4th CACR Information Security Workshop
Andrew Webber, Logica
What about the ITSEC?
The ITSEC was published in 1991 and has been adopted by the European
Commission for use across Europe and was also adopted in Australia
and New Zealand as the default criteria for performing IT security
evaluations. The ITSEC was one of the source criteria used in the
Common Criteria effort, leading to ISO Standard 15408 - the
"Common Criteria for Information Technology Security Evaluation".

Since the Common Criteria is intended to supersede all the source
criteria, what future is there for the ITSEC and why should anyone
invest in understanding it? This presentation will detail some of
the reasons why the ITSEC will still be relevant for several years

A greater understanding of the Common Criteria can be acquired by
understanding something of the source criteria. Understanding of the
ITSEC will help to interpret the meaning of existing evaluation
certificates and how they relate to evaluations against other criteria.
This presentation will outline the concepts of the ITSEC and how they
have been assimilated in the Common Criteria.

Two of the most important contributions that the ITSEC has made to IT
security evaluation are the growing acceptance of evaluation results in
other countries and experience of maintaining assurance through change.
This presentation will outline the difficulties and progress on mutual
recognition of ITSEC certificates. This helps to show how recognition of
Common Criteria and other evaluation schemes is likely to progress. It will
also address the experiences of the maintenance of assurance despite

A number of ITSEC evaluations have been performed in the UK of IT solutions
that make extensive use of encryption. This presentation will discuss the
extent of the ITSEC evaluation and the other (non-ITSEC) assessments
performed. This will outline the UK approach to FIPS 140 and how it
interacts with an ITSEC (or CC) evaluation.

Andy Webber is a senior evaluator in Logica's CLEF (CommerciaL Evaluation
Facility) and a consultant in Logica's Security Practice. Andy joined the
CLEF in 1990 and has worked on evaluations against many criteria. Andy has
been involved in a number of projects involving cryptography as a key
element, predominantly to the ITSEC, and at all assurance levels.