ImageVerifierCode 换一换
格式:PDF , 页数:14 ,大小:58.59KB ,
资源ID:730931      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-730931.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ETSI ES 202 383-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Security Design Guide Method and proforma for defining Securi_1.pdf)为本站会员(brainfellow396)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ETSI ES 202 383-2005 Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN) Security Design Guide Method and proforma for defining Securi_1.pdf

1、 ETSI ES 202 383 V1.1.1 (2005-04)ETSI Standard Telecommunications and Internet converged Services andProtocols for Advanced Networking (TISPAN);Security Design Guide;Method and proforma for defining Security TargetsETSI ETSI ES 202 383 V1.1.1 (2005-04) 2 Reference DES/TISPAN-07010-Tech Keywords IP,

2、methodology, security, VoIP ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies o

3、f the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF)

4、. In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of

5、 this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as

6、authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2005. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand

7、the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI ES 202 383 V1.1.1 (2005-04) 3 Contents Intellectual Property Rights4 Foreword

8、.4 Introduction 4 1 Scope 5 2 References 5 3 Definitions and abbreviations.6 3.1 Definitions6 3.2 Abbreviations .6 4 Overview 6 5 ST development6 5.1 Introduction 6 5.2 Endorsement Notice .7 5.3 Guidance notes .7 5.3.1 Introduction.7 5.3.2 ST Introduction (C.2.2).8 5.3.2.1 ST identification (C.2.2 b

9、ullet item a).8 5.3.2.2 CC conformance claim (C.2.2 bullet item b) 8 5.3.3 Target Of Evaluation description (C.2.3)8 5.3.4 TOE security environment (C.2.4)8 5.3.4.1 Assumptions (C.2.4 bullet item a).8 5.3.4.2 Threats (C.2.4 bullet item b) .9 5.3.4.3 Organizational security policies (C.2.4 bullet ite

10、m c).9 5.3.5 Security objectives (C.2.5)9 5.3.5.1 Security objectives for the TOE (C.2.5 bullet item b).9 5.3.6 IT security requirements (C.2.6).9 5.3.6.1 TOE security requirements (C.2.6, bullet item a) .9 5.3.6.1.1 TOE security assurance requirements (C.2.6, bullet item a.2) 9 5.3.7 PP claims (C.2

11、.8) 9 5.3.7.1 PP reference (C.2.8 bullet item a) .9 5.3.7.2 PP tailoring (C.2.8 bullet item b) 9 5.3.7.3 PP additions (C.2.8 bullet item c) .9 5.3.8 Rationale (C.2.9).10 5.3.8.1 PP claims rationale (C.2.9 bullet item d).10 Annex A (normative): Security target definition proforma .11 Annex B (informa

12、tive): Bibliography.13 History 14 ETSI ETSI ES 202 383 V1.1.1 (2005-04) 4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members an

13、d non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org

14、/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essentia

15、l to the present document. Foreword This ETSI Standard (ES) has been produced by ETSI Technical Committee Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN). Introduction The present document has been prepared with the sponsorship of the eEurope program

16、me as part of the ETSI support to the eEurope action line for a secure information infrastructure (item 3: Society). A major part of any security specification, and of a security product, is the measure of assurance it provides with respect to the security it offers. Information security evaluation

17、contributes to the users trust and confidence in communications products and services. The use of common criteria for evaluation (as defined in ISO/IEC 15408 6) has facilitated mutual recognition of results in many European countries and these countries have also entered into an arrangement with the

18、 US and Canada for further mutual recognition of IT security certificates. The present document is part of a set of standards and guidelines which show how the Common Criteria as identified in ISO/IEC 15408 6 can be used effectively within the ETSI standardization process. The documents in this set

19、are: EG 202 387 1: Method for application of Common Criteria to ETSI deliverables; ES 202 382 2: Method and proforma for defining Protection Profiles; ES 202 383: Method and proforma for defining Security Targets. Between them, these documents identify how standards fit to the Common Criteria and ho

20、w developers of standards should prepare their standards with a view to support submission for evaluation of product conforming to the standards. Adoption of Common Criteria objectives in standardization of security countermeasures is also consistent with achieving the objectives and recommendations

21、 of the NIS report. ETSI ETSI ES 202 383 V1.1.1 (2005-04) 5 1 Scope The present document provides guidance on the preparation of Security Targets (ST) based upon ETSI communication standards. The detailed contents of an ST are specified in ISO/IEC 15408-1 4. The present document endorses the require

22、ments for STs expressed in ISO/IEC 15408-1 4 annex C with some specified modifications and additional requirements. A proforma for a Security Target is given in annex A in tabular form to align with the proforma structure defined for Protection Profiles in ES 202 382 2. The use and applicability of

23、the Common Criteria (CC) to the ETSI standardization process is described in EG 202 387 1. Conformance to the present document is established by successful evaluation to the requirements of ISO/IEC 15408-3 5. 2 References The following documents contain provisions which, through reference in this te

24、xt, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. Refere

25、nced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. 1 ETSI EG 202 387: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method for application

26、 of Common Criteria to ETSI deliverables“. 2 ETSI ES 202 382: “Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Security Design Guide; Method and proforma for defining Protection Profiles“. 3 ETSI TS 102 165-1: “Telecommunications and Internet Protoc

27、ol Harmonization Over Networks (TIPHON) Release 4; Protocol Framework Definition; Methods and Protocols for Security; Part 1: Threat Analysis“. 4 ISO/IEC 15408-1: “Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model“. 5 ISO/IEC

28、15408-3: “Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements“. 6 ISO/IEC 15408: “Information technology - Security techniques - Evaluation criteria for IT security“. NOTE: When referring to all parts of ISO/IEC 15408 the refer

