP)

.
CAP , CAP

.
CAP-A : CAP-B : CAP-C = 31 : 43 : 46

[ 5-26] CC 3.1 (CAP)


Class

CAP-A

CAP-B
ACO_COR.1 (1)

ACO_CTT.1
(5.93)
ACO:

AGD:

ALC:

CAP-C

ACO_CTT.2 (6.93)

ACO_DEV.3

(5.15)
ACO_REL.1 (1)
ACO_REL.2 (2)
ACO_VUL.1
ACO_VUL.2
ACO_VUL.3 -
(8.6)
(14.71) (15.71)
AGD_OPE.1 (1)
AGD_PRE.1 (1)
ALC_CMC.1 TOE (1)

ACO_DEV.1
(3.15)

ACO_DEV.2
(4.15)

ALC_CMS.2 TOE CM (1)

30) ,
(), KISA, 2003.11.


ASE_CCL.1 (1)
ASE_ECD.1 (2)
ASE_INT.1 ST (2)
ASE:
ST

ACO
)

ASE_OBJ.1
ASE_OBJ.2 (1)
(1)
ASE_REQ.1
ASE_REQ.2 (2)
(1)
ASE_TSS.1 TOE (2)
ASE_SPD.1 (1)
30.68 (18.68)

42.79 (27.79)

45.79 (30.79)

()

[ 5-27] CC 3.1 CAP


(ACO_COR)

ACO_COR.1

ACO_DEV.1

(ACO_DEV)

(ACO_REL)

()

(1)

(1),
(2.15)

3.15

, (1+),
,
,
(2.15+)

, ,
ACO_DEV.3 , (1++),
,
(2.15++)

,
ACO_REL.1
, ,
(1)
,

ACO_DEV.1

ACO_REL.2

, ,
,

(1+)

(1),
ACO_CTT.1 ,
(), (2.53),

()
TOE
(2.4)

, (1+),
ACO_CTT.2
(ACO_CTT)
( ),
(2.53),
( )

(2.4)


3.15++
==> 4.15
3.15+++
==> 5.15
1
1+
==> 2
5.93

5.93+
==> 6.93

(ACO_VUL)

ACO_VUL.1

(1),
(2.15),

(5.45)

8.6

ACO_VUL.2

(1),
(2.15),

(5.45), basic
(6.11)

14.71

ACO_VUL.3
-

(1),
,

(5.45), extended
basic
(6.11+)

14.71+
==> 15.71

(1)

(1)

(1)

(1)

(1)

1(1), 2(1)

1(1), 2(1)

(1)

(1)

(1)

(1)

1+
==> 2

1(1), 2(1)

(1)

AGD_OPE
AGD_OPE.1

AGD_PRE
AGD_PRE.1

ALC_CMC
ALC_CMC.1
TOE

ALC_CMS.2
ALC_CMS
TOE

ASE_CCL.1
ASE_CCL

ASE_ECD
ASE_ECD.1

ASE_INT
ASE_INT.1
ST
ST
ASE_OBJ.1
ASE_OBJ

ASE_OBJ.2

ASE_REQ.1

ASE_REQ.2
ASE_REQ

ASE_TSS.1 TOE

ASE_SPD.1

4. TOE (19791-TR)

. TOE


(1)
o 19791 O-TOE (composit) TOE .31)

, 19791 O-TOE C-TOE .


o O-TOE 30 32)
CC .

(2)
O-TOE TOE, C-TOE

.
O-TOE COM COM = {COM1, COM2, ...,
COMn} , O-TOE (TIME) .
TIME = BASE EAL FUN IF OPE
o BASE : 30 3

C-TOE ()33)
o EAL : O-TOE (5, 7)
o FUN : COMi FUNi (FUN = FUNi /n)
o IF: O-TOE ( n , IF = n(n-1)/2. : n=2
IF=1, n=3 IF=3, n=4 IF=6, n=5 IF=10)
o OPE:
IF, FUN, EAL, OPE . EAL

. , O-TOE OPE
" 11" 34). OPE
.

31) 19791-3 6.1 6.6 (composit)


.
32) CC
33) O-TOE
34) , , 2005.


[ 5-28] TOE (IF)

0.8
1
1.2

2 (2 )
3 (3 )
4 (4 )

[ 5-29] TOE () (FUN)

0.8
1
1.2

25
305
36

[ 5-30] 7 TOE (EAL)

EAL1
EAL2
EAL3

1
1.4
1.5

EAL1
EAL2
EAL3

EAL4

1.7

EAL4

EAL5

1.9

EAL5

EAL6
EAL7

2.0
2.2

EAL6
EAL7

[ 5-31] 5 TOE (EAL)

L1
L2
L3

1
1.4
1.5

CMM Level1
CMM Level1
CMM Level1

L4
L5

1.7
2.1

CMM Level1
CMM Level1


[ 5-32] (OPE)

1.0

1.2

1.7

1.7

1.9

2.0

2.2

1.3

, , ,

, , , , OR, CAE
, , ,
,
, , ,
, , DBMS,
, , CASE,
, , , GPS
, CAM, CIM, , , ,

,

(3)
o O-TOE (IF): (IF) ,

. , n , IF =
4n(n-1)/2. , n=2 IF=4, n=3 IF=12, n=4 IF=24, n=5
IF=40. 3 (=1) , 2

0.8, 4 1.2 .
.
o O-TOE () (FUN): 2005 KISA

35), (,
) 30, 30 5
0.8 , 1.2 . 2005

(30) ,
3 . TOE


. .
o O-TOE (EAL): 19791

. , 3 ~ 5(CMVP, CMM,
35) , , KISA,
2005.12.


, ) 7(CC) .
CMM36) 37) 38)
5 CC 7

. O-TOE
(1) 19791-3

2003 39) CC (,
) CC 3.1 ACO()
[ 5-22] . [ 5-33] 19791-TR

.
[ 5-33] 19791-TR

ASP_INT: SPP
ASP_CCL:

ASP_SPD:

,
1. SPP

2. SPP ,

,
1.

,
1.

,
1.

1+1.63()
= 2.63
1+1.63()
= 2.63

1+1.63 = 2.63

ASP_OBJ:
ASP:
SPP ASP_ECD: 1. ,

1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63

1+1.63 = 2.63

1+1.63 = 2.63

ASP_DMI: 1. ,

(overview)

1+1.63 = 2.63

1+1.63 = 2.63

ASP_REQ:

1. (stated)

2. (derived)

ASP_DMC: 1.

36) ISO/IEC 21827 Information technology - Systems Security Engineering Capability Maturity Model (SSE-CMM).
37) B ISSAC .
38) (), 2005.
39) ,
(), KISA, 2003.11.



ASP_DMP:
1.

ASP_DMO: 1.


1.

ASP_DMR:
2.

1. SST

ASS_INT: SST ;
2. SST

ASS_CCL:
1.

ASS_SPD:

1.

ASS_OBJ: 1.

ASS_ECD:
1.

1.

ASS_REQ:

2.

ASS:
SST ASS_TSS: STOE

1. STOE ()

()

ASS_DMI:
1.


ASS_DMC: 1.

ASS_DMP: 1.

2.

1.
2.

1.
AOD_OCD:

2.

AOD:

1.

AOD_ADM:.
SSF


2. SSF



AOD_USR:

,
,
,
,
,
,

1.
SSF

1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63

1+1.63 = 2.63

1+1.63 = 2.63

1+1.63 = 2.63

,
,
,
,
,
,

ASS_DMO:
1.

ASS_DMR:

1+1.63 = 2.63

,

,

1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63
1+1.63 = 2.63

1+1.63 = 2.63

1+1.63 = 2.63
1+1.63 = 2.63
1

,
1+2.15() = 3.15
(verify)

,
1+2.15() = 3.15
(verify)



AOD_GVR:

ASD_SAD:

ASD_IFS:
()
ASD: ASD_SSD:

ASD_CMP:

ASD_IMP:

ASD_CON.:

ASD_GVR:

2. SSF

,
1+2.15() = 3.15
(verify)

1.

,
(determine)
1. ,
(determine)

1. ,
(determine)

1. ,
(determine)

1. ,
(determine)

,
1.
(determine)
1.

1.

AOC_OBM: 1.

2.

AOT:

AOT_DPT:

AOT_IND:

1+2.15() = 3.15
1+2.15() = 3.15
1+2.15() = 3.15
1+2.15() = 3.15
1+2.15() = 3.15
1


1
,
1+2.15() = 3.15
(verify)

1
1,
1
2

1
1,
1+1 = 2
2

1
1,
1+1 = 2
2

1.
AOC_ECP:
2.

AOC:

1. PP

AOC_PPC: PP 2. PP

AOC_NCP 1.
2.


AOT_FUN:
1. SSF



AOT_COV: 1. SSF
2. SSF


1.

1+2.15() = 3.15

1
1
1

2.
1

3.

1

4.

1

, 1+2.35() =
1. -

3.35
1+2.35()+2.
,
2. -
4() = 5.
,
75
3. -

,
,


1+2.35()+2.
4()+5.24
() = 10.

99
AOT_REG:
1.

1.

AOV_MSU:.

AOV:

,
, ,

2. ,
, , ,

1. /


2.
,
AOV_VLA.


3.
, +

4.
, ++
1.
AOL:

AOL_DVS:

2.

1.

ASI_AWA: .

2.

1. SSF
ASI:

ASI_CMM.:
2. SSF

1. STOE

ASI_SIC:

2.


1.

ASO_RCD:

2.

ASO:
ASO_VER:

1.

,
,
,
,

1
1+1.48()+2.
15(
)+1.46(
) = 6.09
1+1.48()+2.
15(
)+1.46(
)+4.97(
) = 11.06
1+5.45() =
6.45
1+5.45+2.61(
) = 9.06
1+5.45+5.92(
) = 12.37
1+5.45+9.71(
) = 16.16
1
1

2. ,

1. SSF
ASO_MON:
2. ,

1
1
1
1
1
1

()

(2)

CMM-SSE 5


.
o 7 : CC

7(EAL1 ~ EAL7) . ,

EAL1 ~ EAL4 .

EAL1:

EAL2:

EAL3:

EAL4: ,

EAL5:

EAL6: ,

EAL7: ,
7 , [ 5-24]
EAL1 : EAL2 : EAL3 : EAL4 : EAL5 : EAL6 : EAL7 =
70.0 : 97.6 : 104.7 : 132.2 : 138.0 : 141.8 : 150.8
= 1 : 1.4 : 1.5 : 1.7 : 1.9 : 2.0 : 2.2 .

CC 19791-3 ,

.
o 5 : CMM-SSE 5

. 40).

1 ( ):
.

2 ( ): ,
.

3 ( ):
.

40) ISO/IEC 21827 Information technology - Systems Security Engineering Capability Maturity Model (SSE-CMM), 2002.


4 ( ):
.

5 ( ):

5 , [ 5-34] Level 1 1

() .
Level1 : Level2 : Level3 : Level4 : Level5
70.0 : 97.6 : 104.7 : 132.2 : (138.0 + 141.8 + 150.8)/3
= 1 : 1.4 : 1.5 : 1.7 : 2.1

. CC 19791-3
,
.
[ 5-34] 19791-TR (
)

()
EAL

Level
1. SPP (2.63)
ASP_INT: SPP
2. SPP (2.63)
1. (2.63)
ASP_CCL:
ASP_ECD: 1.


(2.63)
ASP_SPD: 1. (2.63)
ASP_OBJ:
1. (2.63)
1 . ( s t a t e d )
(2.63)
ASP_REQ:
2. (derived)(*
ASP
CC.3.1) (2.63)
(SPP
) ASP_DMI: 1. (overview)
(2.63)

ASP_DMC:

1. (2.63)

ASP_DMP:
1. (2.63)

ASP_DMO: 1. (2.63)

ASP_DMR: 1. (2.63)

2. (2.63)


1
1

1
1

1
1

1
1

1
1

1
1

1. SST (2.63)
2. SST (2.63)
1. (2.63)
ASS_CCL:

ASS_ECD: 1.
(2.63)

ASS_SPD: 1. (2.63)
1. (2.63)
ASS_OBJ:
1. (2.63)
ASS_REQ:
2. (2.63)
ASS_TSS: STOE
1.STOE () (2.63)
()
ASS_DMI:
1. (2.63)

ASS_DMC:
1. (2.63)

ASS_DMP: 1. (2.63)

2. (2.63)
ASS_DMO: 1. (2.63)

ASS_DMR: 1. (2.63)
2. (2.63)

ASS_DMS 1. ()
()
(2.63)
1.
(1)
AOD_OCD:
2.

(3.15)
1.
AOD_ADM:.
SSF (1)

2. SSF
(3.15)
1.
AOD_USR:
SSF (1)
SSF

2.
(3.15)
AOD_GVR:
1. (1)

ASS_INT: SST ;

ASS
(SST
)

AOD
(

1
1

1
1

1
1

1
1

1
1

1
1

ASD_SAD: 1. (3.15)
ASD_IFS:
ASD
()
(

ASD_SSD:


ASD_CMP:

ASD_IMP:
)
ASD_COM.:

ASD_GVR:
AOC
( AOC_OBM:

1. (3.15)
1. (3.15)

1.
(3.15)
1. (3.15)

1. (3.15)

1. (1)

1. (1)
2. (3.15)


AOC_ECP:

AOC_PPC: PP
AOC_NCP

AOT_FUN:

AOT_COV:

AOT
(
AOT_DPT:

AOT_IND:
AOT_REG:
AOV_MSU:

AOV
(

) AOV_VLA.


AOL_DVS:

(AOL)
ASI_AWA:

ASI_CMM.:


(ASI)
ASI_SIC:

ASO_RCD:.


ASO_VER:

(ASO)
ASO_MON:

1. (1)
2.
(1)
1.PP (1)
2. PP
(2)
1. (1)
2.
(2)

1.SSF (1)
1. SSF (1)
2. SSF
(1)
1.
2.
(1)
3. (1)
4. (1)
1. - (3.35)
2. - (5.75)
3. - (10.99)
1. (1)
1.
(6.09)
2.
(11.06)
1./
(6.45)
2. (9.06)
3. (12.37)
4. (16.16)

1. (1)
2.
(1)
1. (1)
2. (1)
1. SSF (1)
2.SSF
(1)
1. STOE
(1)
2.
(1)
1. (1)
2. (1)
1. (1)
2. (1)
1.SSF (1)
2. (1)

70.0 97.6 104.7 132.2 138.0 141.8 150.8

() CC


4
(/, , , )

4
(, TOE TOE)
(scoping rule) ,
. 19791 , CC 3.1 (composed)
(C-TOE ) 19791 (operational
system) (O-TOE 41)) . ,

C-TOE O-TOE .

1.

. 19791-3
19791 O-TOE .

. , O-TOE 1
, PP ST
. ,
.
O-TOE . O-TOE

. , O-TOE
. , .

. CC/CEM
CC/CEM S-TOE TOE

41) 19791 STOE .


o . , TOE


.
o ADV_TDS TOE 1

1 ( )
.

.
O-TOE TOE
(scoping rule) . F
TOE .
(1) 42)

IT (UK-ITSEC)
.
(sponsor) ST .
o ( )
o (TOE ):
PC TOE .


.
o ( ): TOE

. TOE

. TOE HW SW
. TOE
TOE .
o TOE ( ): TOE
42)

(TOE) , 2005. 7. 1.0.

http://www.cesg.gov.uk/site/iacs/itsec/media/formal-docs/TOEscoping_1.0.pdf


.
o ( ): TOE

. TOE
.
o TOE , , ,


o , ,


o TOE ( ): , ,

TOE .
o TOE (): TOE

.
.

TOE

SW HW

HW SW

TOE (:
;
OS )

o ,
( 5-16) (context diagram) . TOE

TOE .
, .


(
)

(
)

TOE , TOE

(: , ,
, SW , , , , )
TOE (, )

(, )
. .

(usage)

IDS

/
?

TOE
()

.
,

OS

( 5-16) TOE


()

o : ,
( 5-17) . ,


SW
.
SW .
COTS
GUI

GUI SW

SW
IDS
SW

SW
COTS OS

SW


SW


SW

SW

COTS OS

OS

( 5-17) 2 ( )

. ,
. COTS(, )
. ,
o : (,

) . ( 5-18)
.

(2) 43)
() .
43) , 1.0 , January 2006.


<CC >
o CCP1. TOE . ,

.
o CCP2. IT

PC

PC
GUI

IDS

SW

SW

GUI

PC
SW

GUI

SW

COTS OS

COTS OS

SW

COTS OS

OS

SW

OS

<SW PC , PC HW . (,
PC PC .)

( . )
( 5-18) SW HW

< >
o EP1. TOE SFR

.
o EP2. TOE

.
o EP3. IT
IT .
<CC >
o SP1. TOE .


o SP2. TOE .
o SP3. TOE IT

. TOE
, IT
.
o SP4. -CC

. (: )
o SP5. .
o SP6.

() TOE .
<>
o
o 3 (; )

o 3 C-TOE
o TOE
<DB>
o OS

OS
o OS , TOE

TOE
<>
o (, , ,

)
o


OS .
< >
o
<>
o , , ,

IT

() CC TOE
o

TOE: ( ).

()

TSF44) - TSP TOE .


CC TSF .

o TOE : TOE

.
o : TOE . ,

. TSFI45) TSF
. TSFI 46)
TOE .

TSFI TSF

44) TSF CC 2.2 TOE CC 3 TOE

.
45) CC 2.2 TSFI (TOE ) TSF
. CC 3 TSFI (TOE )
. TSFI .
46) TSFI TOE CC ,
. CCP1 .
CC .


. , CC TSF
TSFI TSF TSFI TSF

.

TSFI TOE TSF TSF


TSFI .

TOE TSFI TOE


. TSF
TOE . TSF
,
CC .
GUI .

o ( ) : CC

TOE .
.

. TOE TOE

.

(3) TOE
< >
o : TOE .
o TOE : TOE

.
o : IT

IT .


< (viability)>
o IT : TOE IT

.
TOE , IT

.
o : -CC

. (: ) CC
TOE .
o (State of the Art):

.
< >
o :


TOE
.

2.

,
,
47)
. , O-TOE
. , (,
) O-TOE .
(: O-TOE)
(; )

. ,
UML(Unified Modeling Language) Use-case diagram, Class diagram,
47) -
. ,


Sequence diagram 20 .

O-TOE ,
( 5-19) , () ()

3 .

O-TOE1

O-TOE2

( 5-19) 3

[ 5-35] 3 O-TOE

( )

( )

O-TOE1

06 11
19()


HW

O-TOE2

051
( )

O-TOE3

044
( )

OS

TOE

. (temporal scope)
(, ----)
(duration) (time point) .
o : ,

( ,

6). O-TOE , ,


( , ,
2).
o : O-TOE snapshot

. 19791 , . ,
,
. (ISMS)
.

. () (spatial scope)
(, , )
.
:
, , , , , (LAN), WAN,
,
PP48) 19791
. , O-TOE
. ,
, (: )
. ( 5-20) WAN
O-TOE() . ( 5-21)
. , 19791
.

48) Control Center Protection Profile For Industrial Control Systems, Version 0.50, Submitted To: Process Control Security Requirements Forum (PCSRF), By: Digital Bond, Inc., February 17, 2004. http://www.digitalbond.com/SCADA_security/PP_05.pdf


( 5-20) O-TOE

O-TOE
A

D

DB

B
COTS
F

( )

( 5-21) O-TOE (19791 )

. () (functional scope)
O-TOE . O-TOE


(view) . ( 5-22)
O-TOE ,
.
o : O-TOE

. , ,
, ,
O-TOE .
o : O-TOE ( ,

) . CC 3.0
TOE .
o : CC TOE (

) , O-TOE
(, , ) .
O-TOE ,

. ,
.
o 49): O-TOE 1

, .50).

,
. A B
, A B ,
A B .

49) ( *-) 19791 ,


. , 19791 .
50) .


(: )

IS
SW
()

SW

(OS, DBMS)

(DB)

OS

HW()

O-TOE

(a) (architecture)

O-TOE

(EAL4)

(EAL1)

(b)

( : H )

1 ()
2 ()
3 ()
4 ()

TSF

TOE
/

(c)


O-TOE

A (X )
B ()
p2

A
C ()

p3

B
p1
D ()

p4

(d)
( 5-22) ()

3.
O-TOE

. O-TOE
. O-TOE . ,
TOE , ,

.
CC 3.0 TOE

, 19791 O-TOE . ,
O-TOE , TOE CC (: EAL4

X ) .
[ O-TOE ]
o R1(). TOE (encapsulated) (information hiding)

().
o R2( ). TOE(, ) TOE(,
O-TOE) .
o R3( ): TOE PP ST . ,

, , , .
o R4( ): TOE .


o R5( ): TOE .
o R6( ): .
o R7( ): TOE () TOE

.
o R8( ): TOE TOE

. CC .
<>
( 5-21-(d))
o TOE-A(, A) TOE-B TOE-D TOE-B
TOE-C .
o p1 TOA-A p3 TOE-C

( ).
o TOE-B TOE-D EAL4 EAL5, TOE-A

EAL4( ). TOE-C EAL4


.



<Control PP>
[1] Dale Peterson, Control Center Protection Profile Made Easy, Presented to PCSRF, Digital Bond, peterson@digitalbond.com.
[2] Control Center Protection Profile, http://www.digitalbond.com/SCADA_security/FAQ.htm#question1digitalbond.com.
[3] Control Center Protection Profile For Industrial Control Systems, Version 0.50, Submitted To: Process Control Security Requirements Forum (PCSRF), By: Digital Bond, Inc., February 17, 2004. http://www.digitalbond.com/SCADA_security/PP_05.pdf
[4] System Protection Profile - Industrial Control Systems, Version 1.0, NIST,
Decisive Analytics, 2004 4.
<IATF PP>
[5] The Information Assurance Technical Framework (IATF), Release 3.1, National Security Agency, Information Assurance Solutions, Technical Directors, September 2002.


<>
[6] G. Jones, Ed., Operational Security Requirements for Large Internet Service
Provider (ISP) IP Network Infrastructure, Network Working Group, The
MITRE Corporation, September 2004.
<FAA PP>
[7] Marshall D. Abrams, FAA System Security Testing and Evaluation, MTR 02W0000059, MITRE Technical Report, May 2003.


[8] FEDERAL AVIATION ADMINISTRATION, INFORMATION SYSTEM
SECURITY TECHNOLOGY OVERVIEW, Version 2.0, MITRE Corporation,
September 30, 2002.
[9] Ross Parker, System Process Flow Chart/Information Systems Security, Change Request Number: 03-101, 09/25/03.


[10] CAASD, Integrating Information Security Into the Procurement Process for
Large Systems, MITRE, 2003.
[11] Marshall Abrams, Joe Veoni, R. Kris Britton, Security in Large System Acquisition, MITRE, 2004.
[12] FAA Low Risk Mission Support Application System Security Function Protection Profile, Version 1.0, AIO-4-PP-LRMSAPS1.0, 1/28/04.


[13] FAA Low Risk Mission Support LAN/Facility Communication Security Function Protection Profile, Version 1.0, AIO-4-PP-LRMSALAN1.0, 1/29/04.


[14] FAA Low Risk Mission Support WAN Security Function Protection Profile, Version 1.0, AIO-4-PP-LRMSAWAN1.0, 1/29/04.


[15] FAA Low Risk NAS Application System Security Function Protection Profile, Version 1.0, AIO-4-PP-LRNASAPS1.0, 1/28/04.


[16] FAA Low Risk NAS LAN/Facility Communication Security Function
Protection Profile, Version 1.0, AIO-4-PP-LRNASLAN1.0, 1/29/04.
[17] FAA Low Risk NAS WAN Security Function Protection Profile, Version
1.0, AIO-4-PP-LRNASWAN1.0, 1/29/04.
[18] FAA Moderate Risk Mission Support

Application System Security

Function Protection Profile, Version 1.0, AIO-4-PP-MRMSAPS1.0, 1/28/04.


[19] FAA Moderate Risk Mission Support

LAN/Facility Communication

Security Function Protection Profile, Version 1.0, AIO-4-PP-MRMSALAN1.0,


1/29/04.
[20] FAA Moderate Risk NAS Application System Security Function Protection
Profile, Version 1.0, AIO-4-PP-MRNASAPS1.0, 1/28/04.
[21] FAA Moderate Risk NAS LAN/Facility Communication Security Function
Protection Profile, Version 1.0, AIO-4-PP-MRNASLAN1.0, 1/29/04.
[22] FAA Moderate Risk NAS WAN Security Function Protection Profile,
Version 1.0, AIO-4-PP-MRNASWAN1.0, 1/29/04.
[23] FAA High Risk Mission Support

Application System Security Function

- 239 -

Protection Profile, Version 1.0, AIO-4-PP-HRMSAPS1.0, 1/28/04.


[24] FAA High

Risk Mission Support

LAN/Facility Communication Security

Function Protection Profile, Version 1.0, AIO-4-PP-HRMSALAN1.0, 1/29/04.


[25] FAA High Risk Mission Support WAN Security Function Protection Profile,
Version 1.0, AIO-4-PP-HRMSAWAN1.0, 1/29/04.
[26] FAA High

Risk NAS

Application System Security Function Protection

Profile, Version 1.0, AIO-4-PP-HRNASAPS1.0, 1/28/04.


[27] FAA High

Risk NAS LAN/Facility Communication Security Function

Protection Profile, Version 1.0, AIO-4-PP-HRNASLAN1.0, 1/29/04.


[28] FAA High Risk NAS WAN Security Function Protection Profile, Version
1.0, AIO-4-PP-HRNASWAN1.0, 1/29/04.
<19791 PP/ST>
[29] ISO/IEC 1st WD 19791, Information Technology - Security Technology Security assessment of operational systems, Haruki Tabuchi ed., 2003. 7.
[30] SO/IEC 2nd PDTR 19791, Information technology - Security techniques
Security assessment of operational systems, 2005.3.
[31] ISO/IEC DTR 19791, Information technology - Security techniques
Security assessment of operational systems, 2005.5.
[32] Common Methodology for Information Technology Security Evaluation
Methodology, Version 2.2, Revision 256, CCIMB-2004-01-004, Jan. 2004.
[33] An Enhanced ISO/IEC 15408 Standard for Systems Security Specifications
and Evaluation, Version 1.1, Decisive Analytics Corporation, 2004.12.
[34] Guide for the protection profile and security targets, ISO/IEC PDTR 15446,
Version 0.9, January 4, 2000.
[35] (), PP ,

: , , 2005 11.
[36] (), , : ,

, 2004 11.

- 240 -

(KISSES)

KISSES

19791-TR SP 800-53A

. 19791-TR 19791
, KISSES .
, .
o :

. , (,
) ,
. ,

. .
o 19791 : 19791

. ,
BS 7799 , CC CC

. , KISSES 19791 .
o :

(CC ) .
, KISSES
.
o KISSES : 19791
KISSES .
o :

CC 3.1 .
- PP/ST

-
-
-
CC 19791

. CC 4.0 19791
.
.
o :
o : ( ),

,
. ,
,
, .
.

. , , 19791-TR (2006.5),
SP 800-53A,

, , ,
. , 4 4

.

A.

A.
ITSEC CC ,
CC CC ( )
. EAL4
,
. , 19791
.

o Tailored Assurance Scheme(TAS)


o SYS
o Fast Track Assessment(FTA)

A.1 Tailored Assurance Scheme(TAS) 51)


(1)
IT CESG
, CESG SYSn
Fast Track Assessment (FTA) 2006 .
TAS TAS 1.3 (2005.11-2006.4), 2006 3/4
TAS SYSn FTA . 2006 10
2007 10 .

(2)
o SYSn FTA . ,
, (HMG)
Infosec Standard No.1 (IS1) Residual Risk Assessment Method ,
JSP440 for residual risks 11.5 ~14.4 .
o , .
o ,
.
o SE IT
.
(3)
FTA 4 .
o : ST WP(Work Plan) .
o : / .
o : (ER) CESG letter .
51) http://www.cesg.gov.uk/

o : (AMP) .
(4)
o 11.5 ~ 14.4

- 2 ~ 4
- SYS2 ~ SYS4 : , & ,
&, & , ,
o
- (: Standard Assurance):
, (IS1) 3 ( 1 ~
5 )
- ( : Developed Assurance): ,
(credible) , 5
( 6 7 )
- .
o ,
barriers) .

(5)
/ ,
.

CESG

. ,

CESG (contractors) ST Work Plan


. CESG
, .

(6) Toolbox Approach


o toolbox . CESG
toolbox . . IS1 JSP 440
(tailor) .
o , CESG
.
-
-
-
-
-
-

o , CESG ,
, toolbox . toolbox()
.
-
-
- &
-
-
-
-
o . ,
trade-off .
(7) TAS
o , .
. (, .),
, / . ST
( ), ST .
o (Task Start up Review): , & .
o (assurance maintenance): .
(8)
o (EWP): .
o (ER: Evaluation Report): , ,
.
/ ,
.
o CESG letter: ,
, (aim) . IS1
. .
o (OR): .
(9)
. ,
,
, .
(tailored assurance) ,
. ,
.

A.2 SYSn Assurance Packages Framework(SYSn 52)


(1)
SYSn MoD ,
HMG IS1 EAL2, EAL3, EAL4 CESG
, ITSEC CC ,
.
SYSn' SYS2, SYS3, SYS4
.
SYS .

o
. .
o ,
.
o ,
.
o SYS .
o SYS , .
o , .
o .
o : , (pragmatic
agreement), COTS

o CC CEM .
(2)

SYSn
, , .

ST MoD
.

52) UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME, SYSn Assurance Packages Framework, Issue 1.0, September 2002.

SYSn .
. , TOE

.

o
CLEF -
. ,

[JIL] '

' . :

- ( ) TOE(, )

- ST ( ST
)
- AVA( )
.
-

- , (TOE
)
.
o
SYSn EAL ETR ,
, ,
.
(
. TOE
.

o TOE , , (,
) .
o , .
TOE ,
.


.
ETR CB
. , ETR
.

a) '-'
b) TOE .
c) (, , )
d)
(3)
SYS2
SYS2 AVA_VLA.1+
CC EAL2 . SYS2
.

Class ACM:
ACM_CAP.2
Class ADO:
ADO_DEL.1
ADO_IGS.1 , ,
Class ADV:
ADV_FSP.1
ADV_HLD.1
ADV_RCR.1
Class AGD:
AGD_ADM.1
AGD_USR.1
Class ATE:
ATE_COV.2
ATE_FUN.1
ATE_IND.2 :
Class AVA:
AVA_SOF.1 TOE
AVA_VLA.1+

SYS3
SYS3 AVA_VLA.1+
CC EAL2 . SYS3
.

Class ACM:
ACM_CAP.3
ACM_SCP.1 TOE
Class ADO:
ADO_DEL.1
ADO_IGS.1 , ,
Class ADV:
ADV_FSP.1
ADV_HLD.2 Security enforcing high-level design
ADV_RCR.1
Class AGD: Guidance
AGD_ADM.1
AGD_USR.1
Class ALC:
ALC_DVS.1
Class ATE:
ATE_COV.2
ATE_DPT.1
ATE_FUN.1
ATE_IND.2 :
Class AVA:
AVA_MSU.1
AVA_SOF.1 TOE
AVA_VLA.1+
SYS4
SYS4 CC EAL4
.

(4)
ST
o , , (ASE_INT.1)
TOE ,

a) ST TOE .
b) ST ST(CC 2, CC 3, PP
) .

o TOE (ASE_DES.1)
TOE , TOE
(- ) .

TOE
.

o TOE (ASE_ENV.1)
TOE
TOE
TOE .
(OSPs) .

o (ASE_OBJ.1)
TOE .
a) TOE (
.) TOE

b) . , ,
(OSPs), .

o PP (ASE_PPC.1)
TOE ST PP
.

o IT (ASE_REQ.1, ASE_SRE.1)
TOE .
a) IT (SFRs)
.

b) IT TOE , IT
, TOE
.

o TOE (ASE_TSS.1)
TOE .
a) IT .
b) IT SFRs
.

c) .
(ADO)
o , , (ADO_IGS.1)
TOE , ,
TOE .

(AGD)
o (AGD_ADM.1)
ST , ,
TOE .

o (AGD_USR.1)
ST , ,
TOE .

(ATE)
o (ATE_FUN.1)
TOE
.

a) (,
.)
.

b) ( , , )
.

o (ATE_IND.2)

TOE TOE .

(AVA)
o TOE (AVA_SOF.1)

TOE .

A.3 Fast Track Assessment(FTA) 53)

53) Fast Track Assessment Methodology, 2001, http://www.cesg.gov.uk/site/iacs

(1) FTA
FTA Infosec Infosec
(CESG ) , -
. CESG (, )
, (suitable)
.

FTA (, CC ) ,
. ,
.

FTA :
- FTA
- FTA TOA
FTA (FTAC) - FTA (oversee)
- TOA ST FTA
FTAC () FTA
. FTA .
o - TOA ST , /
, FTAC
(AWP)
o - AWP ST FTA . FTA
. ST AWP
, TOA ,
(culminate).
o - FTAR FTAC . FTAC
.

o
o
o
o

(2)
, FTA
.


TOA . (
)

FTA CC . ST
.

FTA TOA
.


TOA , .
CC ,
.( ) ,
, ,

( ) TOA
. CC CC CEM
.
, , ,
(gleaned) , .
.
. ,
- . , FTA
.
,
.(CEM soundness' ). .
,
(commensurate) .
TOA . ,
:

, TOA TOA

FTA .

o (verbally) - , FTAC,
o (written) -

, . , EAL1 (
) EAL4
.
( TOA ),
, (bearing on)
.

(impartiality)
.

CC
(objectivity)
.
CC .
FTA FTAC

(oversight) .
.


TOA ( )
.
(, TOA, ST,
), ,
. FTAC .

o FTA AWP ;
o FTA ;
o TOA FTA
,
, FTA . ,

UKAS . ,

, , , .
.

FTA FTAC AWP . ,


.
FTAC ( ) .

o ST ( ) -

o - FTA

FTA (outset) 'set in stone' .

FTAC ,
, .

(validity)
FTA TOA .
ST FTA . TOA ,
FTA . FTA
.
TOA , CC FTA -
. , ST (impose)
(adhered) , TOA TOA
TOA .

(3)
FTA (FTAC)
FTAC . , FTAC FTA
(FTAR ), , TOA
.
, , 1
. , FTAR FTAC
, . FTAR FTA
,
.
CC , FTAR

TOA .
()
FTA .
( ) FTA , ST ,
.



.
.

- . .
, - .(:
). .
.

o AVA_MSU.2, AVA_SOF.1 AVA_VLA.1 FTA


.
o TOA
.
o TOA . ,
. Unix, , , OpenSSL
. , , EAL3 .
CAPS
FTA CAPS( )
.
FTAR (CAPS letter
). CAP FTAR .

(4) (EAL4 )
ST (ASE)
ST FTA CC ST
. , (SFR) CC 2
. (
). CC 2
(FTA ). CC 2

ST .
ST FTA
.

1. ST ?
2. TOA , ?
3. , ?
4.
(uphold)
5. TOA ?
6. , ?

7. TOA ?
, .
, .

FTAR ST
. , ASE
.

ACM
CM (ACM_AUT)
ACM_AUT.1, .
1. TOA
?

2. TOA (
TOA )?.

CM (ACM_CAP)
ACM_CAP.1 ACM_CAP.2, .
1. TOA ( )?
2. TOA ? (TOA TOA
)

FTA ACM_CAP.1 ACM_CAP.2. .


ACM_CAP.3, .
3. TOA ?
4. CM , ,
TOA (undermined)
?

ACM_CAP.4, .
5. (upholding) CM
?

6. TOA TOA
?

CM (ACM_SCP)
ACM_SCP.1 ACM_SCP.2, .
1. TOA
?

CM .

(ADO)
ADO_DEL.1, .
1. , TOA
?

ADO_DEL.2,
2.
?

3. (masquerade)
ADO_IGS.1, .
1. TOA TOA , TOA ,
?

TSF (ADV)
(ADV_FSP)

ADV_FSP.1, TSF .
.

1. ?
2. ?
3. ?
FTA ADV_FSP.1 ADV_FSP.2. .
TSP (ADV_SPM)
.
(ADV_HLD)

ADV_HLD.1, TOA
.

1. TOA (TSF ) ?
2. TSF , ST
TSF (co-operate) ?
3. TSF , TAF
?

4. SW, HW

5. ( ) ST ( )
? , (; ATE_IND, AVA_VLA)
?

6. TSF ,
?

7. TSF TSF
( ) ,
?

8. TAF TAF
( ) ,
( )
?

ADV_HLD.2, .
9. TOA TSP- ?
?
(ADV_LLD.1)

ADV_LLD.1, TOA
.

1. TSF ?
2. TSF (, TSF )
3. TSP- TSP- ? ,
TSP- ?
4. TSP- ?
5. ( ) ST ( )
? , (; ATE_IND, AVA_VLA)
?

6. , TSF
?

7. ,
?

8. ,
?
(ADV_IMP)

ADV_IMP.1, .
1. ?
2. ?
(ADV_RCR)

FTA ADV .
(AGD)
(AGD_ADM.1)
.

1. ?
2. , , ST
?

(ALC)
(ALC_DVS)

ALC_DVS.1, .
1. , TOA
?
(ALC_LCD)

ALC_LCD.1, .
1. , TOA ,
?
(ALC_TAT)

ALC_TAT.1, .
1. (; )
, ?
.

(ATE)
(ATE_COV)

ATE_COV.1

.
. FTA ATE_COV.1 ATE_COV.2.

,
(ATE_DPT)

ATE_DPT.1
TAF
.
.

ATE_FUN.1, .
1.
(, , )
2. (, ),
, ?
(ATE_IND)

ATE_IND.1,
TOA . TOA ,
TOA , .

ATE_IND.2, ,
. TOA
.
, TOA
.

(AVA)
(AVA_MSU)

AVA_MSU.1
1. TOA , ,
(
TOA )

2. TOA ,

AVA_MSU.2
3.

TOA (AVA_SOF)
AVA_SOF.1
1. ST SOF SOF ,
permutational . (

CEM B.8 . FTA )


(AVA_VLA)

AVA_VLA.1
1.
2. , TOA

3.

AVA_VLA.2
4. (gleaned)

TOA ,

5.

6. TOA

B.

B.
(TC260) WG5

Information technology - Security techniques - Evaluation criteria for information


systems security assurance (ISIA .) 2005 3 . ISIA
4 .

o
o
o
o

Part 1.
Part 2. (CC Part2 )
Part 3 :
Part 4 : (= )
/ CC

CC Part2 , SSE-CMM 5
, .54)

B.1 (ISIA)
(1)
o GB/T 18336-2001(, CC) "IT, , IT " ,
, ,
. (CC) &
(C&A)
(Evaluation):
(TCSEC, CTCPEC, ITSEC GB/T 18336 idt ISO/IEC 15408)

(C&A): , ,

. (DITSCAP, SSE-CMM, ISO/IEC 17799)

==> "ISIA": GB/T 18336 IT


, ,

o : IT IT
, IT IT
,
, ,
, .
o ==> ISIA
54) IT=, IA=

o CC "ISIA"
o :
, , , , , ,
,
o ISIA
o
ISIA : ISIA (ISPP)
ISIA ISIA : ISIA (ISPP)
ISIA (ISST)

ISIA
(IA) : ISIA (ISST) ISIA
(ISPP)
:
ISIA (ISST) ISIA

ISIA : ISIA (ISST) ISIA


IS ISIA :
IS ISIA [ISST] ISIA , ,
ISIA ISIA ISIA
o
GB/T 9387.2-1995 2:
(idt ISO 7498-2: 1989)

GB/T 18336.1-2001 IT IT 1:
GB/T 18336.2-2001 IT IT 2:
GB/T 18336.3-2001 IT IT 3: IA

( B-1)

(2) ISIA
o ISIA : "ISIA"
, , , ,
, , ,

.
o 3 (): 3
: (M), (T), (),

: , , , ,

: , ,

o
"ISIA" .

. ,
( )

, , , "ISIA"
. , , "ISIA"
.

, .

( B-2) "ISIA"

o
:
. ,

,
.

:
. , ,

.
,
"ISIA"

. , ,

, , .

:
. . ,
, . , ,
,
.
3
.
"ISIA"
.

:
. ,
, ,
.

:
.

.

: ,
.

"ISIA"
.

( B-3) "ISIA"

(3) (ISAL)
o ,
, ,
, , IA
IA "ISIA" .
o IA , , IA , ,
, .
o ,
, ,
,

( B-4) "ISIA"

(4) ISPP ISST


o CC PP/ST .
[ B-1] ISPP ISST
ISPP

ISST

PP
1.
PP PP

ST
1.
ST ST

PP/ST


-
2. TOE
- ,

-
-
-

-
-
-

3. TOE


TOE
4.

PP/ST


-
2. TOE
- ,

-
-
-

-
-
-

3. TOE


4.
TOE


5.


5.


6. TOE


7. PP


8.
6. PP


9.

TOE


7.

(5)
1) :
, .

2) : .
o : .
, ,
.
o : ,
o :
.

o "ISIA" : (
), (
) ( )
.
3) : , ,
.

o : ,

: ////
.

, :

: (
, , ) ( ,

, ,
,
, , )

o : . ,
.
,
.
:

: .

: .

o : ,
,
.
: .

: .

:
.
.

( B-5)

(6) "ISIA"
o : ,
.
[ B-2]



.
, ,
,
.

.
, ,
,
.

.

: , , B(Basic), M(-Middle),
H(High) . , (:
) .

o : 7
( B-3)

T1

,
T2

T3

T4

T5

T6

T7

o ISAL : "ISIA"
.

[ B-4] "ISIA"

T1
ISAL1
ISAL1
ISAL1
ISAL2
ISAL3

T2
ISAL1
ISAL1
ISAL2
ISAL3
ISAL3


T3
T4
ISAL1
ISAL2
ISAL1
ISAL2
ISAL2
ISAL3
ISAL4
ISAL4
ISAL4
ISAL4

T5
ISAL2
ISAL3
ISAL3
ISAL4
ISAL5

T6
ISAL2
ISAL3
ISAL4
ISAL5
ISAL5

o ISAL : ISAL , , ,
. // ///
"ISIA" .

ISAL, ,

. "ISIA" ,
.
[ B-5] "ISIA"

ISAL   TCML   MCML   PCML
ISAL1  TCML1  MCML1  PCML1
ISAL2  TCML2  MCML2  PCML2
ISAL3  TCML3  MCML3  PCML3
ISAL4  TCML4  MCML4  PCML4
ISAL5  TCML5  MCML5  PCML5

"ISIA"
(CQI) .

B.2
CC Part 2 ()

B.3 ISIA

( B-6) "ISIA"

o "ISIA"
: ,
, , , 5
.

"ISIA" : "ISIA" "ISIA"


. "ISIA" ,
"ISIA"
, "ISIA"
.

:

"ISIA" .

"ISIA" "ISIA" TOE


"ISIA" ,

.

(1)
(MOA)
- (MOA_ORG)
- (MOA_MLC)

- (MOA_LCP)
- (MOA_OKR)
- IA (MOA_DRV)

(MSP)
- (MSP_ISP)
- (MSP_RPG)
- 3
(MSP_TFR)
- (MSP_MSD)
(MSR)
- (MSR_SRE)
- (MSR_ISN)
- (MSR_ISP)
- (MSR_ISC)
- (MSR_TSR)
(MCP)
- (MCP_LCP)
- (MCP_LOG)
- (MCP_CCK)
- (MIP)
- (MIP_IOP)
- (MIP_LRP)
- (MIP_SRP)
- (MIP_LPC)
- (MIP_CIP)
-
(MIP_MEP)
- (MIP_AES)
(MPB)
- (MPB_IAP)
- (MPB_AOB)
- (MPB_CPC)
- (MPB_CPD)
(MPS)
- (MPS_SCR)
- (MPS_SAW)
- (MPS_SED)
- (MPS_ACI)
- (MPS_IAT)
- (MPS_SMP)

(MAD)
- (MAD_ASR)
- (MAD_AFS)

(MAD_DMS)
- (MAD_EPY)

(MAS)
- (MAS_ASL)
- (MAS_DMT)
- (MAS_AMG)
- (MAS_SDC)
- (MAS_DCC)
- (MAS_DLP)
- (MAS_DMP)
- (MAS_PCM)
(MPH)
- (MPH_SAR)
- (MPH_ZIP)
- (MPH_ZPP)
- (MPH_ARU)
- (MPH_PAC)
- (MPH_ASR)
- , (MPH_DMP)
- (MPH_CAS)
(MCO)
- (MCO_OER)
- (MCO_MAC)

(MCO_LCS)
- (MCO_CUS)
- (MCO_MFC)
- (MCO_VPT)
- E-Mail (MCO_EMS)
- OA (MCO_OAS)
- (MCO_SRE)
- (MCO_DOP)
- (MCO_STO)
- (MCO_INM)
- (MCO_AUD)
- (MCO_MCB)

(MCC)
- (MCC_NEC)
- (MCC_CCC)
- (MCC_SDC)
- (MCC_TIC)

(ADM)46
- (ADM_DRP)
-
(ADM_MRP)

(2) (CMM-SEI)
SSE-CMM 55)

o 0
.
.
.

o 1
.
.
.

.
.

1.1 :
. ,
.

1) GP 1.1.1 : ,
.

o 2

- - 3 .
,

55) ISO/IEC 21827 Information technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM).


.
.
.

2.1- : .
IA .
IA
, IT
(: , , ).

1) GP2.1.1- :
2) GP2.1.2- : IA
3) GP2.1.3- :
4) GP2.1.5- : IA

2.2- :

.

1) GP 2.2.1-
.

2.3- , : IA
.

1) GP 2.3.1- :
.

o 3

. .
,
.
.

3.1 :
.

1) GP 3.1.1 :
.

3.2 :

.
, ,
.
.

1) GP 3.2.1 :
.

2) GP 3.2.2 :
.

3) GP 3.2.3 :
.

3.3

1) GP 3.3.1 :
2) GP 3.3.2 :
3) GP 3.3.3 :
o 4
, , .
. .
.

.
.

4.1 :
.
.
.

1) GP 4.1.1 :
.

4.2 :
.
.

1) GP 2.4.1 :
2) GP 2.4.2 : ,
.

o 5


.
, .

, .
.

5.1 :
, .
,
.
,
.
.

1) GP 5.1.1 :
.

2) GP 5.1.2 :
.

5.2 :
, .

1) GP 5.2.1 : .
2) GP 5.2.2 :
.

3) GP 5.2.3 :
.

B.4 (Engineering Criteria)


(1)
.
[ B-6]

(DPN)

- ,
,
.
-


y
y
y
y

(PSD)
(PAT)
(PAV)
(PAI)

(DSR)

(DSA)

(DSD)

(ISS)


(APE)


.
.
-
.
,
.
-
,

,
,
.
-

, .
-
.

.
-

,
.
.
-
, ,
.
-


.
- ,
, , ,

.

y (PAR)
y (PSR)

y (PPI)
y
(PHD)
y

(PDD)

y
y
y
y

(PEI)
(PCS)
(PMS)
(PAS)

y
(PVV)
y
(PBA)

o .
(DPN)
1. (DPN_PSD)
- DPN_PSD.1
2. (DPN_PAT)
- DPN_PAT.1
- DPN_PAT.2
- DPN_PAT.3
- DPN_PAT.4
- DPN_PAT.5
- DPN_PAT.6
3. (DPN_PAV)
- DPN_PAV.1
- DPN_PAV.2
- DPN_PAV.3
- DPN_PAV.4
- DPN_PAV.5
4. (DPN_PAI)
- DPN_PAI.1
- DPN_PAI.2
- DPN_PAI.3
- DPN_PAI.4
- DPN_PAI.5
- DPN_PAI.6
5. (DPN_PAR)
- DPN_PAR.1
- DPN_PAR.2
- DPN_PAR.3
- DPN_PAR.4
- DPN_PAR.5
- DPN_PAR.6

(DSR)
6. (DSR_PSN)
- DSR_PSN.1
- DSR_PSN.2
- DSR_PSN.3
- DSR_PSN.4
- DSR_PSN.5
- DSR_PSN.6
- DSR_PSN.7

(DSA)
7. (DSA_PPI)
- DSA_PPI.1
- DSA_PPI.2
- DSA_PPI.3
8. (DSA_PHD)
- DSA_PHD.1
- DSA_PHD.2

(DSD)
9. (DSD_PDD)
- DSD_PDD.1
- DSD_PDD.2
- DSD_PDD.3
- DSD_PDD.4

(ISS)
10. (ISS_PEI)
- ISS_PEI.1
- ISS_PEI.2
- ISS_PEI.3
- ISS_PEI.4
- ISS_PEI.5
- ISS_PEI.6
11. (ISS_PCS)
- ISS_PCS.1
- ISS_PCS.2
- ISS_PCS.3
- ISS_PCS.4
12. (ISS_PMS)
- ISS_PMS.1
- ISS_PMS.2
- ISS_PMS.3
- ISS_PMS.4
- ISS_PMS.5
- ISS_PMS.6
- ISS_PMS.7
13. (ISS_PAS)
- ISS_PAS.1
- ISS_PAS.2
- ISS_PAS.3
- ISS_PAS.4

(APE)
14. (APE_PVV)
- APE_PVV.1
- APE_PVV.2
- APE_PVV.3
- APE_PVV.4
- APE_PVV.5
15. (APE_PBA)
- APE_PBA.1
- APE_PBA.2
- APE_PBA.3
- APE_PBA.4
- APE_PBA.5

(2) ()
o 0
.
.
.

o 1
.
, .
.
,
. .
.

1.1 :

. ,
.

1) GP 1.1.1 :
.

o 2

. .
.
.
.
.

2.1: 1
.

.
(, , ) .

1) GP2.1.1 : (, ,
) .

2) GP2.1.2 :
.

3) GP2.1.3 :
.

4) GP2.1.4 :
.

5) GP2.1.5 :
.

6) GP2.1.6 : .

2.2 : 2
.

1) GP 2.2.1 , : ,
.

2) GP 2.2.2 :
.

2.3 : 2
.

1) GP 2.3.1 : .
2) GP 2.3.2 :
.

2.4 :
, .
, .

1) GP 2.4.1 :
.

2) GP 2.4.2 :
.

o 3
,
.
, .

.
.

3.1 :
.
.

.
,
.
.

1) GP 3.1.1 :
.

2) GP 3.1.2 :
.

3.2 :
.
, ,
.
.

1) GP 3.2.1 :
.

2) GP 3.2.2 :
.

3) GP 3.2.3 :
.

3.3

1) GP 3.3.1 :
2) GP 3.3.2 :

3) GP 3.3.3 :
o 4
.
. ,
.
.
.

4.1 :

. .
.

1) GP 4.1.1 :
.

4.2 :
,
.
.
.

1) GP 4.2.1 :
.

2) GP 4.2.2 : ,
.

o 5

.
.

.
.

5.1 :
,
. ,

.
,
, .
.

1) GP 5.1.1 :
.

2) GP 5.1.2 :
.

5.2 :
.

1) GP 5.2.1 : .
2) GP 5.2.2 :
.

3) GP 5.2.3 :
.

C.

C.
y

,
.

ISO/IEC 19791 (
, SP 800-53A
ISO/IEC 19791 .).

C.1 19791-TR
C.2 ISMS , KISA
C.3 (, 2005, )
C.4 CC 2.3
C.5 ACSI 33(19 September 2005) -
C.6 SP 800-53 (2006.3)
C.7 ISO/IEC 17799:2000
C.8 ISO/IEC 17799:2005
C.9 COBiT Domains PROCESS
C.10 NIST 800-12(An Introduction to Computer Security: The NIST Handbook)
C.11 DIACAP ( I&A) DoD 8500.2, 2004
C.12 SP 800-26 ()
C.13
C.14 SSE-CMM
C.15 IT Baseline Protection Manual (BPM)

19791-3
1. Administration (FOD)

ISMS

1.1.2 :

1.
1.1
1.2
I.
1.1
1.1.1
1.1.2
1.2
1.2.1
1.2.2
1.3
1.3.1

1.2 (Personnel

2.
2.1
4.
4.2

1.1 (Policy
administration, FOD_POL)
1.1.1 : ,
(goal) ,

ASCI 133

1.
1.1
1.1.1
1.1.2
2.1
2.1.1
2.1.2

2. (Personnel)

administration, FOD_PSN)
1.2.1 ():

(disciplinary action) ,
(agreement) ,
,

4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.2 2.1
5.
4.3 (Awareness)
5.1

2.2
5.1.1
2.2
5.1.2
2.3
2.2.1

5.1.3

2.2.2

5.2
2.3

2.3.1
2.3.2
2.3.3

1.3 (Risk management


3
administration, FOD_RSM)
1.3.1 : 3.1
3.2

3.3
1.3.2 3.4
: 3.5

13.
13.1
13.1.1
13.1.2
1.4 (Incident

management administration,
13.2
FOD_INC)
13.2.1
1.4.1 :
, 13.2.2

13.2.3
13.3
13.3.1

2.
2.1
1.5 (Security
2.
1.2
organization administration,
2.1
1.2.1
2.1.1
FOD_ORG)
1.2.2
2.1.2

1.5.1 :
1.2.3
2.2

2.2.1
2.2.2
1.6 (Service
agreements administration,
FOD_SER)
1.6.1 :
,

2. IT Systems (FOS)

3.
3.1 7.2
7.2.1

3.1.1 7.2.2

7.2.3

2.1 (Policy for


IT systems, FOS_POL)
10.
2.1.1 : IT 10.1
, 10.1.1
housekeeping , 10.1.2
10.1.3
10.1.4
(introduction)
10.1.5
2.1.1 : 9.1

3
6.3.1
6.3.2
6.3.3
6.3.4
7.4

2.1.2 : ,

2.1.3 :

8.3
8.3.1
2.2
8.3.2 8.2
(Configuration of IT systems,
8.3.3
8.2.1
FOS_CNF)

2.2.1 : 11.
8.2.2
11.1
8.2.3

11.1.1
7.1
2.2.2 : 11.1.2
11.1.3

11.1.4
11.1.5

2.3 (Network
security of IT systems, FOS_NET)
2.3.1 : 11.3
11.3.1

11.3.2
2.3.2 : 11.3.3
, ,

10.

10.1
6.2
10.2
6.2.1 10.3 Gateways

10.4 Firewalls
6.2.2
10.5 Diodes
6.2.3
10.6
6.2.4
10.7
6.2.5
10.8 VPN
6.2.6
10.9 Peripheral
6.2.7
Switches
10.10 LANs
10.11

4. ,
2.4 ( of IT 14.1
systems, FOS_MON)
14.1.1
2.4.1 . , 14.1.2
, , 14.1.3
(Active)
14.2 2.4


7.6
7.1 IDS
14.2.1

7.6.1
2.4.2 . 14.2.2
7.2
7.6.2

14.2.3
7.6.3
2.4.3 (alarm) . 14.3
7.3
14.3.1
14.3.2
7.4
(response)
14.3.3
2.4.4 . 14.4
14.4.1

14.4.2
2.5
10.2
(Personnel control of IT systems,
10.2.1
(FOS_PSN)
10.2.2
2.5.1 (authorization) : 10.2.3
10.2.4
10.2.5

10.3
2.5.2 : 10.3.1

10.3.2
2.5.3 : 10.3.3
10.3.4

5.1
-
6.
6.1
6.4
6.1


6.4.1
6.2
6.4.2

6.4.3
(Privileged and
6.4.4
System Accounts)
6.5 6.3
(Authorisation)

2.6 11.2
11.2.1
(Operational system assets of IT

7.7

3. (ICT)

systems, FOS_OAS)
2.6.1 :
, ,

2.6.2 : SW

(housekeeping)

11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8

2.7 (Records for 11.4


IT systems, FOS_RCD)
11.4.1
2.7.1 : 11.4.2
11.4.3

3. User Assets (FOA)
3.1
(Privacy data protection,
FOA_PRO)
3.1.1 :
, ,

3.2 (User
assets information protection,
FOA_INF)
3.2.1 :
, (transit)
(retention),
,

4. Business (FOB)
4.1 (Business
policies, FOB_POL)
4.1.1 :
,

,
(),

() .

4.2 (Business
continuity, FOB_BCN)
4.2.1 : ,

restore
,

15.
15.1
15.1.1

15.1.2

15.2

15.2.1
15.2.2
15.2.3
15.3

15.3.1
15.3.2

5. Facility and Equipment (FOP)


5.1 (Mobile
equipment, FOP_MOB)
5.1.1
:

11.6.1

3.1 DSD
3.2 Product
Selection
Acquiring
Products Installing
and Using
Products
3.3

5.2 DB
5.3
5.4 E-mail
5.5 E-Mail -

(Protective)

,

.

(unattended)
5.2 (Removable
equipment, FOP_RMM)
5.2.1 :
,

,


3.3

1.1
(Removable)

5.3 (Remote equipment,


FOP_RMT)
5.3.1 : 11.6
, 11.6.2

8.
(Comsec.)
8.1
8.2

8.3
8.4
8.5
8.6 IP Telephony
8.9 Pagers
8.10

5.4 (System
equipment, FOP_SYS)
5.4.1 :
(fallback) ,

,

1.2

1.3

4. HW
4.1 HW ,

4.2 HW

4.3 HW
4.4
(Sanitisation)
4.4
(Destruction)
4.5
PDA

7.
7.1
5.5 (Facility
7.1.1
management, FOP _MNG)
5.5.1 : , 7.1.2
7.2
7.2.1
. 7.2.2
7.2.3
. , 7.3
, 7.3.1
(separation) 7.3.2
7.3.3

7.3.4
5.5.2 : 7.3.5
7.3.6

7.4
6. Third Parties (FOT)

5.
5.1
5.1.1
5.1.2
5.1.3 .
5.1.4

5.1.5
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5

1.
Physical security
1.4
1.5
1.7
(Seals)
1.8

1.9

6.2 (Third party


management (FOT_MNG)
6.2.1 : , ,

(transition)

8.3
3.1.2 3 7.3

6.2.2 : 3.2
7.3.1
3.2.1

. 3.2.2 3
7.3.2


.

.
7. Management (FOM)

9.
9.1
9.1.1
9.1.2
9.1.3
9.2
9.2.1
9.2.2

9.2.3
9.3
9.3.1
9.3.2
9.4

7.1
(Management of security
parameters, FOM_PRM)
7.1.1 . 9.
9.2
(recovery) 9.3
, .
7.1.2 .
(segregation).

2.
7.2 (Management 2.2
4.
of asset classification, FOM_CLS) 4.1
7.2.1 :
.
4.1.1
7.2.2 : 4.1.2
4.2
.
4.2.1
4.2.2
6.
7.3
6.1
(Management of personnel security 6.1.1.
6.1.2
responsibilities, FOM_PSN)
7.3.1 : 6.2

().
6.2.1
7.3.2 : 6.2.2
6.3
(assignment)
6.3.1
7.4 (Management
2.
of security organization,
2.1
FOM_ORG)
2.1.1
7.4.1 () : 2.1.2

2.2
7.4.2 : 2.2.1
2.2.2

7.5 (Management 5.
of security reporting, FOM_INC) 5.1
7.5.1 : 5.2

3.
3.1
3.1.1
3.1.2
3.1.3
3.2
3.2.1
3.2.2

3.2.3

9.
9.1
9.2 DSD

(DACAs)
9.3 DSD

(DACPs)
9.4 SSL/TLS
9.5 Secure Shell
(SSH)
9.6 Secure
Multipurpose
Internet Mail
Extension
(S/MIME)
9.7 FIPS 140
9.8


5.3
4.
4.1

7.5 PC
8.
8.1
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.2
8.2.1
8.2.2
8.2.3
8.2.4

8.

8.1

8.1.1 5.6 SW

8.1.2

8.1.3

12.
12.1
12.2
12.3
12.4
12.5

C.1 19791-TR

1. Administration (FOD)
1.1 (Policy administration, FOD_POL)
1.2 (Personnel administration, FOD_PSN)
1.3 (Risk management administration, FOD_RSM)
1.4 (Incident management administration, FOD_INC)
1.5 (Security organization administration, FOD_ORG)
1.6 (Service agreements administration, FOD_SER)

2. IT Systems (FOS)
2.1 (Policy for IT systems, FOS_POL)
2.2 (Configuration of IT systems, FOS_CNF)
2.3 (Network security of IT systems, FOS_NET)
2.4 (Monitoring of IT systems, FOS_MON)
2.5 (Personnel control of IT systems, FOS_PSN)
2.6 (Operational system assets of IT systems, FOS_OAS)
2.7 (Records for IT systems, FOS_RCD)

3. User Assets (FOA)
3.1 (Privacy data protection, FOA_PRO)
3.2 (User assets information protection, FOA_INF)

4. Business (FOB)
4.1 (Business policies, FOB_POL)
4.2 (Business continuity, FOB_BCN)

5. Facility and Equipment (FOP)
5.1 (Mobile equipment, FOP_MOB)
5.2 (Removable equipment, FOP_RMM)
5.3 (Remote equipment, FOP_RMT)
5.4 (System equipment, FOP_SYS)
5.5 (Facility management, FOP_MNG)

6. Third Parties (FOT)
6.2 (Third party management, FOT_MNG)

7. Management (FOM)
7.1 (Management of security parameters, FOM_PRM)
7.2 (Management of asset classification, FOM_CLS)
7.3 (Management of personnel security responsibilities, FOM_PSN)
7.4 (Management of security organization, FOM_ORG)
7.5 (Management of security reporting, FOM_INC)

SPP (ASP)
ASP_INT: SPP
ASP_CCL
ASP_ECD
ASP_SPD
ASP_OBJ
ASP_REQ
ASP_DMI
ASP_DMC
ASP_DMP
ASP_DMO
ASP_DMR

SST (ASS)
ASS_INT: SST
ASS_CCL
ASS_ECD
ASS_SPD
ASS_OBJ
ASS_REQ
ASS_TSS: STOE
ASS_DMI
ASS_DMC
ASS_DMP
ASS_DMO
ASS_DMR

(ASD)
ASD_IMP.1
ASD_SSD.1
ASD_CMP.1
ASD_IFS.1
ASD_SAD.1
ASD_COM.1

(AOD)
AOD_USR.1
AOD_USR.2 SSF
AOD_ADM.1
AOD_ADM.2 SSF
AOD_OCD.1
AOD_OCD.2
AOD_SIC.1 STOE
AOD_SIC.2

(AOC)
AOC_OBM.1
AOC_OBM.2
AOC_ECP.1
AOC_ECP.2
AOC_CPP.1 PP
AOC_CPP.2 PP
AOC_NCP.1
AOC_NCP.2

(AOL)
AOL_DVS.1
AOL_DVS.2

(AOT)
AOT_FUN.1 SSF
AOT_FUN.2
AOT_DPT.1
AOT_DPT.2
AOT_DPT.3
AOT_DPT.4
AOT_IND.1~3
AOT_REG.1 (Regression testing)

(AOV)
AOV_MSU.1
AOV_MSU.2
AOV_SOF.1 STOE
AOV_VLA.1-4

(ASI)
ASI_AWA.1 (Awareness training)
ASI_AWA.2 (Verification of awareness training)
ASI_CMM.1
ASI_CMM.2 SSF

(ASO)
ASO_RCD.1 SSF
ASO_RCD.2 SSF
ASO_VER.1 SSF
ASO_VER.2 SSF
ASO_MON.1 SSF
ASO_MON.2

C.2 ISMS , KISA

I.
1.
1.1
1.2
2.
2.1
2.2
3.
3.1
3.2
3.3
3.4
3.5
4.
4.1
4.2
5.
5.1
5.2
5.3
II.
1.
1.1
1.2
1.3
2.
2.1
2.2
3.
3.1
3.2
4.
4.1
4.2
5.
5.1
5.2
6.
6.1
6.2
6.3
7.
7.1
7.2
7.3
7.4
8.
8.1
8.2
8.3
9.
9.1
9.2
9.3
10.
10.1
10.2
10.3
11.
11.1
11.2
11.3
11.4
11.5
11.6
12.
12.1
12.2
12.3
12.4
12.5
13.
13.1
13.2
13.3
14.
14.1
14.2
14.3
14.4
15.
15.1
15.2
15.3

C.3 2005() -
1.
1.1
1.2
2.
2.1
2.2
2.3
2.4
3.
3.1
3.2
3.3
4.
4.1
4.2
4.3
5.
5.1
5.2
6.
6.1
6.2
6.3
6.4
6.5
7.
7.1
7.2
7.3
7.4
7.5 PC
7.6
7.7
8.
8.1
8.2
8.3
9.
9.1
9.2
9.3
9.4

C.4 CC 2.3
1. (FAU)
1.1 (FAU_ARP)
1.2 (FAU_GEN)
1.3 (FAU_SAA)
1.4 (FAU_SAR)
1.5 (FAU_SEL)
1.6 (FAU_STG)
2. (FCO)
2.1 (FCO_NRO)
2.2 (FCO_NRR)
3. (FCS)
3.1 (FCS_CKM)
3.2 (FCS_COP)
4. (FDP)
4.1 (FDP_ACC)
4.2 (FDP_ACF)
4.3 (FDP_DAU)
4.4 TSF (FDP_ETC)
4.5 (FDP_IFC)
4.6 (FDP_IFF)
4.7 TSF (FDP_ITC)
4.8 TOE (FDP_ITT)
4.9 (FDP_RIP)
4.10 (FDP_ROL)
4.11 (FDP_SDI)
4.12 TSF (FDP_UCT)
4.13 TSF (FDP_UIT)
5. (FIA)
5.1 (FIA_AFL)
5.2 (FIA_ATD)
5.3 (FIA_SOS)
5.4 (FIA_UAU)
5.5 (FIA_UID)
5.6 - (FIA_USB)
6. (FMT)
6.1 TSF (FMT_MOF)
6.2 (FMT_MSA)
6.3 TSF (FMT_MTD)
6.4 (FMT_REV)
6.5 (FMT_SAE)
6.6 (FMT_SMF)
6.7 (FMT_SMR)
7. (FPR)
7.1 (FPR_ANO)
7.2 (FPR_PSE)
7.3 (FPR_UNL)
7.4 (FPR_UNO)
8. TSF (FPT)
8.1 (FPT_AMT)
8.2 (FPT_FLS)
8.3 TSF (FPT_ITA)
8.4 TSF (FPT_ITC)
8.5 TSF (FPT_ITI)
8.6 TSF (FPT_ITT)
8.7 TSF (FPT_PHP)
8.8 (FPT_RCV)
8.9 (FPT_RPL)
8.10 (FPT_RVM)
8.11 (FPT_SEP)
8.12 (FPT_SSP)
8.13 (FPT_STM)
8.14 TSF TSF (FPT_TDC)
8.15 TSF (FPT_TRC)
8.16 TSF (FPT_TST)
9. (FRU)
9.1 (FRU_FLT)
9.2 (FRU_PRS)
9.3 (FRU_RSA)
10. TOE (FTA)
10.1 (FTA_LSA)
10.2 (FTA_MCS)
10.3 (FTA_SSL)
10.4 TOE (FTA_TAB)
10.5 TOE (FTA_TAH)
10.6 TOE (FTA_TSE)
11. /(FTP)
11.1 TSF (FTP_ITC)
11.2 (FTP_TRP)

C.5 ACSI 33(19 September 2005) -

ACSI 33: Australian Government Information and Communications Technology Security Manual, Defence Signals Directorate, Release Date: 19 September 2005.

1. Physical security
1.1 (Removable)
1.2
1.3
1.4
1.5
1.7 (Seals)
1.8
1.9
2. (Personnel)
2.1 (Awareness)
2.2
2.3
3. (ICT)
3.1 DSD
3.2 Product Selection, Acquiring Products, Installing and Using Products
3.3
4. HW
4.1 HW
4.2 HW
4.3 HW
4.4 (Sanitisation)
4.4 (Destruction)
4.5 PDA
5. SW
5.1 -
5.2 DB
5.3
5.4 E-mail
5.5 E-Mail - (protective)
5.6 SW
6.
6.1
6.2 (privileged and system accounts)
6.3 (authorisation)
7. (Active)
7.1 IDS
7.2
7.3
7.4
8. (Comsec.)
8.1
8.2
8.3
8.4
8.5
8.6 IP Telephony
8.9 Pagers
8.10
9.
9.1
9.2 DSD (DACAs)
9.3 DSD (DACPs)
9.4 SSL/TLS
9.5 Secure Shell (SSH)
9.6 Secure Multipurpose Internet Mail Extension (S/MIME)
9.7 FIPS 140
9.8
10.
10.1
10.2
10.3 Gateways
10.4 Firewalls
10.5 Diodes
10.6
10.7
10.8 VPN
10.9 Peripheral Switches
10.10 LANs
10.11

C.6 SP 800-53 (2006.3)

Guide for Assessing the Security Controls in Federal Information Systems, NIST Special Publication SP 800-53A, Department of Commerce, United States, 2005.

I. (management)
1. (Risk Assessment; RA)
RA-1.
RA-2. (categorization)
RA-3.
RA-4.
RA-5.
2. (Planning; PL)
PL-1.
PL-2.
PL-3.
PL-4.
PL-5.
PL-6.
3. (Acquisition; SA)
SA-1.
SA-2.
SA-3.
SA-4.
SA-5.
SA-6. SW
SA-7. SW
SA-8.
SA-9.
SA-10.
SA-11.
4. , (Certification, Accreditation, and Security Assessments; CA)
CA-1.
CA-2.
CA-3.
CA-4.
CA-5.
CA-6.
CA-7.

II. (operational)
5. (Personnel Security; PS)
PS-1.
PS-2. (position categorization)
PS-3. (personnel screening)
PS-4. (termination)
PS-5. (transfer)
PS-6. (Access Agreements)
PS-7.
PS-8. (sanctions)
6. (Physical and Environmental Protection; PE)
PE-1.
PE-2. (authorizations)
PE-3.
PE-4.
PE-5.
PE-6.
PE-7.
PE-8.
PE-9.
PE-10. Shutoff
PE-11.
PE-12. (Lighting)
PE-13. (protection)
PE-14.
PE-15. (protection)
PE-16.
PE-17.
PE-18.
PE-19.
7. () (Contingency Planning; CP)
CP-1.
CP-2.
CP-3.
CP-4.
CP-5.
CP-6.
CP-7.
CP-8.
CP-9.
CP-10. (reconstitution)
8. (Configuration Management; CM)
CM-1.
CM-2.
CM-3.
CM-4.
CM-5.
CM-6.
CM-7.
9. (Maintenance; MA)
MA-1.
MA-2.
MA-3.
MA-4.
MA-5.
MA-6.
10. (System and Information Integrity; SI)
SI-1.
SI-2.
SI-3. (protect)
SI-4. IDS
SI-5. (Alerts)
SI-6.
SI-7. SW
SI-8.
SI-9.
SI-10.
SI-11.
SI-12. (retention)
11. (Media Protection; MP)
MP-1.
MP-2.
MP-3.
MP-4.
MP-5. (Transport)
MP-6. (sanitization) (disposal)
12. (Incident Response; IR)
IR-1.
IR-2.
IR-3.
IR-4.
IR-5.
IR-6.
IR-7.
13. (Awareness and Training; AT)
AT-1.
AT-2.
AT-3.
AT-4.
AT-5.

III.
14. (Identification and Authentication; IA)
IA-1.
IA-2.
IA-3.
IA-4.
IA-5.
IA-6.
IA-7.
15. (Access Control; AC)
AC-1.
AC-2. (Account)
AC-3.
AC-4.
AC-5. (duty)
AC-6.
AC-7.
AC-8. (notification)
AC-9.
AC-10.
AC-11.
AC-12.
AC-13. (supervision)
AC-14. w/o
AC-15.
AC-16.
AC-17.
AC-18.
AC-19.
AC-20.
16. (Audit and Accountability; AU)
AU-1.
AU-2.
AU-3.
AU-4.
AU-5.
AU-6.
AU-7. (reduction)
AU-8.
AU-9.
AU-10.
AU-11. (retention)
17. (System and Communications Protection; SC)
SC-1.
SC-2. (partitioning)
SC-3. (isolation)
SC-4. (remnants)
SC-5. (protection)
SC-6.
SC-7.
SC-8. (transmission)
SC-9.
SC-10.
SC-11.
SC-12. (establishment)
SC-13.
SC-14. (protection)
SC-15.
SC-16.
SC-17. PKI
SC-18.
SC-19. VOIP
SC-20. (authoritative source)
SC-21. (resolution)

C.7 ISO/IEC 17799:2000

ISO/IEC 17799:2000, Information technology - Security techniques - Code of practice for information security management.

1.
1.1
1.1.1
1.1.2
2. (ORGANIZATIONAL SECURITY)
2.1
2.1.1
2.1.2 (co-ordination)
2.1.3
2.1.4 (authorization)
2.1.5
2.1.6
2.1.7
2.2
2.2.1
2.2.2
2.3
2.3.1
3.1
3.1.1 (inventory)
3.2
3.2.1
3.2.2
4. (PERSONNEL)
4.1 (resourcing)
4.1.1
4.1.2 (personnel screening)
4.1.3 (confidentiality)
4.1.4 (terms and conditions)
4.2
4.2.1
4.3
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5 (Disciplinary process)
5.
5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5 (Isolated delivery and loading areas)
5.2 (EQUIPMENT)
5.2.1 (siting)
5.2.2
5.2.3 (Cabling)
5.2.4
5.2.5 (off-premises)
5.2.6
5.3
5.3.1
5.3.2
6.
6.1
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.2 (acceptance)
6.2.1
6.2.2
6.3 SW (protection)
6.3.1
6.4 (HOUSEKEEPING)
6.4.1
6.4.2
6.4.3
6.5
6.5.1
6.6
6.6.1
6.6.2
6.6.3
6.6.4
6.7 SW
6.7.1
6.7.2
6.7.3
6.7.4
6.7.5
6.7.6
6.7.7
7.
7.1
7.1.1
7.2
7.2.1
7.2.2
7.2.3
7.2.4
7.3
7.3.1
7.3.2 (Unattended)
7.4
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6
7.4.7
7.4.8
7.4.9
7.5 OS
7.5.1
7.5.2
7.5.3
7.5.4
7.5.5
7.5.6 (safeguard user)
7.5.7 (time-out)
7.5.8
7.6
7.6.1
7.6.2
7.7
7.7.1
7.7.2
7.7.3 (Clock)
7.8 (teleworking)
7.8.1
7.8.2
8.
8.1
8.1.1
8.2
8.2.1 (validation)
8.2.2
8.2.3
8.2.4
8.3
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.4
8.4.1
8.4.2
8.4.3
8.5
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
9.
9.1
9.1.1
9.1.2
9.1.3
9.1.4
9.1.5
10. (COMPLIANCE)
10.1
10.1.1
10.1.2 (IPR)
10.1.3
10.1.4
10.1.5
10.1.6
10.1.7
10.2
10.2.1
10.2.2
10.3
10.3.1
10.3.2

C.8 ISO/IEC 17799:2005

ISO/IEC 17799:2005, Information technology - Security techniques - Code of practice for information security management.

5.
5.1
5.1.1
5.1.2
6.
6.1
6.1.1 (commitment)
6.1.2
6.1.3
6.1.4 (authorization)
6.1.5
6.1.6 (contact)
6.1.7
6.1.8
6.2
6.2.1
6.2.2 (addressing)
6.2.3
7.
7.1
7.1.1
7.1.2
7.1.3 (Acceptable)
7.2
7.2.1
7.2.2
8.
8.1
8.1.1
8.1.2 (screening)
8.1.3 (terms and conditions)
8.2
8.2.1
8.2.2
8.2.3
8.3
8.3.1
8.3.2
8.3.3
9.
9.1
9.1.1
9.1.2
9.1.3
9.1.4
9.1.5
9.1.6
9.2
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7
10.
10.1
10.1.1
10.1.2
10.1.3
10.1.4
10.2
10.2.1
10.2.2
10.2.3
10.3 (acceptance)
10.3.1
10.3.2
10.4 (protection)
10.4.1
10.4.2
10.5
10.5.1
10.6
10.6.1
10.6.2
10.7
10.7.1
10.7.2
10.7.3
10.7.4
10.8
10.8.1
10.8.2
10.8.3
10.8.4
10.8.5
10.9
10.9.1
10.9.2
10.9.3
10.10
10.10.1
10.10.2
10.10.3
10.10.4
10.10.5
10.10.6
11.
11.1
11.1.1
11.2
11.2.1
11.2.2
11.2.3
11.2.4
11.3
11.3.2
11.3.3
11.4
11.4.1
11.4.2
11.4.3
11.4.4
11.4.5
11.4.6
11.4.7
11.5 OS
11.5.1
11.5.2
11.5.3
11.5.4
11.5.5
11.5.6
11.6
11.6.1
11.6.2
11.7 (Teleworking)
11.7.1
11.7.2
12.
12.1
12.1.1
12.2
12.2.1
12.2.2
12.2.3
12.2.4
12.3
12.3.1
12.3.2
12.4
12.4.1 SW
12.4.2
12.4.3
12.5
12.5.1
12.5.2
12.5.3
12.5.4 (Leakage)
12.5.5
12.6
12.6.1
13.
13.1
13.1.1
13.1.2
13.2
13.2.1
13.2.2 (Learning)
13.2.3
14.
14.1
14.1.1
14.1.2
14.1.3
14.1.4
14.1.5
15. (Compliance)
15.1
15.1.1
15.1.2 (IPR)
15.1.3
15.1.4
15.1.5
15.1.6
15.2
15.2.1
15.2.2
15.3
15.3.1
15.3.2

Table: Mapping of ISO/IEC 17799:2000 controls to ISO/IEC 17799:2005 controls. A 2000 control is placed on the row of its 2005 counterpart; a control with no counterpart in the other edition has a blank cell on that side.

ISO/IEC 17799:2000 | ISO/IEC 17799:2005
3 Security policy | 5 Security policy
3.1 Information security policy | 5.1 Information security policy
3.1.1 Information security policy document | 5.1.1 Information security policy document
3.1.2 Review and evaluation | 5.1.2 Review of the information security policy
4 Organizational security | 6 Organization of information security
4.1 Information security infrastructure | 6.1 Internal organization
4.1.1 Management information security forum | 6.1.1 Management commitment to information security
4.1.2 Information security co-ordination | 6.1.2 Information security co-ordination
4.1.3 Allocation of information security responsibilities | 6.1.3 Allocation of information security responsibilities
4.1.4 Authorization process for information processing facilities | 6.1.4 Authorization process for information processing facilities
4.1.5 Specialist information security advice | 
4.1.6 Co-operation between organizations | 
6.1.3 Confidentiality agreements (under 6.1 Security in job definition and resourcing) | 6.1.5 Confidentiality agreements
 | 6.1.6 Contact with authorities
 | 6.1.7 Contact with special interest groups
4.1.7 Independent review of information security | 6.1.8 Independent review of information security
4.2 Security of third party access | 6.2 External parties
4.2.1 Identification of risks from third party access | 6.2.1 Identification of risks related to external parties
 | 6.2.2 Addressing security when dealing with customers
4.2.2 Security requirements in third party access; 4.3.1 Security requirements in outsourcing contracts | 6.2.3 Addressing security in third party agreements
4.3 Outsourcing | 
5 Asset classification and control | 7 Asset management
5.1 Accountability for assets | 7.1 Responsibility for assets
5.1.1 Inventory of assets | 7.1.1 Inventory of assets
 | 7.1.2 Ownership of assets
 | 7.1.3 Acceptable use of assets
5.2 Information classification | 7.2 Information classification
5.2.1 Classification guidelines | 7.2.1 Classification guidelines
5.2.2 Information labeling and handling | 7.2.2 Information labeling and handling
6 Personnel security | 8 Human resources security
6.1 Security in job definition and resourcing | 8.1 Prior to employment
6.1.1 Including security in job responsibilities | 8.1.1 Roles and responsibilities
6.1.2 Personnel screening and policy | 8.1.2 Screening
6.1.4 Terms and conditions of employment | 8.1.3 Terms and conditions of employment
6.2 User training | 8.2 During employment
 | 8.2.1 Management responsibilities
6.2.1 Information security education and training | 8.2.2 Information security awareness, education and training
6.3.5 Disciplinary process | 8.2.3 Disciplinary process
 | 8.3 Termination or change of employment
 | 8.3.1 Termination responsibilities
 | 8.3.2 Return of assets
 | 8.3.3 Removal of access rights
7 Physical and environmental security | 9 Physical and environmental security
7.1 Secure areas | 9.1 Secure areas
7.1.1 Physical security perimeter | 9.1.1 Physical security perimeter
7.1.2 Physical entry controls | 9.1.2 Physical entry controls
7.1.3 Securing offices, rooms and facilities | 9.1.3 Securing offices, rooms and facilities
 | 9.1.4 Protecting against external and environmental threats
7.1.4 Working in secure areas | 9.1.5 Working in secure areas
7.1.5 Isolated delivery and loading areas | 9.1.6 Public access, delivery and loading areas
7.2 Equipment security | 9.2 Equipment security
7.2.1 Equipment siting and protection | 9.2.1 Equipment siting and protection
7.2.2 Power supplies | 9.2.2 Supporting utilities
7.2.3 Cabling security | 9.2.3 Cabling security
7.2.4 Equipment maintenance | 9.2.4 Equipment maintenance
7.2.5 Security of equipment off-premises | 9.2.5 Security of equipment off-premises
7.2.6 Secure disposal or re-use of equipment | 9.2.6 Secure disposal or re-use of equipment
7.3 General controls | 
7.3.2 Removal of property | 9.2.7 Removal of property
8 Communications and operations management | 10 Communications and operations management
8.1 Operational procedures and responsibilities | 10.1 Operational procedures and responsibilities
8.1.1 Documented operating procedures | 10.1.1 Documented operating procedures
8.1.2 Operational change control | 10.1.2 Change management
8.1.3 Incident management procedures | 
8.1.4 Segregation of duties | 10.1.3 Segregation of duties
8.1.5 Separation of development and operational facilities | 10.1.4 Separation of development, test and operational facilities
8.1.6 External facilities management | 10.2 Third party service delivery management
 | 10.2.1 Service delivery
 | 10.2.2 Monitoring and review of third party services
 | 10.2.3 Managing changes to third party services
8.2 System planning and acceptance | 10.3 System planning and acceptance
8.2.1 Capacity planning | 10.3.1 Capacity management
8.2.2 System acceptance | 10.3.2 System acceptance
8.3 Protection against malicious software | 10.4 Protection against malicious and mobile code
8.3.1 Controls against malicious software | 10.4.1 Controls against malicious code
 | 10.4.2 Controls against mobile code
8.4 Housekeeping | 10.5 Back-up
8.4.1 Information back-up | 10.5.1 Information back-up
8.5 Network management | 10.6 Network security management
8.5.1 Network controls | 10.6.1 Network controls
9.4.9 Security of network services | 10.6.2 Security of network services
8.6 Media handling and security | 10.7 Media handling
8.6.1 Management of removable computer media | 10.7.1 Management of removable media
8.6.2 Disposal of media | 10.7.2 Disposal of media
8.6.3 Information handling procedures | 10.7.3 Information handling procedures
8.6.4 Security of system documentation | 10.7.4 Security of system documentation
8.7 Exchanges of information and software | 10.8 Exchange of information
 | 10.8.1 Information exchange policies and procedures
8.7.1 Information and software exchange agreements | 10.8.2 Exchange agreements
8.7.2 Security of media in transit | 10.8.3 Physical media in transit
8.7.4 Security of electronic mail | 10.8.4 Electronic messaging
8.7.5 Security of electronic office systems | 10.8.5 Business information systems
8.7.7 Other forms of information exchange | 
 | 10.9 Electronic commerce services
8.7.3 Electronic commerce security | 10.9.1 Electronic commerce
 | 10.9.2 On-line transactions
8.7.6 Publicly available systems | 10.9.3 Publicly available information
9.7 Monitoring system access and use | 10.10 Monitoring
9.7.1 Event logging | 10.10.1 Audit logging
9.7.2 Monitoring system use | 10.10.2 Monitoring system use
 | 10.10.3 Protection of log information
8.4.2 Operator logs | 10.10.4 Administrator and operator logs
8.4.3 Fault logging | 10.10.5 Fault logging
9.7.3 Clock synchronization | 10.10.6 Clock synchronization
9 Access control | 11 Access control
9.1 Business requirement for access control | 11.1 Business requirement for access control
9.1.1 Access control policy | 11.1.1 Access control policy
9.2 User access management | 11.2 User access management
9.2.1 User registration | 11.2.1 User registration
9.2.2 Privilege management | 11.2.2 Privilege management
9.2.3 User password management | 11.2.3 User password management
9.2.4 Review of user access rights | 11.2.4 Review of user access rights
9.3 User responsibilities | 11.3 User responsibilities
9.3.1 Password use | 11.3.1 Password use
9.3.2 Unattended user equipment | 11.3.2 Unattended user equipment
7.3.1 Clear desk and clear screen policy | 11.3.3 Clear desk and clear screen policy
9.4 Network access control | 11.4 Network access control
9.4.1 Policy on use of network services | 11.4.1 Policy on use of network services
9.4.2 Enforced path | 
9.4.3 User authentication for external connections | 11.4.2 User authentication for external connections
9.4.4 Node authentication | 11.4.3 Equipment identification in networks
9.4.5 Remote diagnostic port protection | 11.4.4 Remote diagnostic and configuration port protection
9.4.6 Segregation in networks | 11.4.5 Segregation in networks
9.4.7 Network connection control | 11.4.6 Network connection control
9.4.8 Network routing control | 11.4.7 Network routing control
9.5 Operating system access control | 11.5 Operating system access control
9.5.1 Automatic terminal identification | 
9.5.2 Terminal log-on procedures | 11.5.1 Secure log-on procedures
9.5.3 User identification and authentication | 11.5.2 User identification and authentication
9.5.4 Password management system | 11.5.3 Password management system
9.5.5 Use of system utilities | 11.5.4 Use of system utilities
9.5.6 Duress alarm to safeguard users | 
9.5.7 Terminal time-out | 11.5.5 Session time-out
9.5.8 Limitation of connection time | 11.5.6 Limitation of connection time
9.6 Application access control | 11.6 Application and information access control
9.6.1 Information access restriction | 11.6.1 Information access restriction
9.6.2 Sensitive system isolation | 11.6.2 Sensitive system isolation
9.8 Mobile computing and teleworking | 11.7 Mobile computing and teleworking
9.8.1 Mobile computing | 11.7.1 Mobile computing and communications
9.8.2 Teleworking | 11.7.2 Teleworking
10 Systems development and maintenance | 12 Information systems acquisition, development and maintenance
10.1 Security requirements of systems | 12.1 Security requirements of information systems
10.1.1 Security requirements analysis and specification | 12.1.1 Security requirements analysis and specification
10.2 Security in application systems | 12.2 Correct processing in applications
10.2.1 Input data validation | 12.2.1 Input data validation
10.2.2 Control of internal processing | 12.2.2 Control of internal processing
10.2.3 Message authentication | 12.2.3 Message integrity
10.2.4 Output data validation | 12.2.4 Output data validation
10.3 Cryptographic controls | 12.3 Cryptographic controls
10.3.1 Policy on the use of cryptographic controls | 12.3.1 Policy on the use of cryptographic controls
10.3.2 Encryption | 
10.3.3 Digital signatures | 
10.3.4 Non-repudiation services | 
10.3.5 Key management | 12.3.2 Key management
10.4 Security of system files | 12.4 Security of system files
10.4.1 Control of operational software | 12.4.1 Control of operational software
10.4.2 Protection of system test data | 12.4.2 Protection of system test data
10.4.3 Access control to program source library | 12.4.3 Access control to program source code
10.5 Security in development and support processes | 12.5 Security in development and support processes
10.5.1 Change control procedures | 12.5.1 Change control procedures
10.5.2 Technical review of operating system changes | 12.5.2 Technical review of applications after operating system changes
10.5.3 Restrictions on changes to software packages | 12.5.3 Restrictions on changes to software packages
10.5.4 Covert channels and Trojan code | 12.5.4 Information leakage
10.5.5 Outsourced software development | 12.5.5 Outsourced software development
 | 12.6 Technical vulnerability management
 | 12.6.1 Control of technical vulnerabilities
6.3 Responding to security incidents and malfunctions | 13 Information security incident management
 | 13.1 Reporting information security events and weaknesses
6.3.1 Reporting security incidents | 13.1.1 Reporting information security events
6.3.2 Reporting security weaknesses | 13.1.2 Reporting security weaknesses
6.3.3 Reporting software malfunctions | 
 | 13.2 Management of information security incidents and improvements
 | 13.2.1 Responsibilities and procedures
6.3.4 Learning from incidents | 13.2.2 Learning from information security incidents
12.1.7 Collection of evidence | 13.2.3 Collection of evidence
11 Business continuity management | 14 Business continuity management
11.1 Aspects of business continuity management | 14.1 Information security aspects of business continuity management
11.1.1 Business continuity management process | 14.1.1 Including information security in the business continuity management process
11.1.2 Business continuity and impact analysis | 14.1.2 Business continuity and risk assessment
11.1.3 Writing and implementing continuity plans | 14.1.3 Developing and implementing continuity plans including information security
11.1.4 Business continuity planning framework | 14.1.4 Business continuity planning framework
11.1.5 Testing, maintaining and re-assessing business continuity plans | 14.1.5 Testing, maintaining and re-assessing business continuity plans
12 Compliance | 15 Compliance
12.1 Compliance with legal requirements | 15.1 Compliance with legal requirements
12.1.1 Identification of applicable legislation | 15.1.1 Identification of applicable legislation
12.1.2 Intellectual property rights (IPR) | 15.1.2 Intellectual property rights (IPR)
12.1.3 Safeguarding of organizational records | 15.1.3 Protection of organizational records
12.1.4 Data protection and privacy of personal information | 15.1.4 Data protection and privacy of personal information
12.1.5 Prevention of misuse of information processing facilities | 15.1.5 Prevention of misuse of information processing facilities
12.1.6 Regulation of cryptographic controls | 15.1.6 Regulation of cryptographic controls
12.2 Reviews of security policy and technical compliance | 15.2 Compliance with security policies and standards, and technical compliance
12.2.1 Compliance with security policy | 15.2.1 Compliance with security policies and standards
12.2.2 Technical compliance checking | 15.2.2 Technical compliance checking
12.3 System audit considerations | 15.3 Information systems audit considerations
12.3.1 System audit controls | 15.3.1 Information systems audit controls
12.3.2 Protection of system audit tools | 15.3.2 Protection of information systems audit tools

C.9 COBiT domains and processes

Control Objectives for Information and related Technology

1. Planning and Organisation: PO1 IT, PO2, PO3, PO4, PO5 IT, PO6, PO7 OT, PO8, PO9, PO10, PO11
2. Acquisition and Implementation: AI1, AI2, AI3, AI4, AI5 SW, AI6
3. Delivery and Support: DS1, DS2, DS3, DS4, DS5, DS6, DS7, DS8, DS9, DS10, DS11, DS12, DS13
4. Monitoring: M1, M2, M3, M4
C.10 NIST SP 800-12

(An Introduction to Computer Security: The NIST Handbook)

Numbering follows the report's outline, in which Handbook chapters 5 to 19 appear as 1 to 15; the terms in parentheses are the English keywords kept from the original headings.

I. Management controls (mgmt)
1. Computer security policy: 1.1, 1.2, 1.3
2. Computer security program management: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6
3. Computer security risk management (mgmt): 3.1 (assessment), 3.2 (mitigation), 3.3
4. Security and planning in the computer system life cycle: 4.1, 4.2, 4.3, 4.4, 4.5
5. Assurance: 5.1, 5.2, 5.3, 5.4

II. Operational controls
6. Personnel/user issues: 6.1, 6.2 (adm.), 6.3, 6.4
7. Preparing for contingencies and disasters (contingency)
   Step 1: Identifying the mission- or business-critical functions
   Step 2: Identifying the resources that support critical functions
   Step 3: Anticipating potential contingencies or disasters
   Step 4: Selecting contingency planning strategies
   Step 5: Implementing the contingency strategies
   Step 6: Testing and revising
8. Computer security incident handling: 8.1, 8.2, 8.3
9. Awareness, training and education (awareness): 9.1, 9.2, 9.3, 9.4, 9.5
10. Security considerations in computer support and operations: 10.1, 10.2 SW, 10.3, 10.4, 10.5, 10.6, 10.7
11. Physical and environmental security: 11.1, 11.2, 11.3 (utilities), 11.4, 11.5 (interception), 11.6

III. Technical controls
12. Identification and authentication: 12.1, 12.2, 12.3
13. Logical access control: 13.1, 13.2 (impetus), 13.3, 13.4 (adm), 13.5 (coordinating)
14. Audit trails: 14.1, 14.2
15. Cryptography: 15.1, 15.2
C.11 DIACAP IA controls (DoD Instruction 8500.2, 2004)

Controls are listed by subject area; the letter after each control, (A), (C) or (I), is the IA service it supports: availability, confidentiality or integrity.

Continuity (CO)
COAS-1,2 (A)
COBR-1 (A)
CODB-1,2,3 (A)
CODP-1,2,3 (A)
COEB-1,2 (enclave boundary) (A)
COED-1,2 (A)
COEF-1,2 (A)
COMS-1,2 (A)
COPS-1,2,3 (A)
COSP-1,2 (A)
COSW-1 SW (A)
COTR-1 (A)

Security Design and Configuration (DC)
DCAR-1 (A)
DCAS-1 (C)
DCBP-1 (I)
DCCB-1 (I)
DCCS-1,2 (I)
DCCT-1 (A)
DCDS-1 (I)
DCFA-1 AIS (I)
DCHW-1 HW (A)
DCID-1 (I)
DCII-1 (I)
DCIT-1 (I)
DCMC-1 (I)
DCNR-1 (I)
DCPA-1 (I)
DCPB-1 (A)
DCPD-1 SW (A)
DCPP-1 (A)
DCPR-1 (I)
DCSD-1 (A)
DCSL-1 (I)
DCSP-1 (I)
DCSQ-1 SW (I)
DCSR-1,2,3 (C)
DCSS-1,2 (I)
DCSW-1 SW (A)

Enclave Boundary Defense (EB)
EBBD-1,2,3 (C)
EBCR-1 (A)
EBPW-1 WAN (C)
EBRP-1 (C)
EBRU-1 (C)
EBVC-1 VPN (A)

Enclave and Computing Environment (EC)
ECAD-1 (affiliation) (C)
ECAN-1 Need-to-Know (C)
ECAR-1,2,3 (C)
ECAT-1,2 (I)
ECCD-1,2 (I)
ECCM-1 (COMSEC) (C)
ECCR-1,2,3 (C)
ECCT-1,2 (C)
ECDC-1 (I)
ECIC-1 (enclaves) (C)
ECID-1 IDS (I)
ECIM-1 (I)
ECLC-1 (C)
ECLO-1,2 (C)
ECLP-1 (C)
ECML-1 (C)
ECMT-1,2 (C)
ECND-1,2 (I)
ECNK-1,2 Need-To-Know (C)
ECPA-1 (I)
ECPC-1,2 (production) (I)
ECRC-1 (C)
ECRG-1 (reduction) (I)
ECRR-1 (retention) (I)
ECSC-1 (A)
ECSD-1,2 SW (I)
ECTB-1 (I)
ECTC-1 (C)
ECTM-1,2 (I)
ECTP-1 (I)
ECVI-1 VoIP (A)
ECVP-1 (A)
ECWM-1 (C)
ECWN-1 (A)

Identification and Authentication (IA)
IAAC-1 (C)
IAGA-1 (C)
IAIA-1,2 (C)
IAKM-1,2,3 (I)
IATS-1,2 (I)

Physical and Environmental (PE)
PECF-1,2 (C)
PECS-1,2 (Clearing and Sanitizing) (C)
PEDD-1 (C)
PEDI-1 (C)
PEEL-1,2 (A)
PEFD-1,2 (A)
PEFI-1 (A)
PEFS-1,2 (A)
PEHC-1,2 (A)
PEMS-1 (A)
PEPF-1,2 (C)
PEPS-1 (C)
PESL-1 (I)
PESP-1 (C)
PESS-1 (C)
PETC-1,2 (A)
PETN-1 (A)
PEVC-1 (C)
PEVR-1 (A)

Personnel (PR)
PRAS-1,2 (C)
PRMP-1,2 (C)
PRNK-1 Need-to-Know (C)
PRRB-1 (A)
PRTN-1 (I)

Vulnerability and Incident Management (VI)
VIIR-1,2 (A)
VIVM-1 (A)

C.12 NIST SP 800-26 (Security Self-Assessment Guide for Information Technology Systems)

I. Management controls
1. Risk management: 1.1, 1.2
2. Review of security controls: 2.1, 2.2
3. Life cycle: 3.1, 3.2
4. Authorize processing (certification and accreditation): 4.1, 4.2, 4.2.1
5. System security plan: 5.1, 5.2

II. Operational controls
6. Personnel security: 6.1, 6.2
7. Physical and environmental protection: 7.1, 7.2, 7.3
8. Production, input/output controls: 8.1, 8.2
9. Contingency planning: 9.1, 9.2
10. Hardware and system software maintenance: 10.1 SW, 10.2 HW and SW, 10.3
11. Data integrity: 11.1 SW, 11.2
12. Documentation: 12.1 SW/HW, 12.2
13. Security awareness, training and education: 13.1
14. Incident response capability: 14.1, 14.2

III. Technical controls
15. Identification and authentication: 15.1, 15.2
16. Logical access controls: 16.1, 16.2, 16.3
17. Audit trails: 17.1
C.13 (ISIA) 2004

I.
1. (MOA)
(MOA_ORG)
(MOA_MLC)
(MOA_LCP)
(MOA_OKR)
IA (MOA_DRV)
2. (MSP)
(MSP_ISP)
(MSP_RPG)
3
(MSP_TFR)
(MSP_MSD)
3. (MSR)
(MSR_SRE)

(MSR_ISN)
(MSR_ISP)
(MSR_ISC)
(MSR_TSR)
4. (MCP)
(MCP_LCP)
IS (MCP_LOG)
(MCP_CCK)
5. (MIP)

(MIP_IOP)
(MIP_LRP)
(MIP_SRP)
(MIP_LPC)
(MIP_CIP)


(MIP_MEP)
(MIP_AES)
6. (MPB)
(MPB_IAP)

(MPB_AOB)

(MPB_CPC)
(MPB_CPD)
7. (MPS)
(MPS_SCR)
(MPS_SAW)
(MPS_SED)
(MPS_ACI)
(MPS_IAT)
(MPS_SMP)
8. (MAD)
(MAD_ASR)
(MAD_AFS)


(MAD_DMS)
(MAD_EPY)
9. (MAS)
(MAS_ASL)
(MAS_DMT)
(MAS_AMG)
(MAS_SDC)
(MAS_DCC)
(MAS_DLP)
(MAS_DMP)
(MAS_PCM)
10. (MPH)
(MPH_SAR)
(MPH_ZIP)
(MPH_ZPP)
(MPH_ARU)
(MPH_PAC)
(MPH_ASR)
,

(MPH_DMP)
(MPH_CAS)
11. (MCO)
(MCO_OER)
(MCO_MAC)

(MCO_LCS)
(MCO_CUS)
(MCO_MFC)
(MCO_VPT)
E-Mail (MCO_EMS)
OA (MCO_OAS)
(MCO_SRE)
(MCO_DOP)
(MCO_STO)
(MCO_INM)
(MCO_AUD)
(MCO_MCB)
12. (MCC)
(MCC_NEC)
(MCC_CCC)

(MCC_SDC)
(MCC_TIC)
13. (ADM)46

(ADM_DRP)

(ADM_MRP)
II.
(DPN)
1. (DPN_PSD)
- DPN_PSD.1
2. (DPN_PAT)
- DPN_PAT.1, DPN_PAT.2, DPN_PAT.3, DPN_PAT.4, DPN_PAT.5, DPN_PAT.6
3. (DPN_PAV)
- DPN_PAV.1, DPN_PAV.2, DPN_PAV.3, DPN_PAV.4, DPN_PAV.5
4. (DPN_PAI)
- DPN_PAI.1, DPN_PAI.2, DPN_PAI.3, DPN_PAI.4, DPN_PAI.5, DPN_PAI.6
5. (DPN_PAR)
- DPN_PAR.1, DPN_PAR.2, DPN_PAR.3, DPN_PAR.4, DPN_PAR.5, DPN_PAR.6
(DSR)
6. (DSR_PSN)
- DSR_PSN.1, DSR_PSN.2, DSR_PSN.3, DSR_PSN.4, DSR_PSN.5, DSR_PSN.6, DSR_PSN.7
(DSA)
7. (DSA_PPI)
- DSA_PPI.1, DSA_PPI.2, DSA_PPI.3
8. (DSA_PHD)
- DSA_PHD.1, DSA_PHD.2
(DSD)
9. (DSD_PDD)
- DSD_PDD.1, DSD_PDD.2, DSD_PDD.3, DSD_PDD.4
(ISS)
10. (ISS_PEI)
- ISS_PEI.1, ISS_PEI.2, ISS_PEI.3, ISS_PEI.4, ISS_PEI.5, ISS_PEI.6
11. (ISS_PCS)
- ISS_PCS.1, ISS_PCS.2, ISS_PCS.3, ISS_PCS.4
12. (ISS_PMS)
- ISS_PMS.1, ISS_PMS.2, ISS_PMS.3, ISS_PMS.4, ISS_PMS.5, ISS_PMS.6, ISS_PMS.7
13. (ISS_PAS)
- ISS_PAS.1, ISS_PAS.2, ISS_PAS.3, ISS_PAS.4
(APE)
14. (APE_PVV)
- APE_PVV.1, APE_PVV.2, APE_PVV.3, APE_PVV.4, APE_PVV.5
15. (APE_PBA)
- APE_PBA.1, APE_PBA.2, APE_PBA.3, APE_PBA.4, APE_PBA.5

III.
. CC

C.14 SSE-CMM

ISO/IEC 21827, Information technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM), 2002. PA: Process Area, BP: Base Practice.

PA01
BP.01.01:

BP.01.02:

BP.01.03:
, ,

BP.01.04:

PA02
BP.02.01: /
,

BP.02.02:

BP.02.03:

BP.02.04:

BP.02.05:
BP.02.06:


PA03
BP.03.01:
, ,
BP.03.02: //
BP.03.03:

BP.03.04:

BP.03.05:
BP.03.06:

PA04
BP.04.01:

BP.04.02:
/
BP.04.03:

BP.04.04:

BP.04.05:

BP.04.06:

PA05
BP.05.01:
, ,
BP.05.02:
BP.05.03:
BP.05.04:

BP.05.05:

PA06

BP.06.01:
BP.06.02:

BP.06.03:

BP.06.04:
BP.06.05:

PA07
BP.07.01:

BP.07.02:

BP.07.03:
BP.07.04:

PA08
BP.08.01:

BP.08.02: , , , ,

BP.08.03:
BP.08.04:

BP.08.05:

BP.08.06:

BP.08.07:

PA09
BP.09.01:
, ,
BP.09.02:

BP.09.03:



BP.09.04:

BP.09.05:

BP.09.06:

PA10
BP.10.01:

BP.10.02: ,
, ,
BP.10.03:

BP.10.04:

BP.10.05:

BP.10.06:

BP.10.07:

PA11
BP.11.01:

BP.11.02:

BP.11.03:

BP.11.04:


BP.11.05: /

PA12
BP.12.01:

BP.12.02:
BP.12.03:
BP.12.04:
BP.12.05:
BP.12.06:
BP.12.07:
PA13
BP.13.01:
BP.13.02:
BP.13.03:
BP.13.04:
BP.13.05:
PA14
BP.14.01:
BP.14.02:
BP.14.03:
BP.14.04:
BP.14.05:
BP.14.06:
PA15
BP.15.01:
BP.15.02:
BP.15.03:
BP.15.04:
BP.15.05:
BP.15.06:
PA16
BP.16.01:
BP.16.02:
BP.16.03:


BP.16.04:
BP.16.05:
BP.16.06:
BP.16.07:
BP.16.08:
BP.16.09:
BP.16.10:

PA17
BP.17.01:
BP.17.02:
BP.17.03:

BP.17.04:
PA18
BP.18.01:
BP.18.02:
BP.18.03:
BP.18.04:

PA19
BP.19.01:
BP.19.02:
BP.19.03:
BP.19.04:

BP.19.05:

PA20
BP.20.01:
BP.20.02:
BP.20.03:
BP.20.04:
BP.20.05:
BP.20.06:
BP.20.07:
PA21
BP.21.01:
BP.21.02:

BP.21.03:
BP.21.04:
BP.21.05:
BP.21.06:
BP.21.07:
BP.21.08:
PA22
BP.22.01:

BP.22.02:

BP.22.03:
BP.22.04:
BP.22.05:

C.15 IT Baseline Protection Manual (BPM)


IT Baseline Protection Manual(BPM), Bundesamt fr Sicherheit in der Informationstechnik,
Germany. ISBN 3-88784-915-9

1.

1.4 Lightning protection devices

1.1 Compliance with relevant DIN

1.5 Galvanic separation of external lines

standards/VDE specifications

1.6 Adherence to fire protection

1.2 Regulations governing access to


distributors
1.3 Adapted segmentation of circuits

regulations
1.7 Hand-held fire extinguishers
1.8 Room allocation, with due regard to

- 330 -

C.

fire loads

devices with exchangeable data media,

1.9 Fire sealing of cable routes

and printers

1.10 Use of safety doors and windows

1.33 Safe keeping of laptop PCs during

1.11 Plans detailing the location of

mobile use

supply lines

1.34 Safe keeping of laptop PCs during

1.12 Avoidance of references to the

stationary use

location of building parts requiring

1.35 Pooled storage of a number of

protection

laptop PCs

1.13 Layout of building parts requiring

1.36 Safekeeping of data media before

protection

and after dispatch

1.14 Automatic drainage

1.37 Adequate siting of a fax machine

1.15 Closed windows and doors

1.38 Suitable siting of a modem

1.16 Selection of a suitable site

1.39 Prevention of transient currents on

1.17 Entrance control service

shielding

1.18 Alarm systems

1.40 Appropriate siting of protective

1.19 Protection against break-in

cabinets

1.20 Selection of cable types suited in

1.41 Protection against electromagnetic

terms of their physical/mechanical

irradiation

properties

1.42 Secure siting of Novell Netware

1.21 Sufficient dimensioning of lines

servers

1.22 Physical protection of lines and

1.43 Secure siting of ISDN routers

distributors

1.44 Suitable configuration of a home

1.23 Locked doors

workplace

1.24 Avoidance of water pipes

1.45 Suitable storage of business-related

1.25 Overvoltage protection

documents and data media

1.26 Emergency circuit-breakers

1.46 Use of anti-theft devices

1.27 Air conditioning

1.47 Separate fire cut

1.28 Local Uninterruptible Power Supply

1.48 Fire alarm system

(UPS)

1.49 Technical and organisational

1.29 Adequate siting of an IT system

requirements for the computer centre

1.30 Safeguarding of data media

1.50 Smoke protection

containing data on telecommunications

1.51 Fire load reduction

charges

1.52 Redundancies in the technical

1.31 Remote indication of malfunctions


1.32 Adequate siting of the consoles,

infrastructure
1.53 Video surveillance

- 331 -

C.

1.54 Early detection of fires / fire

2.16 Supervising or escorting outside

extinguishing technology

staff/visitors

1.55 Perimeter protection

2.17 Entry regulations and controls

1.56 Secondary power supply

2.18 Inspection rounds

1.57 Up-to-date infrastructure and

2.19 Neutral documentation in

building plans

distributors

1.58 Technical and organisational

2.20 Monitoring of existing connections

requirements for server rooms

2.21 Ban on smoking

1.59 Appropriate siting of archival

2.22 Escrow of passwords

systems

2.23 Issue of PC Use Guidelines

1.60 Appropriate storage of archival

2.24 Introduction of a PC Checklist

media

Booklet
2.25 Documentation of the system

2.

configuration

2.1 Specification of responsibilities and

2.26 Appointment of an administrator

of requirements documents for IT uses


2.2 Resource management

and his deputy


2.27 Dispensing with remote

2.3 Data media control

maintenance of the PBX

2.4 Maintenance/repair regulations

2.28 Availability of external

2.5 Division of responsibilities and

telecommunications advisory services

separation of functions

2.29 PBX operating instructions for

2.6 Granting of site access authorisations


2.7 Granting of (system/network) access

users
2.30 Provisions governing the

rights

designation of users and of user

2.8 Granting of access rights

groups

2.9 Ban on using non-approved software

2.31 Documentation on authorised users

2.10 Survey of the software held


2.11 Provisions governing the use of

and on rights profiles


2.32 Establishment of a restricted user

passwords
2.12 Services and counselling for IT

environment
2.33 Division of administrator roles

users
2.13 Correct disposal of resources

under UNIX
2.34 Documentation of changes made to

requiring protection
2.14 Key management

an existing IT system
2.35 Obtaining information on security

2.15 Fire safety inspections

weaknesses of the system

- 332 -

C.

2.36 Orderly issue and retrieval of a

2.56 Avoidance of confidential

portable (laptop) PC

information on answering machines

2.37 Clean desk policy

2.57 Regular playback and deletion of

2.38 Division of administrator roles in

recorded messages

PC networks

2.58 Limitation of message time

2.39 Response to violations of security

2.59 Procurement of a suitable modem

policies

2.60 Secure administration of a modem

2.40 Timely involvement of the

2.61 Requirements document for modem

staff/factory council

usage

2.41 Employees' commitment to data

2.62 Software acceptance and approval

backup

procedure

2.42 Determination of potential

2.63 Establishing access rights

communications partners

2.64 Checking the log files

2.43 Adequate labelling of data media

2.65 Checking the efficiency of user

for dispatch

separation on an IT System

2.44 Secure packaging of data media

2.66 The importance of certification for

2.45 Controlling the exchange of data

procurement

media

2.67 Defining a security strategy for

2.46 Appropriate key management

peer-to-peer networks

2.47 Designating a person in charge of

2.68 Implementation of security checks

the fax system

by the peer-to-peer network users

2.48 Designating authorised fax operators

2.69 Establishing standard workstations

2.49 Procurement of suitable fax

2.70 Developing a firewall concept

machines

2.71 Establishing a security policy for a

2.50 Appropriate disposal of consumable


fax accessories and spare parts

firewall
2.72 Requirements on a firewall

2.51 Producing copies of incoming fax

2.73 Selecting a suitable firewall

messages

2.74 Selection of a suitable packet filter

2.52 Supply and monitoring of

2.75 Selection of a suitable application

consumable fax accessories

gateway

2.53 Deactivation of fax machines after

2.76 Selection and implementation of

office hours
2.54 Procurement/selection of suitable

suitable filter rules


2.77 Secure configuration of other

answering machines
2.55 Use of a security code

components
2.78 Secure operation of a firewall

- 333 -

C.

