Acrónimos:
ITSEC
Ver:
·
TCSEC -
Trusted Computer System Evaluation Criteria
http://en.wikipedia.org/wiki/ITSEC
Ha surgido de
la armonización de varios sistemas europeos de criterios de seguridad en TI.
Tiene un enfoque más amplio que TCSEC.
Los criterios
establecidos en ITSEC permiten seleccionar funciones de seguridad arbitrarias
(objetivos de seguridad que el sistema bajo estudio debe cumplir teniendo
presentes las leyes y reglamentaciones).
Se definen
siete niveles de evaluación, denominados E0 a E6, que representan una confianza
para alcanzar la meta u objetivo de seguridad. E0 representa una confianza
inadecuada. E1, el punto de entrada por debajo del cual no cabe la confianza
útil, y E6 el nivel de confianza más elevado. Por ello, los presentes criterios
pueden aplicarse a una gama de posibles sistemas y productos más amplia que los
del TCSEC.
El objetivo
del proceso de evaluación es permitir al evaluador la preparación de un informe
imparcial en el que se indique si el sistema bajo estudio satisface o no su
meta de seguridad al nivel de confianza precisado por el nivel de evaluación
indicado.
http://www.csi.map.es/csi/silice/Segurd21.html
(en) Information Technology
Security Evaluation Criteria (ITSEC)
(N) A Standard [ITSEC]
jointly developed by France, Germany, the Netherlands, and the United Kingdom
for use in the European Union; accommodates a wider range of security assurance
and functionality combinations than the TCSEC. Superseded by the Common Criteria.
[RFC4949:2007]
Germany, the Netherlands and
the United Kingdom published the Information Technology Security Evaluation
Criteria (ITSEC) based on existing work in their respective countries.
Following extensive international review, Version 1.2 was subsequently
published in June 1991 by the Commission of the European Communities for
operational use within evaluation and certification schemes.
The ITSEC is a structured
set of criteria for evaluating computer security within products and systems.
The product or system being evaluated, called the target of evaluation, is
subjected to a detailed examination of its security features culminating in
comprehensive and informed functional and penetration testing.
The degree of examination
depends upon the level of confidence desired in the target. To provide
different levels of confidence, the ITSEC defines evaluation levels, denoted E0
through E6. Higher evaluation levels involve more extensive examination and
testing of the target.
Unlike earlier criteria,
notably the TCSEC developed by the US defense establishment, the ITSEC did not
require evaluated targets to contain specific technical features in order to
achieve a particular assurance level. For example, an ITSEC target might
provide authentication or integrity features without providing confidentiality
or availability. A given target's security features were documented in a Security
Target document, whose contents had to be evaluated and approved before the
target itself was evaluated. Each ITSEC evaluation was based exclusively on
verifying the security features identified in the Security Target.
Since the launch of the
ITSEC in 1990, a number of other European countries have agreed to recognise
the validity of ITSEC evaluations.
The ITSEC has been largely
replaced by Common Criteria, which provides similarly-defined evaluation levels
and implements the target of evaluation concept and the Security Target
document.
http://en.wikipedia.org/wiki/ITSEC