Accession Number:

ADA465540

Title:

Determining Security Requirements for Complex Systems with the Orange Book

Descriptive Note:

Corporate Author:

NAVAL RESEARCH LAB WASHINGTON DC INFORMATION TECHNOLOGY DIV

Personal Author(s):

Report Date:

1985-01-01

Pagination or Media Count:

13.0

Abstract:

The DoD Trusted Computer System Evaluation Criteria define requirements corresponding to specified levels of security functions and assurance. They do not, however, help determine what level system is required for a specific environment. A simplistic technique has been proposed for this purpose that takes into account only the classification of the most sensitive information processed by a system, the clearance of its least-cleared user, and the environment in which it was developed. This paper offers a straightforward but richer technique a developer can use to map a specific system architecture and application environment to a particular requirement level as defined in the Criteria. It accounts for differences in functions provided to different users and the ways users can invoke those functions, as well as for users' clearances and the sensitivity of data. This technique is applicable throughout the system life cycle, so that security requirements can be updated as changes to system structure and function occur.

Subject Categories:

  • Computer Systems Management and Standards

Distribution Statement:

APPROVED FOR PUBLIC RELEASE