2.79 Determining responsibilities in the

2.99 Secure set-up of Novell Netware

area of standard software

servers

2.80 Drawing up a requirements

2.100 Secure operation of Novell

catalogue for standard software

Netware servers

2.81 Preselection of a suitable standard

2.101 Revision of Novell Netware

software product

servers

2.82 Developing a test plan for standard

2.102 Relinquishing activation of the

software

remote console

2.83 Testing standard software

2.103 Setting up user profiles under

2.84 Deciding on and developing the

Windows 95

installation instructions for standard

2.104 System guidelines for restricting

software

usage of Windows 95

2.85 Approval of standard software

2.105 Obtaining PBX units

2.86 Guaranteeing the integrity of

2.106 Purchase of suitable ISDN cards

standard software

2.107 Documentation of the

2.87 Installation and configuration of

configuration of ISDN cards

standard software

2.108 Relinquishment of remote

2.88 Licence management and version

maintenance of ISDN gateways

control of standard software

2.109 Assigning rights for remote access

2.89 De-installation of standard software

2.110 Data privacy guidelines for

2.90 Checking delivery

logging procedures

2.91 Determining a security strategy for


the Windows NT client-server network

2.111 Keeping manuals at hand


2.112 Regulation of the transport of files

2.92 Performing security checks in the

and data media between home

Windows NT client-server network


2.93 Planning of a Windows NT

workstations and institutions


2.113 Requirements documents

network
2.94 Sharing of directories under

concerning telecommuting
2.114 Flow of information between the

Windows NT
2.95 Obtaining suitable protective

telecommuter and the institution


cabinets
2.96 Locking of protective cabinets
2.97 Correct procedure for code locks
2.98 Secure installation of Novell Netware servers
2.115 Care and maintenance of workstations for telecommuting
2.116 Regulated use of communications facilities
2.117 Regulation of access by telecommuters
2.118 Determination of a security policy for the use of e-mail
2.119 Regulations concerning the use of e-mail services
2.120 Configuration of a mail centre
2.121 Regular deletion of e-mails
2.122 Standard e-mail addresses
2.123 Selection of a mail provider
2.124 Selection of suitable database software
2.125 Installation and configuration of a database
2.126 Creation of a database security concept
2.127 Inference prevention
2.128 Controlling access to a database system
2.129 Controlling access to database information
2.130 Ensuring the integrity of a database
2.131 Separation of administrative tasks for database systems
2.132 Provisions for configuring database users / user groups
2.133 Checking the log files of a database system
2.134 Guidelines for database queries
2.135 Safe transfer of data to a database
2.136 Observance of rules concerning workstations and working environments
2.137 Procurement of a suitable data backup system
2.138 Structured data storage
2.139 Survey of the existing network environment
2.140 Analysis of the existing network environment
2.141 Development of a network concept
2.142 Development of a network realisation plan
2.143 Development of a network management concept
2.144 Selection of a suitable network management protocol
2.145 Requirements for a network management tool
2.146 Secure operation of a network management system
2.147 Secure migration of Novell Netware 3.x servers to Novell Netware 4.x networks
2.148 Secure configuration of Novell Netware 4.x networks
2.149 Secure operation of Novell Netware 4.x networks
2.150 Auditing of Novell Netware 4.x networks
2.151 Design of an NDS concept
2.152 Design of a time synchronisation concept
2.153 Documentation of Novell Netware 4.x networks
2.154 Creation of a computer virus protection concept
2.155 Identification of IT systems potentially threatened by computer viruses
2.156 Selection of a suitable computer virus protection strategy
2.157 Selection of a suitable computer virus scanning program
2.158 Reporting computer virus infections
2.159 Updating the computer virus scanning programs used
2.160 Regulations on computer virus protection
2.161 Development of a cryptographic concept
2.162 Determining the need to use cryptographic procedures and products
2.163 Determining the factors influencing cryptographic procedures and products
2.164 Selection of a suitable cryptographic procedure
2.165 Selection of a suitable cryptographic product
2.166 Provisions governing the use of crypto modules
2.167 Secure deletion of data media
2.168 IT system analysis before the introduction of a system management system
2.169 Developing a system management strategy
2.170 Requirements to be met by a system management system
2.171 Selection of a suitable system management product
2.172 Developing a concept for using the WWW
2.173 Determining a WWW security strategy
2.174 Secure operation of a WWW server
2.175 Setting up a WWW server
2.176 Selection of a suitable Internet service provider
2.177 Security during relocation
2.178 Creation of security guidelines for the use of faxes
2.179 Procedures controlling the use of fax servers
2.180 Configuration of a fax mail centre
2.181 Selection of a suitable fax server
2.182 Regular revision of IT security measures
2.183 Performing a RAS requirements analysis
2.184 Development of a RAS concept
2.185 Selection of a suitable RAS system architecture
2.186 Selection of a suitable RAS product
2.187 Definition of a set of RAS security guidelines
2.188 Security guidelines and rules for the use of mobile phones
2.189 Blocking of the mobile phone in the event of its loss
2.190 Setting up a mobile phone pool
2.191 Establishment of the IT security process
2.192 Drawing up of an Information Security Policy
2.193 Establishment of a suitable organisational structure for IT security
2.194 Drawing up a schedule of existing IT systems
2.195 Creation of an IT security concept
2.196 Implementation of the IT security concept in accordance with an implementation plan
2.197 Drawing up a training concept for IT security
2.198 Making staff aware of IT security issues
2.199 Maintenance of IT security
2.200 Preparation of management reports on IT security
2.201 Documentation of the IT security process
2.202 Preparation of an IT Security Manual
2.203 Establishment of a pool of information on IT security
2.204 Prevention of insecure network access
2.205 Transmission and retrieval of person-related data
2.206 Planning the use of Lotus Notes
2.207 Defining security guidelines for Lotus Notes
2.208 Planning of the domains and certificate hierarchy of Lotus Notes
2.209 Planning the use of Lotus Notes in an intranet
2.210 Planning the use of Lotus Notes in an intranet with browser access
2.211 Planning the use of Lotus Notes in a demilitarised zone
2.212 Organisational requirements regarding cleaning contractors
2.213 Maintenance of the technical infrastructure
2.214 Concept of IT operations
2.215 Error handling
2.216 Approval procedure for IT components
2.217 Careful classification and handling of information, applications and systems
2.218 Procedures regarding the personal transportation of data media and IT components
2.219 Continuous documentation of information processing
2.220 Guidelines for access control
2.221 Change management
2.222 Regular checking of technical IT security measures
2.223 Security objectives for the use of standard software
2.224 Precautions against Trojan horses
2.225 Assignment of responsibility for information, applications and IT components
2.226 Procedures regarding the use of outside staff
2.227 Planning the use of Windows 2000
2.228 Drawing up a set of Windows 2000 Security Guidelines
2.229 Planning Active Directory
2.230 Planning of Active Directory Administration
2.231 Planning of Group Policy under Windows 2000
2.232 Planning the Windows 2000 CA structure
2.233 Planning the migration from Windows NT to Windows 2000
2.234 The design of Internet PCs
2.235 Guidelines for the use of Internet PCs
2.236 Planning the use of Novell eDirectory
2.237 Planning of partitioning and replication in Novell eDirectory
2.238 Specification of Security Guidelines for Novell eDirectory
2.239 Planning the use of Novell eDirectory on the Intranet
2.240 Planning the use of Novell eDirectory on the Extranet
2.241 How to carry out a teleworkstation requirements analysis
2.242 Electronic archiving objectives
2.243 Development of an archiving concept
2.244 Determination of the technical influencing factors for electronic archiving
2.245 Determination of the legal influencing factors for electronic archiving
2.246 Determination of the organisational influencing factors for electronic archiving
2.247 Planning the Use of Exchange/Outlook 2000
2.248 Definition of Security Guidelines for Exchange/Outlook 2000
2.249 Planning the Migration of Exchange 5.5 Servers to Exchange 2000
2.250 Determining an outsourcing strategy
2.251 Specification of the security requirements for outsourcing projects
2.252 Choice of a suitable outsourcing service provider
2.253 Contractual arrangements with the outsourcing service provider
2.254 Creation of an IT security concept for the outsourcing project
2.255 Secure migration in outsourcing projects
2.256 Planning and maintenance of IT security during ongoing outsourcing operations
2.257 Monitoring of the memory resources of archival media
2.258 Consistent indexing of documents during archiving
2.259 Introduction of a high-level document management system
2.260 Regular auditing of the archiving procedure
2.261 Regular market surveys of archive systems
2.262 Control of archive system usage
2.263 Regular regeneration of archived data resources
2.264 Regular regeneration of encrypted data in archiving
2.265 Proper use of digital signatures in archiving
2.266 Regular replacement of technical archive system components
2.267 Planning the use of IIS
2.268 Definition of a security policy for IIS
2.269 Planning the use of an Apache web server
2.270 Planning the use of SSL on the Apache web server
2.271 Determining a security strategy for web access
2.272 Setting up a web editorial team
2.273 Prompt installation of security-relevant patches and updates
2.274 Deputisation arrangements for e-mail
2.275 Setting up function-specific e-mail addresses

3.

3.1 Well-regulated familiarisation/training of new staff with their work
3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions
3.3 Deputising arrangements
3.4 Training before actual use of a program
3.5 Education on IT security measures
3.6 Regulated procedure as regards termination of employment
3.7 Point of contact in case of personal problems
3.8 Avoidance of factors impairing the organizational climate
3.9 Ergonomic workplace
3.10 Selection of a trustworthy administrator and his substitute
3.11 Training of maintenance and administration staff
3.12 Informing all staff members about possible PBX warning notices, warning symbols and acoustic alarm signals
3.13 Increasing staff awareness of potential threats to the PBX
3.14 Briefing personnel on correct procedures of exchanging data media
3.15 Information for all staff about the use of faxes
3.16 Briefing personnel on the operation of answering machines
3.17 Briefing personnel on modem usage
3.18 Log-out obligation for users
3.19 Instructions concerning the correct use of the security functions in Peer-to-Peer services
3.20 Instructions concerning the operation of protective cabinets
3.21 Training and further education of telecommuters as regards security-related issues
3.22 Regulations concerning substitution of telecommuters
3.23 Introduction to basic cryptographic terms
3.24 Training on the Lotus Notes system architecture for administrators
3.25 Training on Lotus Notes security mechanisms for users
3.26 Briefing of staff in the secure handling of IT equipment
3.27 Training on Active Directory administration
3.28 User training on Windows 2000 security mechanisms
3.29 Training on the administration of Novell eDirectory
3.30 Training on the use of Novell eDirectory Client Software
3.31 Administrator Training on Exchange 2000 System Architecture and Security
3.32 User Training on Outlook 2000 Security Mechanisms
3.33 Security vetting of staff
3.34 Basic training on the administration of the archive system
3.35 Basic user training on how to use the archive system
3.36 Administrator training on the secure installation and configuration of IIS
3.37 Training the administrators of an Apache web server

4.

4.1 Password protection for IT systems
4.2 Screen Lock
4.3 Periodic runs of a virus detection program
4.4 Correct Handling of Drives for Removable Media
4.5 Logging of PBX administration jobs
4.6 Audit of the PBX configuration (target/performance reconciliation)
4.7 Change of preset passwords
4.8 Protection of the PBX operator's console
4.9 Use of the security mechanisms of X Windows
4.10 Password protection for PBX terminals
4.11 Screening of PBX interfaces
4.12 Disabling of unneeded user facilities
4.13 Careful allocation of identifiers
4.14 Mandatory password protection under UNIX
4.15 Secure log-in
4.16 Restrictions on access to accounts and/or terminals
4.17 Blocking and deletion of unnecessary accounts and terminals
4.18 Administrative and technical means to control access to the system-monitor and single-user mode
4.19 Restrictive allocation of attributes for UNIX system files and directories
4.20 Restrictive allocation of attributes for UNIX user files and directories
4.21 Preventing unauthorised acquisition of administrator rights
4.22 Prevention of loss of confidentiality of sensitive data in the UNIX system
4.23 Secure invocation of executable files
4.24 Ensuring consistent system management
4.25 Use of logging in UNIX systems
4.26 Regular security checks of the UNIX system
4.27 Password protection in laptop PCs
4.28 Software re-installation in the case of change of laptop PC users
4.29 Use of an encryption product for laptop PCs
4.30 Utilisation of the security functions offered in application programs
4.31 Ensuring power supply during mobile use
4.32 Physical deletion of data media before and after usage
4.33 Use of a virus scanning program when exchanging data media and transmitting data
4.34 Using encryption, checksums or digital signatures
4.35 Pre-dispatch verification of the data to be transferred
4.36 Blocking fax recipient numbers
4.37 Blocking fax sender numbers
4.38 Deactivation of unnecessary service features
4.39 Deactivation of answering machines for periods of absence
4.40 Preventing unauthorised use of computer microphones
4.41 Use of a suitable PC security product
4.42 Implementation of security functions in the IT application
4.43 Fax machine with automatic envelope sealing system
4.44 Checking of incoming files for macro viruses
4.45 Setting up a secure Peer-to-Peer environment under WfW
4.46 Use of the log-on password under WfW and Windows 95
4.47 Logging of firewall activities
4.48 Password Protection under Windows NT/2000
4.49 Protection of the Boot-Up Procedure for a Windows NT/2000 System
4.50 Structured system administration under Windows NT
4.51 User profiles to restrict the usage possibilities of Windows NT
4.52 Device Protection under Windows NT/2000
4.53 Restrictive allocation of access rights to files and directories under Windows NT
4.54 Logging under Windows NT
4.55 Secure installation of Windows NT
4.56 Secure deletion under Windows operating systems
4.57 Deactivating automatic CD-ROM recognition
4.58 Sharing of directories under Windows 95
4.59 Deactivation of ISDN board functions which are not required
4.60 Deactivation of ISDN router functions which are not required
4.61 Use of security mechanisms offered by ISDN components
4.62 Use of a D-channel filter
4.63 Security-related requirements for telecommuting computers
4.64 Verification of data before transmission / elimination of residual information
4.65 Testing of new hardware and software
4.66 Novell Netware - safe transition to the year 2000
4.67 Locking and deleting database accounts which are no longer required
4.68 Ensuring consistent database management
4.69 Regular checks of database security
4.70 Monitoring a database
4.71 Restrictive utilisation of database links
4.72 Database encryption
4.73 Specifying upper limits
4.74 Networked Windows 95 computers
4.75 Protection of the Registry under Windows NT/2000
4.76 Secure system version of Windows NT
4.77 Protection of administrator accounts under Windows NT
4.78 Careful modifications of configurations
4.79 Secure access mechanisms for local administration
4.80 Secure access mechanisms for remote administration
4.81 Auditing and logging of activities in a network
4.82 Secure configuration of active network components
4.83 Updating / upgrading of software and hardware in network components
4.84 Use of BIOS security mechanisms
4.85 Design of suitable interfaces for crypto modules
4.86 Secure separation of roles and configuration with crypto modules
4.87 Physical security of crypto modules
4.88 Operating system security requirements when using crypto modules
4.89 Emission security
4.90 Use of cryptographic procedures on the various layers of the ISO/OSI reference model
4.91 Secure installation of a system management system
4.92 Secure operation of a system management system
4.93 Regular integrity checking
4.94 Protection of WWW files
4.95 Minimal operating system
4.96 Deactivating DNS
4.97 One service per server
4.98 Restricting communication to a minimum with packet filters
4.99 Protection against subsequent changes to information
4.100 Firewalls and active content
4.101 Firewalls and encryption
4.102 C2 security under Novell 4.11
4.103 DHCP server under Novell Netware 4.x
4.104 LDAP Services for NDS
4.105 Initial measures after a Unix standard installation
4.106 Activation of system logging
4.107 Use of vendor resources
4.108 Simplified and secure network management with DNS services under Novell NetWare 4.11
4.109 Software reinstallation on workstations
4.110 Secure installation of the RAS system
4.111 Secure configuration of the RAS system
4.112 Secure operation of the RAS system
4.113 Use of an authentication server within RAS access
4.114 Use of the security mechanisms provided on mobile phones
4.115 Safeguarding the power supply of mobile phones
4.116 Secure installation of Lotus Notes
4.117 Secure configuration of a Lotus Notes server
4.118 Configuration as a Lotus Notes server
4.119 Instituting restrictions on access to Lotus Notes servers
4.120 Configuration of access control lists for Lotus Notes databases
4.121 Configuration of rights of access to the Lotus Notes Name and Address Book
4.122 Configuration for browser access to Lotus Notes
4.123 Configuration of SSL-protected browser access to Lotus Notes
4.124 Configuration of authentication mechanisms with browser access to Lotus Notes
4.125 Instituting restrictions on access to Lotus Notes databases with browser access
4.126 Secure configuration of a Lotus Notes client
4.127 Secure configuration of browser access to Lotus Notes
4.128 Secure operation of Lotus Notes
4.129 Secure handling of Notes ID files
4.130 Security measures following the creation of a new Lotus Notes database
4.131 Encryption of Lotus Notes databases
4.132 Monitoring of a Lotus Notes system
4.133 Appropriate choice of authentication mechanisms
4.134 Choice of suitable data formats
4.135 Restrictive granting of access rights to system files
4.136 Secure installation of Windows 2000
4.137 Secure configuration of Windows 2000
4.138 Configuration of Windows 2000 as domain controller
4.139 Configuration of Windows 2000 as server
4.140 Secure configuration of important Windows 2000 services
4.141 Secure configuration of DDNS under Windows 2000
4.142 Secure configuration of WINS under Windows 2000
4.143 Secure configuration of DHCP under Windows 2000
4.144 Use of the Windows 2000 CA
4.145 Secure configuration of RRAS under Windows 2000
4.146 Secure operation of Windows 2000
4.147 Secure use of EFS under Windows 2000
4.148 Monitoring a Windows 2000 system
4.149 File and share authorisations under Windows 2000
4.150 Configuration of Windows 2000 as workstation
4.151 Secure installation of Internet PCs
4.152 Secure operation of Internet PCs
4.153 Secure installation of Novell eDirectory
4.154 Secure installation of Novell eDirectory client software
4.155 Secure configuration of Novell eDirectory
4.156 Secure configuration of Novell eDirectory client software
4.157 Configuration of Novell eDirectory access authorisations
4.158 Configuration of LDAP access to Novell eDirectory
4.159 Secure operation of Novell eDirectory
4.160 Monitoring of Novell eDirectory
4.161 Secure installation of Exchange/Outlook 2000
4.162 Secure configuration of Exchange 2000 servers
4.163 Access rights to objects of Exchange 2000
4.164 Browser access to Exchange 2000
4.165 Secure configuration of Outlook 2000
4.166 Secure operation of Exchange/Outlook 2000
4.167 Monitoring and logging of Exchange 2000 systems
4.168 Choice of a suitable archival system
4.169 Utilisation of suitable archival media
4.170 Choice of suitable data formats for the archival storage of documents
4.171 Protection of the integrity of the index database of archival systems
4.172 Logging of the archival accesses
4.173 Regular function and recovery tests for archiving
4.174 Preparing the Windows NT/2000 installation for IIS
4.175 The secure configuration of Windows NT/2000 for IIS
4.176 Selection of an authentication method for web offerings
4.177 Assuring the integrity and authenticity of software packages
4.178 Protection of Administrator and user accounts with IIS
4.179 Protection of security-critical files with IIS
4.180 Configuration of authentication mechanisms for access to the IIS
4.181 Running IIS in a separate process
4.182 Monitoring of the IIS system
4.183 Ensuring the availability and performance of the IIS
4.184 Deactivation of unnecessary Windows system services with IIS
4.185 Protection of virtual directories and web applications with IIS
4.186 Removing the sample files and administration scripts in IIS
4.187 Removal of the FrontPage Server extension of IIS
4.188 Validation of user inputs where IIS is used
4.189 Protection against unauthorised program calls with IIS
4.190 Removal of RDS support in IIS
4.191 Verification of the integrity and authenticity of Apache packages
4.192 Configuration of the operating system for an Apache web server
4.193 Secure installation of an Apache web server
4.194 Secure basic configuration of an Apache web server
4.195 Configuration of access control under the Apache web server
4.196 Secure operation of an Apache web server
4.197 Server extensions for dynamic web pages where the Apache web server is used
4.198 Installation of an Apache web server in a chroot cage
4.199 Avoiding dangerous file formats
4.200 Handling of USB storage media

5.

5.1 Removal, or short-circuiting and grounding, of unneeded lines
5.2 Selection of an appropriate network topography
5.3 Selection of cable types suited in terms of communication technology
5.4 Documentation on, and marking of, cabling
5.5 Damage-minimising routing of cables
5.6 Mandatory use of a network password
5.7 Network management
5.8 Monthly security checks of the network
5.9 Logging at the Server
5.10 Restrictive granting of access rights
5.11 Blocking the server console
5.12 Setting up an additional network administrator
5.13 Appropriate use of equipment for network coupling
5.14 Shielding of internal remote accesses
5.15 Shielding of external remote accesses
5.16 Survey of network services
5.17 Use of the NFS security mechanisms
5.18 Use of the NIS security mechanisms
5.19 Use of the sendmail security mechanisms
5.20 Use of the security mechanisms of rlogin, rsh and rcp
5.21 Secure use of telnet, ftp, tftp and rexec
5.22 Compatibility check of the transmission and reception systems
5.23 Selecting suitable types of dispatch for data media
5.24 Use of a suitable fax cover sheet
5.25 Using transmission and reception logs
5.26 Announcing fax messages via telephone
5.27 Acknowledging successful fax reception by telephone
5.28 Acknowledging a correct fax sender
5.29 Periodic checks of destination addresses and logs
5.30 Activating an existing call-back option
5.31 Suitable modem configuration
5.32 Secure use of communications software
5.33 Secure remote maintenance via modem
5.34 Use of one-time passwords
5.35 Use of UUCP security mechanisms
5.36 Encryption under UNIX and Windows NT
5.37 Restriction of Peer-to-Peer Functions in a Server-Supported Network
5.38 Secure integration of DOS PCs into a UNIX network
5.39 Secure use of protocols and services
5.40 Secure integration of DOS PCs into a Windows NT network
5.41 Secure configuration of remote access under Windows NT
5.42 Secure configuration of TCP/IP network administration under Windows NT
5.43 Secure configuration of TCP/IP network services under Windows NT
5.44 One-way connection setup
5.45 Security of WWW browsers
5.46 Installing stand-alone systems for Internet use
5.47 Configuration of a Closed User Group
5.48 Authentication via CLIP/COLP
5.49 Callback based on CLIP/COLP
5.50 Authentication via PAP/CHAP
5.51 Security-related requirements for communications links between telecommuting workstations and the institution
5.52 Security-related requirements for communications computers
5.53 Protection against mail bombs
5.54 Protection against mail overload and spam
5.55 Checking of alias files and distribution lists
5.56 Secure operation of a mail server
5.57 Secure configuration of mail clients
5.58 Installation of ODBC drivers
5.59 Protection against DNS spoofing
5.60 Selection of a suitable backbone technology
5.61 Suitable physical segmentation
5.62 Suitable logical segmentation
5.63 Use of GnuPG or PGP
5.64 Secure Shell
5.65 Use of S-HTTP
5.66 Use of SSL
5.67 Use of a time stamp service
5.68 Use of encryption procedures for network communications
5.69 Protection against active content
5.70 Network address translation (NAT)
5.71 Intrusion detection and intrusion response systems
5.72 Deactivation of unnecessary network services
5.73 Secure operation of a fax server
5.74 Maintenance of fax server address books and distribution lists
5.75 Protecting against overloading the fax server
5.76 Use of suitable tunnel protocols for RAS communication
5.77 Establishment of Subnetworks
5.78 Protection against mobile phone usage data being used to create movement profiles
5.79 Protection against call number identification during use of mobile phones
5.80 Protection against bugging of indoor conversations using mobile phones
5.81 Secure transmission of data over mobile phones
5.82 Secure Use of SAMBA
5.83 Secure Connection of an External Network with Linux FreeS/WAN
5.84 Use of encryption procedures for Lotus Notes communication
5.85 Use of encryption procedures for Lotus Notes e-mail
5.86 Use of encryption procedures with browser access to Lotus Notes
5.87 Agreement regarding connection to third party networks
5.88 Agreement regarding the exchange of data with third parties
5.89 Configuration of the Secure Channel under Windows 2000
5.90 The Use of IPSec under Windows 2000
5.91 The Use of Personal Firewalls for Internet PCs
5.92 Secure Connection to the Internet of Internet PCs
5.93 Security Issues Relating to the Use of Web Browsers by Internet PCs
5.94 Security Issues Relating to the Use of E-Mail Clients by Internet PCs
5.95 Secure e-Commerce Using Internet PCs
5.96 The Secure Use of Webmail
5.97 Protection of Communications with Novell eDirectory
5.98 Misuse of chargeable dial-in numbers
5.99 SSL/TLS Protection for Exchange 2000
5.100 Use of Encryption and Signature Procedures for Exchange 2000 Communication (optional)
5.101 Deletion of unnecessary ODBC drivers where IIS is used
5.102 Installation of URL filters where IIS is used
5.103 Removal of all network shares with IIS
5.104 Configuration of TCP/IP filtering with IIS
5.105 Prevention of SYN attacks on the IIS
5.106 Removal of non-trusted root certificates when using IIS
5.107 Use of SSL in the Apache web server
5.108 Cryptographic protection of e-mail
5.109 Use of an e-mail scanner on the mail server
5.110 Protection of e-mail with SPHINX (S/MIME)

6.

