Determining Security Requirements for Complex Systems with the Orange Book

Active / Technical Report | Accession Number: ADA465540

Abstract:

The DoD Trusted Computer System Evaluation Criteria define requirements corresponding to specified levels of security functions and assurance. They do not, however, help determine what level system is required for a specific environment. A simplistic technique has been proposed for this purpose that takes into account only the classification of the most sensitive information processed by a system, the clearance of its least-cleared user, and the environment in which it was developed. This paper offers a straightforward but richer technique a developer can use to map a specific system architecture and application environment to a particular requirement level as defined in the Criteria. It accounts for differences in functions provided to different users and the ways users can invoke those functions, as well as for users' clearances and the sensitivity of data. This technique is applicable throughout the system life cycle, so that security requirements can be updated as changes to system structure and function occur.

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:
Approved For Public Release
Distribution Statement:
Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR