1、 Reference number ISO/IEC TR 19791:2010(E) ISO/IEC 2010TECHNICAL REPORT ISO/IEC TR 19791 Second edition 2010-04-01Information technology Security techniques Security assessment of operational systems Technologies de linformation Techniques de scurit valuation de la scurit des systmes oprationnels IS
2、O/IEC TR 19791:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
3、downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in
4、 the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the addr
5、ess given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either
6、 ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2010 All rights reservedISO/IEC TR 19791:2010
7、(E) ISO/IEC 2010 All rights reserved iiiContents Page Foreword .v Introductionvi 1 Scope1 2 Normative references1 3 Terms and definitions .2 4 Abbreviated terms.4 5 Structure of this Technical Report 4 6 Technical approach.5 6.1 The nature of operational systems5 6.2 Establishing operational system
8、security 5 6.3 Security in the operational system life cycle .7 6.4 Relationship to other systems .10 7 Extending ISO/IEC 15408 evaluation concepts to operational systems10 7.1 Overview.10 7.2 General philosophy.10 7.3 Operational system assurance 12 7.4 Composite operational systems 14 7.5 Domain A
9、ssurance16 7.6 Types of security controls18 7.7 System security functionality 20 7.8 Timing of evaluation21 7.9 Use of evaluated products .22 7.10 Documentation requirements 23 7.11 Testing activities .24 7.12 Configuration management25 8 Relationship to existing security standards.25 8.1 Overview.2
10、5 8.2 Relationship to ISO/IEC 15408 .27 8.3 Relationship to non-evaluation standards .27 8.4 Relationship to Common Criteria development.28 9 Evaluation of operational systems28 9.1 Introduction28 9.2 Evaluation roles and responsibilities28 9.3 Risk assessment and determination of unacceptable risks
11、.30 9.4 Security problem definition30 9.5 Security objectives31 9.6 Security requirements.31 9.7 The System Security Target (SST).33 9.8 Periodic reassessment .35 Annex A (normative) Operational system Protection Profiles and Security Targets 36 A.1 Specification of System Security Targets.36 A.2 Sp
12、ecification of System Protection Profiles.42 Annex B (normative) Operational system functional control requirements.49 B.1 Introduction49 B.2 Class FOD: Administration.51 B.3 Class FOS: IT systems59 ISO/IEC TR 19791:2010(E) iv ISO/IEC 2010 All rights reservedB.4 Class FOA: User Assets69 B.5 Class FO
13、B: Business 71 B.6 Class FOP: Facility and Equipment .73 B.7 Class FOT: Third parties .78 B.8 Class FOM: Management 80 Annex C (normative) Operational system assurance requirements84 C.1 Introduction84 C.2 Class ASP: System Protection Profile evaluation89 C.3 Class ASS: System Security Target evalua
14、tion101 C.4 Class AOD: Operational system guidance document .115 C.5 Class ASD: Operational System architecture, design and configuration documentation.120 C.6 Class AOC: Operational System configuration management.131 C.7 Class AOT: Operational System test .136 C.8 Class AOV: Operational System vul
15、nerability assessment 146 C.9 Class APR: Preparation for live operation 154 C.10 Class ASO: Records on operational system 157 Annex D (normative) Operational System evaluation methodology .162 D.1 Technical approach .162 D.2 Class ASP: System Protection Profile evaluation163 D.3 Class ASS: System Se
16、curity Target evaluation178 D.4 Class AOD: Operational system guidance document .195 D.5 Class ASD: Operational system architecture, design and configuration documentation.199 D.6 Class AOC: Operational system configuration management .207 D.7 Class AOT: Operational system test210 D.8 Class AOV: Ope
17、rational system vulnerability assessment.217 D.9 Class APR: Preparation for live operation 228 D.10 Class ASO: Records on operational system 231 Bibliography 235 ISO/IEC TR 19791:2010(E) ISO/IEC 2010 All rights reserved vForeword ISO (the International Organization for Standardization) and IEC (the
18、International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particul
19、ar fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have establis
20、hed a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical
21、 committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report of one of the foll
22、owing types: type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts; type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement
23、on an International Standard; type 3, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example). Technical Reports of types 1 and 2 are subject to review within three years of publica
24、tion, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful. Attention is drawn to the possibility that some of the elements of this documen
25、t may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC TR 19791, which is a Technical Report of type 2, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security te
26、chniques. This second edition cancels and replaces the first edition (ISO/IEC TR 19791:2006), which has been technically revised. ISO/IEC TR 19791:2010(E) vi ISO/IEC 2010 All rights reservedIntroduction This Technical Report is a support document that defines extensions to ISO/IEC 15408 to enable th
27、e security assessment (evaluation) of operational systems. ISO/IEC 15408, as currently defined, provides support for specifying the IT security functionality that exists in products and systems. However, it does not capture certain critical aspects of an operational system that must be precisely spe
