At the risk of generating flame mail on obscure subjects, I would make some
observations on the 'CIA triangle' conversations.
The first known use of the particular diagram was in the mid 1940s in the UK
by the Royal Signals and Radar Establishment, some years before the advent
of the CIA. The RSRE electronics specialist who made that presentation
claims to have based it on a view expressed in ancient Greece, so nothing is
new.
The ITSEC driving countries, UK, Netherlands, Germany and France agreed the
ITSEC draft in 1990 and although TCSEC does not measure outside Assurance,
ITSEC certainly does. Products and systems evaluated and certified under
ITSEC since January 1991 are reported on this basis. For example, TCSEC C2 =
ITSEC F-C2/E2.
FC-FIPS drew heavily on ITSEC. The international Common Criteria is supposed
to develop from the joint efforts of the sponsors who are: European Union
(representing the ITSEC driving countries and the existing and prospective
Member countries of the EU), the Government of the United States of America
( through NCSC and NIST) and the Government of Canada. The objective is to
establish a common criteria for mutual acceptance by these nations and the
encouragement of other nations to mutually accept the CC. That means that
the CC will evolve before being accepted and, at present, existing criteria
continue in use.
The International Invitational Workshop held in June 94 in support of the CC
programme produced several divergent views and demonstrated a number of
vested interests. Therefore, progress may not be as rapid as many of us
hope.
I would suggest that this activity should be of keen interest to firewallers
because it has many implications for the development of risk policies and
for procurement of technology. The primary objective behind the ITSEC
programme was to make effective and appropriate risk management of IT systems
available and affordable to all users.
Ian J-B.