Technique for Evaluation of Compliance of Information Security Means with Common Criteria

The problems of certification of information security means according to information security requirements and the peculiarities of evaluation of output compliance with the higher evaluation assurance levels are considered. Certificates that are demanded from the developer during the conduction ofcertification tests as well as peculiarities of their representation using formal and semi-formal styles of writing are given. Based on Common Criteria methodology, a formal description of the compliance evaluation is introduced, which can be used in test laboratories for planning and conduction of certification tests in accordance with requirements of the new normative base of the Federal Service on Technical and Export Control of Russia. Basic methods used in test laboratories during the test conduction (expert-documental method, functional testing, static and dynamical analysis of source texts, testing by penetration), as well as peculiarities of their using in view of the new normative base are considered. The methodic recommendations on optimization of the compliance evaluation are offered, which allow the time and material expenditures to be reduced.

References

[1] Bagaev D.A., Lankin O.V., Rogozin E.A. The way to determine complex defense indicator of automated systems. Vopr. Zashch. Inf. [Probl. Inf. Prot.], 2009, no. 2, pp. 8–10 (in Russ.).

[2] Osovetskiy L.G., Sukhanov A.V., Manuylov N.A. General criteria: myths and reality. Scientific and technological aspects. Mayorovskie Chteniya: Trudy 9 Nauch. Tech. Konf. "Teoriya i tekhnologiya programmirovaniya i zashchity informatsii. Primenenie vychislitel’noy tekhniki" [Mayorovskie Read.: Proc. 9 Sci. Tech. Conf. "Theory and technology of programming and information security. The application of computers"]. St. Petersburg, SPb Gos. Univ. Publ., 2005, pp. 3–5 (in Russ.).

[3] Markov A.S. Statistics of general criteria implementation in foreign countries. Inf. Bezop. [Inf. Secur.], 2006, no. 1–2, pp. 12–15 (in Russ.).

[4] Gribunin V.G. General criteria in Russia. Inf. Bezop. [Inf. Secur.], 2005, no. 1, pp. 22-25 (in Russ.).

[5] Betelin V.V., Galatenko V.A., Kobzar’ M.T., Sidak A.A., Trifalenkov I.A. Protection profiles based on general criteria. Analitical review. Inf. Byull. JetInfo [JetInfo Newsl.], 2003, vol. 118, no. 3, 32 p. (in Russ.).

[6] Grishin M.I., Markov A.S., Barabanov A.V. A formal basis and metabasis for estimating the compliance of information protection means with informatization objects. Izv. Inst. Inzh. Fiz. [Proc. Inst. Eng. Phys.], 2011, no. 3, pp. 82–88 (in Russ.).

[7] Markov A.S., Mironov S.V., Tsirlov V.L. Identification of software vulnerability in the certification process. Izv. Taganrog. Gos. Radio Tekhn. Univ. [Proc. Taganrog State Univ.], 2006, vol. 62, no. 7, pp. 82–87 (in Russ.).

[8] Barabanov A.V., Markov A.S., Tsirlov V.L. A methodology for estimating the compliance of automated information systems with security requirements. Spetstekhn. Svyaz’ [Spec. Equip. Commun.], 2011, no. 3, pp. 48–53 (in Russ.).

[9] Barabanov A.V., Markov A.S., Tsirlov V.L. The development of a firewall testing technique to meet security requirements. Vopr. Zashch. Inf. [Probl. Inf. Prot.], 2011, no. 3, pp. 19–24 (in Russ.).

[10] Barabanov A.V. A method for assessing the compliance of automated systems with the requirements to protect information from unauthorized access by using sampling inspection. Vestn. Mosk. Gos. Tekh. Univ. im. N.E. Baumana, Ser. Priborostr. [Herald of the Bauman Moscow State Tech. Univ. Ser. Instrum. Eng.], 2011, no. 2, pp. 104–115 (in Russ.).