29、ence above is used. ETSI ETSI ES 202 383 V1.1.1 (2005-04) 6 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in EG 202 387 1 apply. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply:

30、CC Common Criteria EAL Evaluation Assurance Level IT Information TechnologyPP Protection Profile ST Security Target TOE Target Of Evaluation 4 Overview The evaluation criteria for IT security, generally referred to as the “Common Criteria (CC)“, are defined in the multipart standard, ISO/IEC 15408 6

31、 and are used as the basis for evaluation of security properties of IT products and systems. CC evaluation involves the preparation of a Security Target (ST) that specifies the security requirements for an identified Target Of Evaluation (TOE) and describes the functional and assurance security meas

32、ures offered by that TOE to meet the stated requirements. As an ST is directly related to the final TOE and is therefore prepared by the TOE developer there is no impact on the standardization process. ISO/IEC 15408-3 5 states that although an ST is not directly evaluated by itself it does describe

33、the TOE that is evaluated. 5 ST development 5.1 Introduction This clause endorses the content of ISO/IEC 15408-1 4 annex C and identifies interpretations and guidelines to standards developers of specific clauses in the endorsed standard. As stated in clause 4 “an ST specifies the security requireme

34、nts for an identified Target Of Evaluation (TOE) and describes the functional and assurance security measures offered by that TOE to meet the stated requirements. Although an ST is likely to refer to one or more PPs, it is prepared by the TOE developer and has no impact on the standardization proces

35、s“. However whilst the present document acts as an endorsement of the annex C of ISO/IEC 15408-1 4 this clause gives interpretations and guidance that may be applied when the supporting rationale and PP is derived from an ETSI standard. As stated in clause 5.1 of ISO/IEC 15408-1 4 evaluation of an S

36、T gives an intermediate result in the path towards an evaluated TOE. This is in contrast to the outcome of a PP evaluation where the results are catalogued and made available for STs to be developed from. The ST expresses the security requirements that are evaluated in the TOE evaluation process. ET

37、SI ETSI ES 202 383 V1.1.1 (2005-04) 7 ST indentificationST overviewCC conformanceST IntoductionTOE DescriptionAssumptionsThreatsOrganisational security policiesTOE Security environmentSecurity objectives for the TOESecurity objectives for the environmentSecurity objectivesTOE security functional req

38、uirementsTOE security assurance requirementsTOE security requirementsSecurity requirements for the IT environmentIT security requirementsTOE security functionsAssurance measuresTOE summary specificationPP referencePP tailoringPP additionsPP claimsSecurity objectives rationaleSecurity requirements ra

39、tionaleTOE summary specification rationalePP claims rationaleRationaleSECURITY TARGETFigure 1: Security Target content Figure 1 identifies the content of an ST and the notes that follow are given with respect to both the ST structure and to the content of annex C of ISO/IEC 15408-1 4. 5.2 Endorsemen

40、t Notice The text of ISO/IEC 15408-1 4 annex C is endorsed in full. 5.3 Guidance notes 5.3.1 Introduction The following clauses offer additional guidance to that found in ISO/IEC 15408-1 4. The notes in the present document are intended to assist standards developers identify from existing standards

41、 development practices an approach to the development of STs. Not all parts of the required content of an ST are commented upon. Where no guidance notes are provided the existing text in ISO/IEC 15408-1 4 should be taken as a whole. ETSI ETSI ES 202 383 V1.1.1 (2005-04) 8 5.3.2 ST Introduction (C.2.

42、2) 5.3.2.1 ST identification (C.2.2 bullet item a) The identification of an ST is not required for cataloguing so is not defined with the same rigour as that of a PP (see 2). However by following the practice of identification identified for PP in 2 a consistent naming criteria for STs can be establ

43、ished. This is particularly true when the ST may need to be revisited over the life of the TOE. 5.3.2.2 CC conformance claim (C.2.2 bullet item b) The conformance claim made for the ST has to use one of the terms identified in clause 5.4 of ISO/IEC 15408 -1 4. The claims are summarized in table 1. T

44、able 1: Conformance claim in STs and TOEs Claim Summary Condition a Part 2 conformant The functional requirements are based only on functional components in part 2 b Part 2 extended The functional requirements include functional components not found in part 2 Only one of a or b shall be chosen c Par

45、t 3 conformant The assurance requirements are based only on assurance components in part 3 d Part 3 augmented The assurance requirements are based on an EAL plus other assurance components from part 3 (e.g. complies with all of the requirements of EAL4 and includes compliance with other assurance pa

46、ckages relevant only for higher EALs) e Part 3 extended The assurance requirements are based on assurance components either not in part 3, or in addition to those in part 3 Only one of c or d or e shall be chosen f Conformant to PP Conforms to all parts of a PP None Where conformance to a PP is clai

47、med the PP has to be identified. A later section of the ST, “PP Claims“, provides additional detail on the scope of the PP conformance. Where PP conformance is declared the PP will have identified the assurance packages, normally this is done by reference to an EAL, sometimes by reference to an exte

48、nsion of an EAL (i.e. an EAL with additional evaluation components drawn from part 3). Similarly a PP will have stated the security requirements in terms of part 2 or may base its security functional requirements in a manner where “Part 2 extended“ applies. In large systems where an ST may define on

49、ly a part of the scope of a PP the claim “Conformant to PP“ should not be used. 5.3.3 Target Of Evaluation description (C.2.3) This should describe both the hardware and software of the TOE. Where the system has been formally modelled in UML the deployment diagram may be used to illustrate this clause. The tone of the text should be not very technical as it is intended to give an understanding of the security requirements being fulfilled by the TOE. Where UML or similar graphical tools are used in the developm

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1