Foundations for the Harmonization of Information Technology Security Standards

This paper is the first work product of Joint Task 1 (JT01) defined in the Joint Workplan for cooperation on Security of Information Systems [1]. The objectives of JT01 are to: (a) Establish a common set of security functionality classes, representative of international and regional market-driven needs. (b) Develop a common approach to the creation of profiles from these security functionality classes consistent with current regional and international activities. (c) Create guidelines to support the prototyping of such profiles and their interpretability. This paper provides a base for common understanding of critical terms and concepts. It discusses the efforts and terms used in the four major Information Technology Security efforts: (a) The U. S . Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) [2], also known as the Orange Book. (b) The Information Technology Security Evaluation Criteria (ITSEC) [3]. (c) The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) [4]. (d) Federal Criteria for Information Technology Security [5]. In addition, this paper looks at the terms and concepts used in the development of International Standards Organization (ISO) standards for Open Systems Interconnection (OSI). This paper is presented as a base for the JT01 work and is not intended to analyze the good or weakness of various approaches to defining functionality classes or profiles. It attempts to point out where there are differences or the terminology is not precise to allow for a common international acceptance.