"b Is for Business : Mandatory Security Criteria and the Oecd Guidelines for Information Systems Security"

This paper sets out the proposition that mandatory security functionality, with its associated enforcement and evaluation criteria, are required in computer and data network systems to meet emerging national and international laws and guidelines for information systems security. The OECD 1992 Guidelines for Information Systems Security are used as a baseline for the consideration of such levels of trusted functionality. Concepts for trusted computer and data network systems, as set out in the original Trusted Computer System Evaluation Criteria (TCSEC) of the United States, the Information Technology Security Evaluation Criteria (ITSEC) of the group of four European nations, the Canadian (CTCPEC) evaluation criteria and the more recent international Common Criteria (CC) are seen as relevant to the distributed and client/server computing environments of information systems in the 1990s and beyond. Overall, it is suggested that security functionality and evaluation/ enforcement, at the level of the earlier TCSEC "B1" as a minimum, are required in networked computer systems to meet emerging national and international legal requirements and I.T. security guidelines.