欢迎来到麦多课文档分享! | 帮助中心 海量文档,免费浏览,给你所需,享你所想!
麦多课文档分享
全部分类
  • 标准规范>
  • 教学课件>
  • 考试资料>
  • 办公文档>
  • 学术论文>
  • 行业资料>
  • 易语言源码>
  • ImageVerifierCode 换一换
    首页 麦多课文档分享 > 资源分类 > PDF文档下载
    分享到微信 分享到微博 分享到QQ空间

    ISO IEC TR 19791-2010 Information technology - Security techniques - Security assessment of operational systems《信息技术 保密技术 操作系统安全评估》.pdf

    • 资源ID:1257406       资源大小:2MB        全文页数:242页
    • 资源格式: PDF        下载积分:10000积分
    快捷下载 游客一键下载
    账号登录下载
    微信登录下载
    二维码
    微信扫一扫登录
    下载资源需要10000积分(如需开发票,请勿充值!)
    邮箱/手机:
    温馨提示:
    如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
    如需开发票,请勿充值!如填写123,账号就是123,密码也是123。
    支付方式: 支付宝扫码支付    微信扫码支付   
    验证码:   换一换

    加入VIP,交流精品资源
     
    账号:
    密码:
    验证码:   换一换
      忘记密码?
        
    友情提示
    2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
    3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
    4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。
    5、试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。

    ISO IEC TR 19791-2010 Information technology - Security techniques - Security assessment of operational systems《信息技术 保密技术 操作系统安全评估》.pdf

    1、 Reference number ISO/IEC TR 19791:2010(E) ISO/IEC 2010TECHNICAL REPORT ISO/IEC TR 19791 Second edition 2010-04-01Information technology Security techniques Security assessment of operational systems Technologies de linformation Techniques de scurit valuation de la scurit des systmes oprationnels IS

    2、O/IEC TR 19791:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In

    3、downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in

    4、 the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the addr

    5、ess given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either

    6、 ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2010 All rights reservedISO/IEC TR 19791:2010

    7、(E) ISO/IEC 2010 All rights reserved iiiContents Page Foreword .v Introductionvi 1 Scope1 2 Normative references1 3 Terms and definitions .2 4 Abbreviated terms.4 5 Structure of this Technical Report 4 6 Technical approach.5 6.1 The nature of operational systems5 6.2 Establishing operational system

    8、security 5 6.3 Security in the operational system life cycle .7 6.4 Relationship to other systems .10 7 Extending ISO/IEC 15408 evaluation concepts to operational systems10 7.1 Overview.10 7.2 General philosophy.10 7.3 Operational system assurance 12 7.4 Composite operational systems 14 7.5 Domain A

    9、ssurance16 7.6 Types of security controls18 7.7 System security functionality 20 7.8 Timing of evaluation21 7.9 Use of evaluated products .22 7.10 Documentation requirements 23 7.11 Testing activities .24 7.12 Configuration management25 8 Relationship to existing security standards.25 8.1 Overview.2

    10、5 8.2 Relationship to ISO/IEC 15408 .27 8.3 Relationship to non-evaluation standards .27 8.4 Relationship to Common Criteria development.28 9 Evaluation of operational systems28 9.1 Introduction28 9.2 Evaluation roles and responsibilities28 9.3 Risk assessment and determination of unacceptable risks

    11、.30 9.4 Security problem definition30 9.5 Security objectives31 9.6 Security requirements.31 9.7 The System Security Target (SST).33 9.8 Periodic reassessment .35 Annex A (normative) Operational system Protection Profiles and Security Targets 36 A.1 Specification of System Security Targets.36 A.2 Sp

    12、ecification of System Protection Profiles.42 Annex B (normative) Operational system functional control requirements.49 B.1 Introduction49 B.2 Class FOD: Administration.51 B.3 Class FOS: IT systems59 ISO/IEC TR 19791:2010(E) iv ISO/IEC 2010 All rights reservedB.4 Class FOA: User Assets69 B.5 Class FO

    13、B: Business 71 B.6 Class FOP: Facility and Equipment .73 B.7 Class FOT: Third parties .78 B.8 Class FOM: Management 80 Annex C (normative) Operational system assurance requirements84 C.1 Introduction84 C.2 Class ASP: System Protection Profile evaluation89 C.3 Class ASS: System Security Target evalua

    14、tion101 C.4 Class AOD: Operational system guidance document .115 C.5 Class ASD: Operational System architecture, design and configuration documentation.120 C.6 Class AOC: Operational System configuration management.131 C.7 Class AOT: Operational System test .136 C.8 Class AOV: Operational System vul

    15、nerability assessment 146 C.9 Class APR: Preparation for live operation 154 C.10 Class ASO: Records on operational system 157 Annex D (normative) Operational System evaluation methodology .162 D.1 Technical approach .162 D.2 Class ASP: System Protection Profile evaluation163 D.3 Class ASS: System Se

    16、curity Target evaluation178 D.4 Class AOD: Operational system guidance document .195 D.5 Class ASD: Operational system architecture, design and configuration documentation.199 D.6 Class AOC: Operational system configuration management .207 D.7 Class AOT: Operational system test210 D.8 Class AOV: Ope

    17、rational system vulnerability assessment.217 D.9 Class APR: Preparation for live operation 228 D.10 Class ASO: Records on operational system 231 Bibliography 235 ISO/IEC TR 19791:2010(E) ISO/IEC 2010 All rights reserved vForeword ISO (the International Organization for Standardization) and IEC (the

    18、International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particul

    19、ar fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have establis

    20、hed a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical

    21、 committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report of one of the foll

    22、owing types: type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts; type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement

