(1.中國電子科技集團公司第十五研究所北京 100083���;
2.信息產業部計算機安全技術檢測中心 北京 100083)
摘 要: 信息安全評估標準CC是旨在對IT產品或系統進行安全性評價的一項通用準則�����,它隨著技術的發展和需求的變化在不斷更新����。本文分析了CC中評估保證級(EAL)的主要內容���,闡釋了更新變化的主要內容���,并對采用CC開展信息安全評估的方法進行了探討��,分析并提出了在使用最新版CC進行信息安全評估時應著重考慮的要點和方法�。
關鍵字: 信息安全���;CC標準���;安全評估����;評估方法
Research on information technology security evaluation and methodology based on CC
LI Guo-jun1 WANG Rui-lin2
(1.China Electronics Technology Group Corporation No.15 Research Institute, Beijing 100083;
2.Computer Technology Security Test Center of MII, Beijing 100083)
Abstract: Information Security Evaluation Criteria (CC) is a general rule designed for security evaluation on IT product or system, it is constantly updated with technology and needs change. This paper analyzes the main elements of evaluation assurance level (EAL) in CC, explains the main updated parts, and discusses how to carry out information security evaluation by using CC, analyzes and presents the key points and methods that should be considered for Information Security Evaluation by using the latest version of the CC.
Key words: information security; Common Criteria; security evaluation; evaluation method
參考文獻:
[1] [CC-1] Common Criteria for Information Technology Security Evaluation, Version 3.1, revision 3, July 2009. Part 1: Introduction and general model.
[2] [CC-2] Common Criteria for Information Technology Security Evaluation, Version 3.1, revision 3, July 2009. Part 2: Functional security components.
[3] [CC-3] Common Criteria for Information Technology Security Evaluation, Version 3.1, revision 3, July 2009. Part 3: Assurance security components.
[4] [CEM] Common Methodology for Information Technology Security Evaluation, Version 3.1, revision 3, July 2009.
[5] [ISO/IEC 27001] Information technology -- Security techniques -- Information security management systems -- Requirements
[6] [ISO/IEC 27002] Information technology -- Security techniques -- Code of practice for information security management
[7] NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems-2007.6
[8]《GB/T18336-2008 信息技術 安全技術 信息技術安全性評估準則》2008
作者簡介:
李國�。1978-)�����,男�����,工學碩士�,主要研究方向:信息安全測評技術����、智能卡安全性評估����。
