A Framework for Evaluation of Information Systems Security

Evaluating information systems security is a process which involves identifying, gathering, and analysing security functionality and assurance level against criteria. This can result in a measure of trust that indicates how well the system meets a particular security target. It is desirable that the trust one can have on system is measurable and quantifiable through out the systems life cycle. Generally this is referred to as Information Security Assurance. However, security assurance is costly and time consuming. This can partly be attributed to non technical assurance factors, the choice of assurance technique and tools, composition, lack of reuse, life cycle assurance and lack of metrics which are essential for cost and effort estimation. Assurance for complex systems like electronic commerce is still abstract because when the systems complexity increased, it becomes harder to examine whether security requirements has been met and therefore the concept of perfect security proves to be unachievable goal for both computer systems vendors and consumers. This work is based on the Common Criteria (CC) which is an established method for security functions identification, assurance levels classification and development of Protection Profiles. In this research an Information Security Assurance Framework is proposed. This can be used to address the Information Security Assurance problem taking into consideration non-technical assurance factors, re-use of Protection Profiles and use of security metrics in the process of information assurance. A Protection Profile defines an implementation-independent set of IT security requirements for a category of IT products. Such products are intended to meet common consumer needs for IT security. Consumers can therefore construct or cite a PP to express their IT security needs without reference to any specific product.