28、cified in order to effectively evaluate such a system. This Technical Report provides extended evaluation criteria and guidance for assessing both the information technology and the operational aspects of such systems. It is primarily aimed at those who are involved in the development, integration,
29、deployment and security management of operational systems, as well as evaluators seeking to apply ISO/IEC 15408 to such systems. It will be relevant to evaluation authorities responsible for approving and confirming evaluator actions. Evaluation sponsors, and other parties interested in operational
30、system security, will be a secondary audience, for their background information. Considering the complexity of this project and the need for additional work, the target has been defined to be a Technical Report Type 2. In the future, once additional experience has been gained in this area, it is hop
31、ed that it may be possible to convert this Technical Report into an International Standard to support evaluations of operational systems. Until some formalisation of an approach is performed, it is considered unlikely that many operational system evaluations of this nature will be undertaken due to
32、the lack of specific guidance available, a gap that this Technical Report is designed to fill. There are fundamental issues in regards to the definition and use of the term system. ISO/IEC 15408, with its focus on product evaluation, uses the term system to include only the information technology (I
33、T) aspects of the system. The term operational system, as used within this Technical Report, covers the combination of personnel, procedures and processes integrated with technology-based functions and mechanisms, applied together to establish an acceptable level of residual risk in a defined operat
34、ional environment. This is a revised edition, updated for compatibility with the third edition of ISO/IEC 15408. TECHNICAL REPORT ISO/IEC TR 19791:2010(E) ISO/IEC 2010 All rights reserved 1Information technology Security techniques Security assessment of operational systems 1 Scope This Technical Re
35、port provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are requ
36、ired address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated. This Technical Report provides a) a definition and model for operational systems, b) a description
37、 of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems, c) a methodology and process for performing the security evaluation of operational systems, d) additional security evaluation criteria to address those aspects of operational systems not covered by t
38、he ISO/IEC 15408 evaluation criteria. This Technical Report permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using this Technical Report. This Technical Report is limited to the security evaluation of operational systems and
39、 does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the e
40、dition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 15408-1, Information technology Security techniques Evaluation criteria for IT security Part 1: Introduction and general model ISO/IEC 15408-2, Information technolo
41、gy Security techniques Evaluation criteria for IT security Part 2: Security functional components ISO/IEC 15408-3, Information technology Security techniques Evaluation criteria for IT security Part 3: Security assurance components ISO/IEC 18045, Information technology Security techniques Methodolog
42、y for IT security evaluation ISO/IEC TR 19791:2010(E) 2 ISO/IEC 2010 All rights reserved3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1, ISO/IEC 18045 and the following apply. 3.1 component identifiable and distinct portion of an operatio
43、nal system that implements part of that systems functionality 3.2 external operational system separate operational system which interfaces to the operational system that is the subject of evaluation 3.3 management controls security controls (i.e., safeguards and countermeasures) for an information s
44、ystem that focus on the management of risk and the management of information system security NIST SP 800-53 3.4 operational controls security controls (i.e., safeguards and countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems) NIST S
45、P 800-53 3.5 operational system information system, including its non-IT aspects, considered in the context of its operating environment 3.6 residual risk risk remaining after risk treatment ISO/IEC Guide 73:2002 3.7 risk potential that a given threat will exploit vulnerabilities of an asset or grou
46、p of assets and thereby cause harm to the organization NOTE This definition is identical to that of information security risk in ISO/IEC 27005:2008. 3.8 risk analysis systematic use of information to identify sources and to estimate the risk ISO/IEC Guide 73:2002 3.9 risk assessment overall process
47、of risk analysis and risk evaluation ISO/IEC Guide 73:2002 ISO/IEC TR 19791:2010(E) ISO/IEC 2010 All rights reserved 33.10 risk management coordinated activities to direct and control an organization with regard to risk ISO/IEC Guide 73:2002 3.11 risk treatment process of selection and implementatio
48、n of options to modify risk ISO/IEC Guide 73:2002 3.12 security controls management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information NIST SP 80
49、0-53 NOTE This definition is intended to include controls that provide accountability, authenticity, non-repudiation, privacy and reliability, which are sometimes considered as distinct from confidentiality, integrity and availability. 3.13 security domain portion of an operational system that implements the same set of security policies 3.14 subsystem one or more operational system components that are capable of execution separately from the rest of the system 3.15 system target of eval