摘要
介绍了信息安全评估的定义、标准及其发展,重点讨论了可信计算机系统评估准则中机构化保护级评估标准安全策略中的自主访问控制、客体重用、标记(标记完整性和标记信息的输出)和强制访问控制;责任中的身份鉴别和审计;保证中的操作保证(系统结构、系统完整性、隐蔽信道分析和可信设施管理)和生命周期保障(安全测试、设计说明书和检验以及配置管理);文档中的安全特征用户指南、可信设施指南、测试文档和设计文档。最后,将机构化保护级与信息技术安全评估通用准则中的测试级5进行了比较分析。
This paper introduces the definition, standard and development on evaluation of information security; emphasis on Class of B2 in TCSEC, especially the security policy of B2, such as discretionary access control, object reuse, Labels (label integrity and exportation of labeled information) and mandatory access control. this paper also studies and analyses the other requirements for class B2, such as identification and authentication in the requirement of accountability; operational assurance (system architecture, system integrity, covert channel analysis and trusted facility management) and life-cycle assurance (security testing, design specification and verification and configuration management) in the requirement of assurance; security features user’s guide, trusted facility manual, test documentation and design documentation in the requirement of documentation. in the end of this paper, we study and comparatively analyses the class of B2 with the class of EAL5 in CC.
出处
《电子科技大学学报》
EI
CAS
CSCD
北大核心
2005年第3期373-376,共4页
Journal of University of Electronic Science and Technology of China
基金
四川省科技攻关项目(03FG013-008)
关键词
信息安全
评估
可信计算机系统评估准则
可信计算基
information security
evaluation
trusted computer system evaluation criterial
trusted calculate base
