Handbook of Information Security Management:Policy, Standards, and Organization



International, Functional

Some international organizations have developed policies that attempt to organize and direct the flow of information and the conduct of trade between countries. These policies frequently are mutually agreed upon by participating countries, and often have little or no provision for enforcement. Developed to facilitate communication, these policies are easily translated and provide the basis for effective and efficient conveyance of tangible and intellectual property. Examples of these types of policies are international copyright provisions, IEEE electrical component standards, and data communications exchange protocols and formats. The risk of noncompliance is more a failure to operate properly than a breach of agreement. In this regard, these types of policies are self-enforcing.

In other instances, standards are functional and provide more instructional and directive guidance. The enforcement of these policies is often relegated to participant discussions and expectations of cooperation. Several examples exist of these types of policies, especially in the Computer and Information Security arena. Consider the following:

TCSEC, ITSEC, Common Criteria

The Trusted Computer System Evaluation Criteria (TCSEC), developed by the U.S. government, and the Information Technology Security Evaluation Criteria (ITSEC), initiated in the European community, along with a third document known as the Common Criteria, form the basis for measuring and evaluating systems with regard to their security capabilities.

The TCSEC standard takes into account five aspects of security: the system’s ability to provide security defined by a security policy, the accountability mechanisms, the operational aspect of security, system life cycle security assurance, and the documentation developed and maintained about the system’s security aspects.

The ITSEC standard was initiated by combining the British, German, and French standards into a single European policy.

The Common Criteria is a work in progress that attempts to normalize both the TCSEC and the ITSEC into a single, universally acceptable standard.

Security Technical Reference Materials

Numerous organizations and sponsors have drafted technical documents for general reference as policies and for establishing security measurements in the public and private sector. NIST maintains a clearinghouse for such documents published by the public sector and contributed by private organizations. Other organizations maintain numerous reference materials. Because this list is growing continuously, the most up-to-date reference for the documents in this category can be found by browsing the Internet with the subject “Security and Privacy.”

Trusted Computing

Several important documents also exist to help establish policies and standards for trusted computing systems, trusted databases, and trusted communications protocols. The most common reference policies dealing with trusted computing in the U.S. are the documents of the Trusted Computer System Evaluation Criteria (DoD 5200.28-STD), also known as the “Orange Book.”

Security Classes

Common evaluation procedures have been applied to various systems in an attempt to group the commercial products into common categories according to their capability of securing data and procedures they administer. As a result of this evaluation, security classes have been established and are used by system suppliers to place their security capabilities in one of several categories. The TCSEC offers the following four categories:

A  — Formal proven security provisions.
B  — Mandatory access policies enforced.
C  — Discretionary access protection.
D  — Minimal security enabled.

The ITSEC assigns two categories to each system: one for security Functionality (F) and a second for the European assurance level (E). Therefore, a classification under the ITSEC policy might look like F4/E3.

Classes also exist in the Common Criteria, but since this document, intended as a universal interpretation of both the TCSEC and ITSEC, is still in draft, it should be referenced directly before using any information attributed to the Common Criteria.

More information is available regarding these categories in the TCSEC, ITSEC, or Common Criteria documents.

Transborder Data Controls

Several policies and standards address the transmission of data between countries. Because individual countries can change their regulations, and because technology often presents new challenges not anticipated by existing regulations, the most thorough and accurate source of data control policies is the Internet. One of the recent documents available on the Internet is from the Netherlands. To reference it, use a World Wide Web browser with the subject “Transborder data security.”

National

In the U.S., two publications represent the most widely referenced security policies and are often used as models for organizational policies large and small: the DoD Orange Book, and the National Computer Security Center (NCSC) Technical Guidelines, known as the “Rainbow Series” because the topics are published individually in small booklets, each of which has a different brightly colored cover. Contact the NCSC or the National Institute of Standards and Technology (NIST) to obtain more information or to be placed on the mailing list to receive updated copies of these publications.