    23、on an International Standard; type 3, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example). Technical Reports of types 1 and 2 are subject to review within three years of publica

    24、tion, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful. Attention is drawn to the possibility that some of the elements of this documen

    25、t may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC TR 19791, which is a Technical Report of type 2, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security te

    26、chniques. This second edition cancels and replaces the first edition (ISO/IEC TR 19791:2006), which has been technically revised. ISO/IEC TR 19791:2010(E) vi ISO/IEC 2010 All rights reservedIntroduction This Technical Report is a support document that defines extensions to ISO/IEC 15408 to enable th

    27、e security assessment (evaluation) of operational systems. ISO/IEC 15408, as currently defined, provides support for specifying the IT security functionality that exists in products and systems. However, it does not capture certain critical aspects of an operational system that must be precisely spe

    28、cified in order to effectively evaluate such a system. This Technical Report provides extended evaluation criteria and guidance for assessing both the information technology and the operational aspects of such systems. It is primarily aimed at those who are involved in the development, integration,

    29、deployment and security management of operational systems, as well as evaluators seeking to apply ISO/IEC 15408 to such systems. It will be relevant to evaluation authorities responsible for approving and confirming evaluator actions. Evaluation sponsors, and other parties interested in operational

    30、system security, will be a secondary audience, for their background information. Considering the complexity of this project and the need for additional work, the target has been defined to be a Technical Report Type 2. In the future, once additional experience has been gained in this area, it is hop

    31、ed that it may be possible to convert this Technical Report into an International Standard to support evaluations of operational systems. Until some formalisation of an approach is performed, it is considered unlikely that many operational system evaluations of this nature will be undertaken due to

    32、the lack of specific guidance available, a gap that this Technical Report is designed to fill. There are fundamental issues in regards to the definition and use of the term system. ISO/IEC 15408, with its focus on product evaluation, uses the term system to include only the information technology (I

    33、T) aspects of the system. The term operational system, as used within this Technical Report, covers the combination of personnel, procedures and processes integrated with technology-based functions and mechanisms, applied together to establish an acceptable level of residual risk in a defined operat

    34、ional environment. This is a revised edition, updated for compatibility with the third edition of ISO/IEC 15408. TECHNICAL REPORT ISO/IEC TR 19791:2010(E) ISO/IEC 2010 All rights reserved 1Information technology Security techniques Security assessment of operational systems 1 Scope This Technical Re

    35、port provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are requ

    36、ired address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated. This Technical Report provides a) a definition and model for operational systems, b) a description

    37、 of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems, c) a methodology and process for performing the security evaluation of operational systems, d) additional security evaluation criteria to address those aspects of operational systems not covered by t

    38、he ISO/IEC 15408 evaluation criteria. This Technical Report permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using this Technical Report. This Technical Report is limited to the security evaluation of operational systems and

    39、 does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the e

    40、dition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 15408-1, Information technology Security techniques Evaluation criteria for IT security Part 1: Introduction and general model ISO/IEC 15408-2, Information technolo

    41、gy Security techniques Evaluation criteria for IT security Part 2: Security functional components ISO/IEC 15408-3, Information technology Security techniques Evaluation criteria for IT security Part 3: Security assurance components ISO/IEC 18045, Information technology Security techniques Methodolog

    42、y for IT security evaluation ISO/IEC TR 19791:2010(E) 2 ISO/IEC 2010 All rights reserved3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1, ISO/IEC 18045 and the following apply. 3.1 component identifiable and distinct portion of an operatio

    43、nal system that implements part of that systems functionality 3.2 external operational system separate operational system which interfaces to the operational system that is the subject of evaluation 3.3 management controls security controls (i.e., safeguards and countermeasures) for an information s

    44、ystem that focus on the management of risk and the management of information system security NIST SP 800-53 3.4 operational controls security controls (i.e., safeguards and countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems) NIST S

    45、P 800-53 3.5 operational system information system, including its non-IT aspects, considered in the context of its operating environment 3.6 residual risk risk remaining after risk treatment ISO/IEC Guide 73:2002 3.7 risk potential that a given threat will exploit vulnerabilities of an asset or grou

    46、p of assets and thereby cause harm to the organization NOTE This definition is identical to that of information security risk in ISO/IEC 27005:2008. 3.8 risk analysis systematic use of information to identify sources and to estimate the risk ISO/IEC Guide 73:2002 3.9 risk assessment overall process

    47、of risk analysis and risk evaluation ISO/IEC Guide 73:2002 ISO/IEC TR 19791:2010(E) ISO/IEC 2010 All rights reserved 33.10 risk management coordinated activities to direct and control an organization with regard to risk ISO/IEC Guide 73:2002 3.11 risk treatment process of selection and implementatio

    48、n of options to modify risk ISO/IEC Guide 73:2002 3.12 security controls management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information NIST SP 80

    49、0-53 NOTE This definition is intended to include controls that provide accountability, authenticity, non-repudiation, privacy and reliability, which are sometimes considered as distinct from confidentiality, integrity and availability. 3.13 security domain portion of an operational system that implements the same set of security policies 3.14 subsystem one or more operational system components that are capable of execution separately from the rest of the system 3.15 system target of eval


    注意事项

    本文(ISO IEC TR 19791-2010 Information technology - Security techniques - Security assessment of operational systems《信息技术 保密技术 操作系统安全评估》.pdf)为本站会员(王申宇)主动上传,麦多课文档分享仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文档分享(点击联系客服),我们立即给予删除!




    关于我们 - 网站声明 - 网站地图 - 资源地图 - 友情链接 - 网站客服 - 联系我们

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1 

    收起
    展开