1999 Conferences

4th CACR Information Security Workshop

Andrew Webber, Logica

What about the ITSEC?

The ITSEC was published in 1991 and has been adopted by the European Commission for use across Europe and was also adopted in Australia and New Zealand as the default criteria for performing IT security evaluations. The ITSEC was one of the source criteria used in the Common Criteria effort, leading to ISO Standard 15408 - the "Common Criteria for Information Technology Security Evaluation". Since the Common Criteria is intended to supersede all the source criteria, what future is there for the ITSEC and why should anyone invest in understanding it? This presentation will detail some of the reasons why the ITSEC will still be relevant for several years to come.

A greater understanding of the Common Criteria can be acquired by understanding something of the source criteria. Understanding of the ITSEC will help to interpret the meaning of existing evaluation certificates and how they relate to evaluations against other criteria. This presentation will outline the concepts of the ITSEC and how they have been assimilated in the Common Criteria.

Two of the most important contributions that the ITSEC has made to IT security evaluation are the growing acceptance of evaluation results in other countries and the experience of maintaining assurance through change. This presentation will outline the difficulties and progress on mutual recognition of ITSEC certificates. This helps to show how recognition of Common Criteria and other evaluation schemes is likely to progress. It will also address the experience of maintaining assurance despite changes.

A number of ITSEC evaluations have been performed in the UK of IT solutions that make extensive use of encryption. This presentation will discuss the extent of the ITSEC evaluation and the other (non-ITSEC) assessments performed. This will outline the UK approach to FIPS 140 and how it interacts with an ITSEC (or CC) evaluation.

Speaker Bio
Andy Webber is a senior evaluator in Logica's CLEF (CommerciaL Evaluation Facility) and a consultant in Logica's Security Practice. Andy joined the CLEF in 1990 and has worked on evaluations against many criteria. Andy has been involved in a number of projects involving cryptography as a key element, predominantly to the ITSEC, and at all assurance levels.