6.1 Development of a survey of availability requirements
6.2 Definition of "emergency", person-in-charge in an "emergency"
6.3 Development of an Emergency Procedure Manual
6.4 Documentation on the capacity requirements of IT applications
6.5 Definition of "restricted IT operation"
6.6 Study of internally and externally available alternatives
6.7 Responsibilities in an emergency
6.8 Alert plan
6.9 Contingency plans for selected incidents
6.10 Contingency plans for breakdown of data transmission
6.11 Development of a post-incident recovery plan
6.12 Emergency preparedness exercises
6.13 Development of a data backup plan
6.14 Replacement procurement plan
6.15 Agreements with suppliers
6.16 Taking out insurance
6.17 Alert plan and fire drills
6.18 Provision of redundant lines
6.19 Data backup on PCs
6.20 Appropriate storage of backup data media
6.21 Backup copy of the software used
6.22 Sporadic checks of the restorability of backups
6.23 Procedures in the event of computer virus infection
6.24 PC emergency floppy disk
6.25 Regular backup of the server hard disk
6.26 Regular backup of PBX configuration data
6.27 Secure update of BIOS
6.28 Agreement on the delivery deadlines for "vital" PBX units
6.29 PBX base line for emergency calls
6.30 Emergency circuit
6.31 Procedural patterns following a loss of system integrity
6.32 Regular data backup
6.33 Development of a data backup policy
6.34 Determining the factors influencing data backup
6.35 Stipulating data backup procedures
6.36 Stipulating a minimal data backup policy
6.37 Documenting data backup procedures
6.38 Back-up copies of transferred data
6.39 Listing dealerships for re-procurement of fax products
6.40 Regular battery checks/replacements
6.41 Training data reconstruction
6.42 Creating start-up disks for Windows NT
6.43 Use of Redundant Windows NT/2000 Servers
6.44 Data back-up under Windows NT
6.45 Data backup under Windows 95
6.46 Creation of rescue disks for Windows 95
6.47 Storage of backup copies as part of telecommuting
6.48 Procedures in case of a loss of database integrity
6.49 Data backup in a database
6.50 Archiving database
6.51 Restoring a database
6.52 Regular backup of configuration data of active network components
6.53 Redundant arrangement of network components
6.54 Procedures in case of a loss of network integrity
6.55 Reduction of restart times for Novell Netware servers
6.56 Data backup when using cryptographic procedures
6.57 Creation of an emergency plan for the failure of the management system
6.58 Establishment of a management system for handling security incidents
6.59 Specification of responsibilities for dealing with security incidents
6.60 Procedural rules and reporting channels for security incidents
6.61 Escalation strategy for security incidents
6.62 Specifying priorities for handling security incidents
6.63 Investigation and assessment of a security incident
6.64 Remedial action in connection with security incidents
6.65 Notification of parties affected
6.66 Evaluation of security incidents
6.67 Use of detection measures for security incidents
6.68 Testing the effectiveness of the management system for the handling of security incidents
6.69 Contingency planning and operational reliability of fax servers
6.70 Creation of a contingency plan for failure of the RAS system
6.71 Data backup for a mobile IT system
6.72 Precautions relating to mobile phone failures
6.73 Creation of a contingency plan for failure of the Lotus Notes system
6.74 Emergency archive
6.75 Redundant communication links
6.76 Creation of a Contingency Plan for Failure of a Windows 2000 Network
6.77 Creation of rescue disks for Windows 2000
6.78 Data backup under Windows 2000
6.79 Protection of Data on Internet PCs
6.80 Creation of a Contingency Plan for Failure of a Novell eDirectory Directory Service
6.81 Creation of data backups for Novell eDirectory
6.82 Creation of a Contingency Plan for the Failure of Exchange Systems
6.83 Contingency planning with outsourcing
6.84 Data backup and archiving of e-mails
6.85 Creation of a contingency plan covering failure of IIS
6.86 Protection against harmful code on the IIS
6.87 Data backup on the IIS
6.88 Creation of a contingency plan for the web server
6.89 Contingency planning for an Apache web server
6.90 Data backup and archiving of e-mails

D. CC 3.1


1.
2. (CAP)
3. (ACO)
4.

D.1
CC 3.1 ACO 2 (component) TOE
(composed) TOE" (C-TOE )
, C-TOE . C-TOE ,
,
o -56) C-TOE
o - -57) (compatible)
o - - C-TOE

o [ D-1] EAL1 ~ EAL7 ,
CC 3.1 C-TOE CAP-A, CAP-B, CAP-C .
[ D-1] CC CAP

56) OS TOE(dominant
peer).
57) TOE(minor peer ).


ACO

ALC

ASE
ST


ACO_COR
ACO_DEV
ACO_REL
ACO_TBT
ACO_VUL
ALC_CMC
ALC_CMS
ALC_DEL
ALC_DVS
ALC_FLR
ALC_LCD
ALC_TAT
ASE_CCL
ASE_ECD
ASE_INT
ASE_OBJ
ASE_REQ
ASE_SPD
ASE_TSS

CAP-A
1
1
1
1
1
1
2

CAP-B
1
2
2
1
2
1
2

CAP-C
1
3
3
1
3
1
2

1
1
1
1
1

1
1
1
2
2
1
1

1
1
1
2
2
1
1

D.2 (CAP)58)
(CAP: composed assurance packages) C-TOE

. (-
, -) ,
.

(1)
(CAP) TOE ()
C-TOE . EAL ST
. EAL1 C-TOE
. ,
. (EAL1 TOE C-TOE
.) CAP C-TOE EAL1 EAL
.
- IT
- .

. , ,

58) CC 3.1 Part 3, 9


. C-TOE
.
, C-TOE
CC . CAP CAP
. CAP CAP
(,
) (,
, , / ) .
TOE
.
CAP CC 3 7
. , CAP
.
CAP extended-basic (C-TOE )
.
,
ACO_DEV . , C-TOE
C-TOE
.

(2) A (CAP-A) -

CAP-A C-TOE
. -
- -
.

CAP-A

.
CAP-A C-TOE ST . C-TOE ST SFR
C-TOE TOE
TOE(: ST, ) .
, ,
, , -
- .
C-TOE .
CAP-A C-TOE ( IT TOE
).


[ D-2] CAP-A
Class

ACO:

AGD:
ALC:

ASE: ST


ACO_COR.1
ACO_CTT.1
ACO_DEV.1
ACO_REL.1
ACO_VUL.1
AGD_OPE.1
AGD_PRE.1
ALC_CMC.1 TOE
ALC_CMS.2 TOE CM
ASE_CCL.1
ASE_ECD.1
ASE_INT.1 ST
ASE_OBJ.1
ASE_REQ.1
ASE_TSS.1 TOE

(3) B (CAP-B) -

CAP-B C-TOE TOE
.
-
CAP-B C-TOE ,

.

CAP-B C-TOE ST . C-TOE ST
SFR TOE ,
TOE , TOE(: ST, )
.
,
, (TOE ) , -
-
. basic
C-TOE .
CAP CAP-A
.


[ D-3] CAP-B

ACO:

AGD:
ALC:

ASE: ST


ACO_COR.1
ACO_CTT.2
ACO_DEV.2
ACO_REL.1
ACO_VUL.2
AGD_OPE.1
AGD_PRE.1
ALC_CMC.1 TOE
ALC_CMS.2 TOE CM
ASE_CCL.1
ASE_ECD.1
ASE_INT.1 ST
ASE_OBJ.2
ASE_REQ.2
ASE_SPD.1
ASE_TSS.1 TOE

(4) C (CAP-C) - ,

CAP-C C-TOE
. -
.
CAP-C
,
.

CAP-C C-TOE ST . SFR
C-TOE ST TOE
(TSF ) TOE(: ST, )
.
, ,
, (TOE )
, - -
. basic basic-extended
C-TOE
.
CAP
CAP-B .


[ D-4] CAP-C

ACO:

AGD:
ALC:

ASE: ST

ACO_COR.1
ACO_CTT.2
ACO_DEV.3
ACO_REL.2
ACO_VUL.3
AGD_OPE.1
AGD_PRE.1

ALC_CMC.1 TOE
ALC_CMS.2 TOE CM
ASE_CCL.1
ASE_ECD.1
ASE_INT.1 ST
ASE_OBJ.2
ASE_REQ.2
ASE_SPD.1
ASE_TSS.1 TOE

D.3 ACO: 59)


ACO 5 .
. C-TOE SW (
HW .
IT , CC

IT . IT (
). C-TOE
, .
. ACO
TSF
TOE CC
C-TOE . (C-TOE
- ACO
.)
CC 7.3 9 C-TOE
. EAL , EAL
EAL . EAL SAR
C-TOE . TOE
CC B.3 C-TOE
59) CC 3.1 Part 3, 17


. C-TOE EAL
.
, CAP
.
C-TOE
. -
- . -
(, ,
) C-TOE . ACO
TOE CAP
.
ACO
TOE ADV, ATE AVA
. C-TOE
. ,
-
(ACO_REL). - - SFR
-
. ACO_DEV
- . ACO_DEV

C-TOE
TSF ADV_TDS . ,
TOE .
ACO_DEV .
ACO_COR . ACO_COR ACO_DEV ACO_REL
,
. C-TOE
(ACO_VUL) (ACO_CTT) .
C-TOE C-TOE C-TOE SFR
. C-TOE
.
C-TOE
. C-TOE C-TOE
.

.
ACO ( B-1) .
,


C-TOE SFR
.

( D-1) ACO

(1) (ACO_COR)
o : -
.
o : .
ACO_COR.1
o : ACO_DEV.1
ALC_CMC.1 TOE
ACO_REL.1
o :
ACO_COR.1.1D - .
o :
ACO_COR.1.1C , - - TSF
, -
- .

o :
ACO_COR.1.1E
(confirm).


(2) (ACO_DEV)
o : - ((set
out). -
. (
)
o : ,
.
o
- TSF
. - TSF - SFR
- . -
SFR - .
- TSF
- TSFI .
SFR TSF TSF IT
.
TSF TSF
. , -
.
/ TSF . -
- TSF
- (ACO_REL) .
- . ADV
- , C-TOE
-
. - -
(ACO_DEV) .
TOE
.
. -
- .
ACO_DEV.1
o : ACO_REL.1
o : - -
. -
.
o :


ACO_DEV.1.1D - .
o :
ACO_DEV.1.1C C-TOE -
(purpose) .

ACO_DEV.1.2C - TSF -
- (C-TOE )

(show).
o :
ACO_DEV.1.1E
.

ACO_DEV.1.2E -
(determine).

ACO_DEV.2
o : ACO_REL.1
o : - -
. -
. , - TSF
- .
o :
ACO_DEV.2.1D - .
o :
ACO_DEV.2.1C C-TOE -
.

ACO_DEV.2.2C - SFR , -
.

ACO_DEV.2.3C - TSF -
- (C-TOE )

(show).
o :
ACO_DEV.2.1E
.

ACO_DEV.2.2E -
.

ACO_DEV.3


o : ACO_REL.2
o : - -
. -
. -
- TSF
.
o :
ACO_DEV.3.1D - .
o :
ACO_DEV.3.1C C-TOE -
.

ACO_DEV.3.2C C-TOE -
- .

ACO_DEV.3.3C - SFR , -
.

ACO_DEV.3.4C -
.

ACO_DEV.3.5C - TSF -
- (C-TOE )

(show).
o :
ACO_DEV.3.1E
.

ACO_DEV.3.2E -
.

(3) - (ACO_REL)
o : - -
. C-TOE

. TOE TSFI
, C-TOE
- .
o : - -
.
o
- (ACO_REL) , - -


-
.
- -
. -
. , (: ) CC SFR
- ST (: FIA() SFR
). -
- ,
(TSFI) .
, TSFI TSF
. TSF
- (ACO_REL)
.

ACO_REL.1
o :
o :
ACO_REL.1.1D - .
o :
ACO_REL.1.1C - TSF -
HW, / SW .
ACO_REL.1.2C - -
.

ACO_REL.1.3C -
TSF .

o :
ACO_REL.1.1E
(confirm).

ACO_REL.2
o :
o :
ACO_REL.2.1D - .
o :
ACO_REL.2.1C - TSF -
HW, / SW .


ACO_REL.2.2C - -
.

ACO_REL.2.3C
.

ACO_REL.2.4C -
TSF .

o :
ACO_REL.2.1E
(confirm).

(4) C-TOE (ACO_CTT)


o : C-TOE C-TOE -
.
o : TSF C-TOE SFR

.
o : :
-
- ;

TOE C-TOE SFR C-TOE

TSF SFR
- ,
C-TOE . , -
-
, TOE . SFR C-TOE TSF
- -
.
-
. - TSFI ATE : -
. ,
(ACO_COR) - . TSF
- , -
- . ACO_CTT.1.1E
- ATE :
,
-
, .


(-(ACO_REL) )
.

ACO_CTT.1
o : ACO_REL.1
ACO_DEV.1
o : - -
.
o :
ACO_CTT.1.1D C-TOE .
ACO_CTT.1.2D - .
ACO_CTT.1.3D TOE .
ACO_CTT.1.4D - -
.

o :
ACO_CTT.1.1C C-TOE - ,
.

ACO_CTT.1.2C C-TOE TSF


.

ACO_CTT.1.3C - -
- .

ACO_CTT.1.4C - .
o :
ACO_CTT.1.1E
(confirm).

ACO_CTT.1.2E
.

ACO_CTT.1.3E TSF (demo.)


C-TOE TSF .
ACO_CTT.2
o : ACO_REL.2
ACO_DEV.2
o : - -
.
o :


ACO_CTT.2.1D C-TOE .
ACO_CTT.2.2D - .
ACO_CTT.2.3D C-TOE .
ACO_CTT.2.4D - -
.

o :
ACO_CTT.2.1C C-TOE - ,
.

ACO_CTT.2.2C C-TOE TSF


.

ACO_CTT.2.3C - -
-
.

ACO_CTT.2.4C - .
:

ACO_CTT.2.1E
(confirm).

ACO_CTT.2.2E
.

ACO_CTT.2.3E TSF (confirm)


C-TOE TSF .

(5) (ACO_VUL)
o :
.
o :

.

.
. C-TOE
.
C-TOE C-TOE ( ST
) . C-TOE ST
C-TOE ASE
. ,
- ST -


ACO_REL, ACO_DEV ACO_COR . (, C-TOE


- ST -)

.
.
C-TOE -
, C-TOE -
.

ACO_VUL.1
o : ACO_DEV.1
o :
ACO_VUL.1.1D C-TOE .
o :
ACO_VUL.1.1C C-TOE .
o :
ACO_VUL.1.1E
(confirm).

ACO_VUL.1.2E -
TOE
.

ACO_VUL.1.3E C-TOE -
.

ACO_VUL.1.4E C-TOE basic


(demonstrate)
.

ACO_VUL.2
o : ACO_DEV.2
o :
ACO_VUL.2.1D C-TOE .
o :
ACO_VUL.2.1C C-TOE .
o :
ACO_VUL.2.1E
(confirm).

ACO_VUL.2.2E -


TOE
.

ACO_VUL.2.3E C-TOE -
.

ACO_VUL.2.4E C-TOE , ,
TOE ,

ACO_VUL.2.5E C-TOE basic


(demonstrate)
.

ACO_VUL.3 -
o : ACO_DEV.3
o :
ACO_VUL.3.1D C-TOE .
o :
ACO_VUL.3.1C C-TOE .
o :
ACO_VUL.3.1E
(confirm).

ACO_VUL.3.2E -
TOE
.

ACO_VUL.3.3E C-TOE -
.

ACO_VUL.3.4E C-TOE , ,
TOE ,

ACO_VUL.3.5E C-TOE extended-basic


(demonstrate) ,
.

D.4 (ACO)60)
(1) C-TOE
IT / .

60) CC 3.1 Part 3, B


PC HW SW / OS
. , OS
. IT .

. ,
,
/ .
- EAL2
-
. , -
EAL2
.
IT
ACO . -
, - .
. , (-) OS(-
) . ,
OS , HW
(peer-to-peer) . (peer)
, -, -
.
- - .
ACO
.
( C-TOE -
- - C-TOE)
.

. C-TOE
- . , -
C-TOE .
- .
.
o / : -
- ,
.
o :
() - - (:


- )
. , -
. , -
ACO_CTT , - -
( ) - .
- C-TOE .
- C-TOE
. - - .
ACO_VUL .
- -
C-TOE .
- C-TOE TSF -
. - TSF
.
- ACO
.
ACO_VUL
. ACO_DEV
- -
. , CAP C-TOE
EAL4 TOE
. , C-TOE EAL4 .

(2) C-TOE ST
ST (- + -) TOE
.
ST C-TOE .
ST
. ST
C-TOE ST .
ST .
C-TOE ST ST , ST
C-TOE ST ST C-TOE ST ST
.
C-TOE ST ASE_CCL , C-TOE ST
ST . TOE ST
. C-TOE
-
C-TOE .


.
. .
C-TOE SFR SFR .
SFR , SFR
. C-TOE
.
o ASE : ASE C-TOE ST ST :
ST .
ST C-TOE ST ST
. : C-TOE ST SFR
ST ,
(ASE_REQ.*.3C
.).

(3) IT
- TSF
. - TSF, - TSF
- .
- TSF - SFR
.
- TSFI TSF
- . TSF SFR
IT
. , TSFI TSF
, -
. TSF .
(: ) , CC SFR -
ST , - -
( , FIA : ,
).
- (TSFI)
, - . -
-
.
- TSFI . (:
TSF API. - )


( D-2) - [figure labels: IT / TSFI / TSF / TOE -TSF / TOE(-) / -TOE / (boundary)]

- - . SFR
TSFI ADV_FSP
. TSF (SFR ) , SFT , TSF
. - , -
ST . , TSF
(-) (ADV_FSP)
. -
ST .
- .


-TOE
TOE

TSFI

TOE -TSF

TSF

SFR-

( D-3) -

- - , -
TSF SFR -
, . -
TSF , - TSFI,


- .
, - TSF - TSF
(, - -TOE
- -TOE ), - TSF
, - TSFI
. - -
(ACO_REL) .
- TSF - ,
- -TSF ( ) C-TOE TSF .
C-TOE TSF TSF .

( D-4) C-TOE [figure labels: - / - TSF / -TSF / - / C-TOE / TSF]

- TSFI -
. , - TSFI .
.
( D-5) ( ) [figure regions: E / TSF-a / ACO-REL(-a) / ADV-FSP(-b) / TSFI-b / C / TSF-b / - -a / -TSF-a / ACO-DEV(-b) / D / -TSF-b / - -b]


o --a (A B) =
(- );
o -b (C D) =

o = ;
o () =
.
a(-) b(-) : TSF-a
TSF-a TSFI(a); , TSF-b (C)
TSFI(b). . -a
; TSF(a) A
B .
-a b , 4 (, -a
b ) . .
. TSF-a TSF-b (A C );
C -b FSP .
, a b .
. -TSF-a TSF-b (B C );
C -b FSP ,
.
. TSF-a -TSF-b (A D );
a b . b
(, ST FIA SFR ) , a
. D (
TSFI (b) , -b FSP .).
. -TSF-a -TSF-b (B D
); D
, , .
.
(: , C-TOE TSF TSF-a +
TSF-b + Non-TSF-B . , C-TOE TSF TSF-a + TSF-b.)
C-TOE .
:
o (ADV_FSP) (-b ) C
o - (ACO_REL) A .
o (ACO_DEV) C D



(underlying) OS DBMS .
DBMS DBMS (
): TSF , TSF
,
TSF (: , , ) , TSF
, ... .
, DBMS DBMS OS
. DBMS ST OS ,
OS . DBMS ST OS SFR
(instantiate) . , DBMS ,
ADV OS
. - (ACO_REL) .
- (ACO_REL) -
- . -
. -
.
(ACO_DEV) - ,
- .
- . ( -
- ,
(ACO_COR) .). ACO_DEV
.
- -
(ACO_COR) . -
- -
. -
, - TSF
.


E.


1. ITSEM (ITSEM V1.0, 1993.9)
2. 19791
3. CC 3.0 (ADV )
4. PP/ST TOE PP
5. CCEVS
CC 3.1 E

E.1 ITSEM (ITSEM V1.0, 1993.9)


(1) (composition)

E .
- TOE
-
y .
.

y E , 2
.
y ,
.
y .

y TOE
. TOE ITSEC
(, TOE ).
y
( )
.
y .
- P
-


y
-

y
y
y




P .
(ST .) (,
) .
.

. .

.
2 .
-IT
( ITSEC .).
IT
. IT
. .
. ,
IT-
. -IT
.
.
.
( H-1).
, .
, -IT .

- 1
y C1 C2 .
C1 . C2 C1
.
.
y 1 :
- C1:
- C2:
y ( E-2) 1 . C2
C1 C2 .


( E-2) ( 1)

( E-1) TOE

- 2
y C1 C2 . C1
C2
y 2
- C1: (VMM);
- C2:
y VMM
.
y 2 ( B-3)
- 3
y C1 C2 , C2
C1 . C1 C2

y 3 ( H-4)

y C3. P3
, ,
.


( E-3) ( 2)

y
-

( E-4) ( 3)

, 1 3
C3 .
1: C1 .
2: C2 .
3: C1 C2
.
4: P1 P2 P3 . P3 P1 P2
.
5: P2 C2 . C2
P2 .
6: P1 C1 . C1
P1 .
7: C2 P1 .
8: C1 C2() .

y :
- 1 2 . C1
C2 .
- 3 . .
C1 C2 .
C1 C2 .
(C1) (C2)
.
- P1 P2 , P1 P2 P3

- 5 6 .
C1 C2 .


- , .
y ,
, C1 C2
. , P3 P2
. 2
.
y P1 P2 , P1
P2 P3 .

E.2 19791 61)


(1) (composed operational system)
(operational system)
. .
, ,
, / ,
/ .
.
, :

. ,
() .

.
.

.
()

. (
) (need)
.
, ,
.

61) ISO/IEC 19791, 2005.5


()
.

.
.

.
. , , , ,
.
, , , .

. ST
.
. ( E-5) .

( E-5)


. . (:
, , OS SW) .

SW .
, ,
.
(ETR) ,
.


( E-6) . SW A
, CC . B CC
(: ADO AGD ATE_FUN)
(;ADV AVA ATE_COV/DPT)
.
.
( E-7) CC
.
( X) .

( E-6)

( E-7)

E.3 CC 3.0 (ADV )


(1) ADV_FSP: TSFI
( E-8) TOE . DBMS TOE ( IT
) HW SW . TOE TSF

(boundary) . TSF, IT
. TSF DB, GUI (, PLG )
OS . TSF OS (,

OS
) .
ST .


( E-8) DBMS

IT OS (SRV) . OS TSF
IT . ( H-10) TSFI
Ax , ACO Bx
. .
A1 TSFI , DB
.
A2 OS
TSFI . B3(, IT
) .
A3 IT TSFI . ,

DBMS (proprietary)
. IT (: Ethernet, IP, TCP) ,

DBMS TSFI,
. TSF /
.

Bx IT . TSFI
, TOE ACO (composite)

TOE .
(2) ADV_INT.1: (Subset Modularity)
, /
, TOE TSFI ,


(: (isolation)) . , TSF
TSF (: TSF
).
TOE (incorporated) SW
. SW, TOE (crucial) /
, SFR
. , TOE OS (:
, , ). , OS TSF internals

(ADV_INT) (levied) (adhere) .



, SFR- SW
.
,
.
. ,
OS ,

TSF . ,
, , SW
, TSFI ,
SW .

( E-9) TSF (assigned) SFR-(enforcement) TSF SFR . TSF -SFR- SFR-(support)


SFR--(non-interference) .

( E-9) SFR- SFR- [figure labels: SFR- / SFR- / -SFR-]

SFR- - SFR-
. , SFR-
SFR SFRI
. - SFR- (ADV_INT.1.3C) , - SFR-


, SFR-
. ( E-10) , TSFI - SFR- ,

TSFI (designation)
(; X, Y, Z). SFR-(; D, E, F)

TSFI (, A
, SFR- .).
TSFI SFR-

TSFI SFR-

( E-10) - SFR- [figure labels: TSF; interfaces X, Y, Z; modules B, D, F; - SFR- / - SFR-]

(3) ADV_TDS:
ADV_TDS TDS
. ,
.


( E-11) TSF ,
(, );
(: ,
). (, ) , (,
) .
.


TOE1 ()

TOE2 ()

( E-11)

TOE .
TOE(: , )
. ,
(even be uneven in scope) .

TSF (, TSF TOE )


. , SFR
( ) , TSF . ,
(A.1 ) HW SW (
, SFR- ),
TSF . , SDF
(: ), TSF
.
( )
(, TSF ) TSF
, . (
) ( ) .
SFR
.

SFR- TSP
RSP .
SFR- TSFI (), SFR-.
SFR- SFR- . SFR-
SFR SFR- , SFR . SFR- SFR
( ) .



TSF internals(ADV_INT)
. ADV_TDS.3 Basic modular design( )

[figure labels: PP / ST / TOE / design(ADV_TDS) / TSF internals(ADV_INT)]


. ,
.

TOE , .
ADV_TDS.1 Basic design ADV_TDS.2 Architectural design(
) , TSF
. ADV_TDS.3 Basic modular design ( ) ,
. (
) . ,
. TOE,
; ,
. TOE, (TSF )
. ( B-13) .

SFR- ST (SFR) .
SFR- TSFI , SFR (:
) TSFI (tie) .
, SFR- SFR- , SFR
. SFR- SFR
.

. ,
1 2
. SFR- TSFI
( )
. . ,
SFR , SFR .
, 1)
TSF , 2)

TSF . , RFC 793 TCP


. .
, . RFC


. , (:
) . TCP (RFC

793 ) TCP(TSF
) .
, ()
: ; ; ;
;
.

.

. explicit (:
) implicit (: )
. .
. (: flag
) ,
. ,
.
.
.(: C++
/ ). (implicit) CC 3.0(2005 7)

223 .
, .
,
.
. , A
B , A B

double_bubble() .
A double_bubble ;

double_bubble() ,
access_allowed
.. . A
.



.

. -, (ADV_TDS.3
) .
. , ,
. TOE
.
.
, . ,
. .
.
, (, (SFR-, SFR, SFR-)
. ,
. , TSF ,
(SFR-, SFR-, SFR-)
. (
)
.

E.4 PP/ST PP/ST 62)


(1) TOE PP ST
(composability)
.
a) TOE(C-TOE) PP/ST. C-TOE 2
C-TOE PP/ST(
PP ST ) .
b) IT TOE( )
PP/ST. C-TOE (: -IT
, PP/ST
.)
62) Guide for the protection profile and security targets, ISO/IEC PDTR 15446, Version 0.9,
January 4, 2000.


:
a) ST ,
C-TOE ST . , C-TOE ST ,

.
b) C-TOE PP
PP . C-TOE PP . ,
C-TOE ST PP
.
.
C-TOE PP/ST C-TOE .
(composability) ,
.

(2) TOE (C-TOE)


PP/ST
PP/ST (descriptive) TOE , TOE
, C-TOE . TOE
PP/ST TOE C-TOE PP/ST
.
TOE
C-TOE PP/ST TOE :
a) C-TOE (,
, PP ),
b) , OSP PP/ST
, (
).
C-TOE PP ,
TOE (significant degree of uniformity)
, . , PP
TOE .
PP/ST .
, C-TOE
. , C-TOE PP/ST
. , (threat agent) (,
) PP/ST
(needs) (context) .
ISO/IEC 15408 TOE TOE
( ), (,


) .
C-TOE PP/ST PP/ST
.

PP/ST C-TOE PP/ST
. ,
, C-TOE PP/ST .
, C-TOE ST ST
, C-TOE
.

PP/ST IT C-TOE PP/ST
. ,
, C-TOE PP/ST
.
C-TOE . ,
PP/ST , (C-TOE PP/ST)
.

, C-TOE PP/ST . ,

. ISO/IEC 15408 ,

(end up)
.
C-TOE PP/ST ,
.
, ,
(pragmatic).

(: ).
C-TOE PP/ST , C-TOE TOE
,
. , C-TOE PP/ST IT C-TOE(
) IT
.
TOE
C-TOE ST ST TOE
. C-TOE ST IT


IT , IT
.
ST TOE
, C-TOE
C-TOE , C-TOE IT
.
PP
C-TOE PP TOE
, IT
. PP PP
. :
a) , C-TOE C-TOE
, C-TOE PP
. ,
(argument)
. C-TOE PP
, PP .
b) IT ,
C-TOE PP
. C-TOE PP , C-TOE
(demonstration), 2
.
c) IT , PP
. , C-TOE PP
.
- PP IT ,
C-TOE , C-TOE IT
() (C-TOE PP ) PP .
- C-TOE , PP
PP

.
d) IT (mutually supportive) ,
IT (interrelationship)
PP . , C-TOE PP
IT
(discuss) . , PP
(address) .
ST
C-TOE ST C-TOE PP


. :
a) TOE IT
, ST .
b) IT ,
ST . ,
ST IT
.
E.5

CCEVS

(1)
Scheme Policy Letter #2 (Reuse of Previous Evaluation Results and

Evidence, 4 March 2002) .


-
.
,
,
.

.
63).

(2)
ETR
. ST VR(Validation Report) .

(
, .).
:

ST . ( H.14)
.

(ST, VR) CRD(Composition Requirements Definition)


. (
63) .

,
.


) . ( E-12) .

( E-12)

CRD :

-
-
-

- .
, .
( )
.
.

-
. .
- CRD
-
. (

TSF ), CRD
. ( - ,
) , TSF
, .
,
.

CRD CCEVS .
ETR
( ) ;
, ,

CCEVS ,


64) .

(3) CVR
TOE ( ) .
CRD
. (( E-13) A); TOE TOE
.

( E-13) TOE

(4)
TOE (HLD) (LLD)
.

"" (
).

ETR CRD
.

ETR CRD :
y

TOE
. TSFI

TSFI .
y

/
''.

TOE CRD ( )
.
.
( )
.

TOE .
y

TOE TOE

64) .
(; OS).
.


.
.
. ( )
.

TOE ,
TOE ' '

ETR (
, , )
.

.
. CRD
CCEVS
.

ETR,
,

- - (ACM, ADO, AGD, ALC) , ETR



. :

;
.

TOE
.
,
.

TOE (,
) .


, .

.

ETR CCEVS .
TOE
TOE


F.

F-1. (TOE) 65), 1.0

IT (UK-ITSEC)
.
.

1.
(TOE) .
TOE
(TSM) (TSR) .

z . TOE
.

z TOE
.
TOE
.
.
.

.
UKSP01 UKSP03 .

2.

.
.
. (TSR)
TOE .

TOE

65) (TOE) , 2005. 7. 1.0.


http://www.cesg.gov.uk/site/iacs/itsec/media/formal-docs/TOEscoping_1.0.pdf


. CC 2.2 EAL4 ASE CC


2 CC (ST)
. CC ST ITSEC ST .
.

z CC (PP) PP
. TOE PP
.

z TOE
(TSR)
.
.

3.
( )
.
TOE
.
HLD.2
EAL1 . HLD.1 EAL2
.

CC EAL4 : ASE_REQ.1.2C (EAL )


ASE_REQ.1.3C
()
PC

TOE .

.

CC EAL4 : ASE_ENV.1.2C
( )

TOE . TOE

.
TOE HW SW
. TOE


TOE .
TOE
.
TOE
.

CC EAL4 : ASE_DES.1.1C
ASE_OBJ.1.1C (TOE IT )
TOE ( )
TOE
. TOE
TOE
.

CC EAL4 criteria: ASE_ENV.1.1C


ASE_ENV.1.3C
( )
TOE
. TOE
.

z TOE , , ,

z , ,

TOE
.

CC EAL4 : ASE_ENV.1.2C
ASE_TSS.1.1C (IT )
TOE ( )
, , TOE
. TOE
TOE
.

CC EAL4 : ADV_FSP.2.5C
AVA_MSU.2.1C


TOE ()

TOE
. , , ,
, .
TOE TOE
TOE
.
TOE TOE .
TOE
. TOE
. TOE
.
TOE HW, SW . TOE
TOE
.
TOE TOE
. .

z
z TOE
z
z SW HW
z

HW SW
TOE .

z (
)

z
TOE TOE .
. , HW,
. TOE

TOE
. HW
.
TOE TOE
.



. .

TOE . SW HW
. HW SW .
.

TOE HW SW
. SW HW
.
.
.

CC EAL4 : ASE_ENV.1.1C, ADO_IGS.1.1C ( )


ADV_FSP.2.3C, ADV_FSP.2.4C
ADV_HLD.2.3C ADV_HLD.2.9C
AVA_VLA.2.2C AVA_VLA.2.4C
TOE
.
(, ).

.
.
.


( F-1) [figure labels: (usage) / IDS / / ? / TOE () / OS / ()]

TOE .

.

.
. .
.
. SW HW
.
. TOE
.
.
TOE . TOE
. .

z
z


z
z SW
z
z
z
z
TOE TOE
.
.

z
z (
)

z (
)
[figure F-2 labels: COTS GUI / GUI SW / SW / IDS SW / COTS OS / OS]
. ,
. COTS(, ) .
,
( F-2) 2 ( )

SW
.
SW


. SW .

[figure F-3 labels: PC / GUI / IDS / SW / COTS OS / OS]
<SW PC , PC HW . (,
PC PC .)
( . )
( F-3) SW HW

SW HW .

F-2. (TOE) 66)


1.
TOE . TOE
. TOE CC
. . ,
, CC .
,
. .
a. .
b. CC
c. TOE
d. CC TOE
66) , 1.0 , January 2006.


e. UK
TOE CC
.
.
a. CC TOE CCPn
.
b. UK SPn
.
c. UK CC
EPn .
TOE
.
. .

. TOE
.
CC CC 3
(composed) TOE CC 2.3 CC 3 ITSEC TOE
. TOE
UKSP01 UKSP03 .
2. TOE
CC
(SFR), TOE
.
a. TOE .
b. SFR .
c. IT .
d. .
CC .
y EP1. TOE SFR
.
y EP2. TOE
.
y CCP1. TOE . ,
.
CC / TOE
.
.


CCP2. IT
.
,
.
CC . .
UK .
y SP1. TOE .
y SP2. TOE .
y EP3. IT IT
.
UK TOE
.
y SP3. TOE IT
. TOE
, IT .
y SP4. -CC
. (: )
y SP5. .
TOE
.
y SP6. .
(PP) . UK PP
PP
.
, TOE
, ST, ''
TOE .
3. TOE (scoping)
TOE UK
. .
.
<> CC
.

TOE .
a. .
y . <SP1>


.
<CCP1>
y
. <CCP1>
y TOE
. <CCP1>
b. .
y
.
,
TOE . <SP6>
y
. ,
(; ), (
) .
,
(; ). <SP1,EP2>
3 (; ) TOE
. .
y 3 .
<SP3>
y 3
MMI . 3
TOE ,
. <CCP1>
y 3 TOE .
, TOE
. <SP1, EP3>
DB
.
. ,
.
.
y TOE
. <SP1, SP3>
y IT
.
.


. <SP1, 54: SP3, 63>



TOE .
y .
.

.
y
.

TOE . ,
, , ,
.
.
a. TOE ( )
. <SP1, SP2>
b. .

. .
.
i. TOE .
.
y (;
). <SP3>
y . <CCP1>
ii. API
.
y TOE
. <SP3>
y IT
. <SP3, 63>
(; VPN
, , , , , ) TOE
.
a.
. <SP1>
y .
b. -CC .


y
y

. <SP4>
CC (; )
, CC
. <SP4>


.
y
TOE . <EP1>
y
TOE . <EP1>
TOE
.
y . <SP2>
y . <SP5>
y . ;
. <SP1>
y TOE
. <CCP1>
3 TOE .
y 3
. <CCP1>
y 3 . 3
. <EP3>


. , , ,
IT .
TOE . <SP2>.
IT
.
y IT TOE . <SP3>
y IT . <EP3>
y IT
. <73 - 75>
.

. <EP3>


IT 3 .
, .

4. CC TOE
, TOE TSF
CC TOE .
a.
b. TOE
c. TSF

.
. .
.
. ,
, (
) .
TOE (
).
a. .
b. .
.
TOE ST .
a. TOE
.
b. TOE .
y
y TOE IT
y TOE IT
c. .
EP1. TOE SFR
.
TOE (TSP) TOE SFR
. TSP SFR .
; CC Part 2 SFR
.
TSF67) - TSP TOE . CC
67) TSF CC 2.2 TOE CC 3 TOE


TSF . TOE TSP


.
.
( F-4) . F1 F2 F3 C1
C2 C3 I1 I2 I3
. D1 D2
D C1 C2 F1 F2 . F3
C3 .
TOE SFR F3 F1 . F1 F2
C1, C2, D TSF . C2 SFR F2
TSF . SFR F2 . ;
F1 , F2 .
( F-4) 1 [figure labels: F1, F2, F3 / I1, I2, I3 / C1, C2, C3 / ID1, ID2 / D]

TOE
EP2. TOE
.
. TOE CC
.
. ; .
TOE ST
. .
.

CCP1. TOE . ,
.


TSFI68) TSF . TSFI


69) TOE .
a. TSFI TSF . ,
CC TSF TSFI TSF
TSFI TSF
. 1, TSFI TSF
I1 I2 .
b. TSFI TOE TSF TSF TSFI
. 1, I1 I2 TSFI TOE
.
c. TOE TSFI TOE .
TSF TOE
. TSF
, CC
. 1, TOE C2 I2 TSFI
. ID2 TSFI
TSFI .
d. -TOE
TOE .
. 1 I3 TOE
TOE F3 C3 I3 .
.
SI1 SI2 GI1 GI2 F1
F2 . TOE GI1, GI2, SI1 ,SI2 TSFI
GUI . TOE SI1 SI2
TSFI . , GUI .

68) CC 2.2 TSFI (TOE ) TSF


. CC 3 TSFI (TOE )
. TSFI .
69) TSFI TOE CC ,
. CCP1 .
CC .


( F-5) [figure labels: F1, F2 / GI1, GI2 / GUI / GC1, GC2 / SI1, SI2 / C1, C2]
TSFI ST TOE
. CC Part 2 TOE
. SFR .
SFR . SFR
. , TOE SFR IT
.

CC TOE
.
. ,
.

.
. ,
TOE
(, ST, '' ).
TOE TOE
. TOE
TOE TOE
. TOE
TOE . CC
TOE .
CCP2. IT .
, ,
.
TOE .


5. UK TOE

TOE
.
-
SP1. TOE .
TOE
. (,
)
TOE .
TOE .
a.
b. TOE IT
c. IT TOE
- TOE
SP2. TOE .
TOE
. TOE
. TOE IT
.
TOE .

. TOE .
-
EP3. IT IT
.
TOE EP2 .
IT TOE
.
a.
b. TOE
TOE IT ST
.
. . ;
.


(viability)
TOE .

. IT
, ,
.
:- IT
SP3. TOE IT
. TOE
, IT .
IT API
IT IT
TOE
54 .
CC
.
IT API
IT EP3 .
IT
. ; TOE .
IT IT
API . IT .
IT
.
CC TOE .
TOE .
:
SP4. -CC
. (: )
.
a. CC .
b. CC
.
.
a. CC TOE .
TOE .


CCP1
.
b. TOE
.
c. TOE

.
: (State of the Art)
SP5. .
. ,
,
. .

TOE
.

.
SP6. .

TOE
.
a. .
.

. TOE

.
b.
.
z TOE SP3, SP4 SP5
. SP4
.
z TOE IT IT
TOE
.
.


.
PP
ST PP PP
TOE .
PP PP TOE
.
TOE
TOE
. ST ''
TOE .
TOE .
ST ''
.
. ST ''
.


G.

y

ISO/IEC TR 19791


.

G.1
G.1.1 ,

.
( ) ,
.
, .

(ISM; information security management): ISM



() ()
. ISO/IEC-13335(GMIT), BS-7799(ISO/IEC-17799), BSI(Bundesamt
für Sicherheit in der Informationstechnik) BSI IT Baseline Protection Manual,
SSE-CMM, ISM
.
(IRM; information risk management): IRM ISM

. ,

.
(IRA; information risk analysis) : IRA
(RI; risk identification) (RA; risk assessment) . RI
RA

.

G.1.2
.
.

.


.

.

. 1
.
,

.
(, , , )
.
,
.

.
[ G.1]

G.2

.
, .
.
.


[ G.2]

[figure G.2 phases: (Project definition) / (Project preparation) / (Administration) / (Data gathering): (Technical), (Physical) / (Risk analysis) / (Risk mitigation) / (Recommendations)]

G.2.1

.
.
.
.

.
.
[25].

.
, .
. ,

.


G.2.2
1
.
.
. ,
.
.
G.2.2.1 .

.

.

.
.

.

.
? CobiT(Control Objectives for
Information and Related Technology) ITGI(IT Governance Institute) IT
Governance Maturity Model .
CobiT .
CobiT
. ISO(International Standards
Organization) Information technology - Code of practice for information security
management(ISO 17799) .

.
[ G.3]

( ) ,
.
.

. .
,


.
.
.
.
, ,


. ,
.

.

. ,
. ,
.
.
, ,
, ,
.
,
,
. ,

.
,

.
, (

) .
,
.
.

G.2.2.2
.
,
.
0 5 .
, ,
.

.
3
. ,

,


.
, IT( )
.

.

.

.

.

.

.
.
,
.
,

.
.
,
.

.
, ,
.

.
3
.
.
0 85 , .

51
. 34 50
,
.

. 34



.


.
.
.

. ,
.
.
y
y
y
y


?
?
?

?

: (NIST)
IT .
G.2.2.3

.

.
[ G.4]


(, ,
, ) .

CEO( ) CIO( )
.
.
.
.

,


.

.

IT
.
IT , .
.
.
.


. .
.

. IT
.

, IT
. .
.


Microsoft .
IT (, ) .


.
.
,
.

. , , IT
. .
[24].

G.2.2.4

.
. ,

.

.


.

.

G.2.2.5

.
.


.
. ,

.

. ,
.
,
.
.

: ,
,
.

.
,
.

.
.

G.2.3
, ,
. ,
,
. , , .


, .
.

. , ,

.
.
.

G.2.3.1
100 .
, .
, , .
.
y
y : . , ,
(), ,

y :
.
, 1866 .
120million 3% 95% ()
.
.

.
y : .
.
: (). .

.
:
.
, () ,

y 68% 1
y 95% 2
S =


y 99.7% 3
.
90 .
. 58% X .
3%. 95% ( 3%)
( 58%) 2 .
(1)
.
y - , ,
. .
y -
. How much How many
. ,
(2)
.
.

.
. .
y - . 2000
20 (1 2000
20 20 ).
y - , 2000 20 2000
a)100 b) 1 100 (37)
c) (137,237,337,447...)
,
.
y - .

.
y -
. ()
. 500 10%
, 50 10 5
.
y - .


. .

(3)

. ,

. ,
.
1 :
.

, , , .
. 20 , 5, 3,
800
(4, 2, 3, 50).
.
.
.
. ,
, .
2
.

. , 50
30
.
y IT 10
y R&D 5
y 5
y Help-Desk 5
y 3
y 2
,
.
.

.



, .

,
.
.
G.2.3.2
, , , ,
.
, , .

. ,
, .

.
.
(1)
y - .
, , .
y - ,
. .
y -
.
(2)
, ,
, .
y Review Documents - , , ,
.
, , , , ,
.
y Interview Key Personnel -
.
y Inspect Security Control - , , ,
. ,
.


Observe Personnel Behavior - , ,


.
.
Test Security Control - , , ,
.
.

.

, (Review Documents)
.
.
.

. desk job .
.

1)

.( , , )
.(, )
.

.
.
2)
.


. .
3)
.
, , .
y -
.

.


y
y

-
.
-
.
.
GAPS -
. .

(Interview Key Personnel)



. ,
.
y
y
y
y

, ,



,
, ( ) .

1)
(, , ).

,
.
, ( ,
, , )

, ,
2)
y -
. ,

y - 1:1 , 2:1 .
. ( )
( , ) ,
y - , , .


- ( ) . .

-
-
-
- .

- .
.
- . .
.
Open-ended - . .
.

3)
.
.
y - .
.( )
y -



.
. . .
.
y -

-

:
?
- .
( )
:
.
-
: ?
y -


-
.
- -

-
-

() -

-
. , , .
- ,

-

4)
(), , , ,
( ) .
5)
.
.
.
.

. (
)
6)
, ,
. .(
, , - )
(Inspect Security Control)
.
. ,
( ). ( )
. .
.


.

y - .
.
, , , , ( )

y - , ,
.

.
y - .

.
.
y - ()
.
y
.

(Observe Personnel Behavior)


.
. ,

. .
.( )
.

.
. .
.
1)
.
(, ).
. .
y - .
, ,

y -


y
y

( , )
-
( , , )
-
( , )

(Test Security Control)


.
.
.

.
.
. .

.

3 1)
2) .
1)
. live
.
y - .
.
, ,
. .
.
y -
.

. .
.
.
.
y -
y
y


y
y
y

2)
.
( , , )

-
.
. 550
, 10, 5, 2, 4 , 3
, 4 , 588
. ( )
(200)
( ) .
( )

3)
.
.
.
.
- .
(, )
y - .

y - .
information flow, ,
. .
y - ,
( ).
.

4)

.


.
( )

5)
.
.
G.2.4
.
, ,
.
, .
.
.
, .
G.2.4.1
.
.
. , , , ,
.
. ,
.
,
.
.
, .
, .
.
(1)

.
.
.
.
.
.
.


.
.

.
.
.

.
.

(2)
.
.

.
, .
.
, , .
IT 3 .
IT . , IT
,
. IT
IT .
,
.
. IT
, , , .
(3)
.
.
. .

.
.
"HBI(
), "MBI( )", "LBI( )" .

. .


,
.

.
:
(NIST) 800-60 , "Mapping Types of
Information and Information Systems to Security Categories" FIPS(Federal
Information Processing Standards) 199, "Security Categorization of Federal
Information and Information Systems" .


,
.
, ,
. HBI
.
- , .
- .
- GLBA, HIPAA, CA SB1386
EU .
PII(Personally Identifiable Information) -
.
- .
- .
- .

.

.
.


,
.

.

, ,
.


. MBI
.
- , ,
,
.


HBI MBI LBI ,
.
, ,

.

LBI , .
.
IT .
.
.
, , .
.

G.2.4.2
. ISO 17799
. NIST
entity .
, .
.
.
. , , ,
.

.
.
.

. ,
,
,


.
.
-
. , " ?" "
?" .
,
.
.
.

.

(1)
.
. .
y - .
, ( )
.
y - ,
.

.
y -
.
() ,
.
y -
. ,
, .
y -
.
.
(2)
,
. .
y - , , ,
,
. ,


.
() - .
.
,
.
.
-
. .
. ,
, , .
-
.
,
. , ,
.
- .
.
. .
-

. , , ,
.
() -
.
. .
.

(3)

.

.
.
.
y - , 1
y - , 2-3
y - , 3
.


.

.
.
.
[18].

G.2.4.3

.
. NIST (
),
. ,
.
.
.
.
.
. .
.

. , , ,
.
, . ,
, .
, , . ,
, , , .
.
, .

.
.
. ,

.

.
G.2.4.4



. ( ) , , ()
.
.
.
.
,
.

.
.
.
, , .
.
.

G.2.5

.
, , ,
. .
[25].
G.2.5.1 ()
, . ,
.
, , .
. , ,
.
. , .

. , , .
. ,
.
,

.
.
,


.
.

G.2.5.2
.

. 7
. , .

. ,
100% ( 0% )
.
. :
.
.
.( ,
.


.
.
G.2.6
.

.
() .
.
.
G.2.6.1

. ,
.

. .

.



. .
.

.
.

G.3
, ,


.

.

,
.

.
,

.
.
,

, .

.

, , , .


, ,
,
.



2006

11


:
:
78
IT()
Tel: (02) 4055-114
:
Tel: (042) 672-5171

<>
1.
Dynamic u-korea .
2.
Dynamic u-korea
.
3. ,
.

