基于国际标准CC 和CEM 的计算机系统信息安全性评估认证支持平台

摘要/Abstract

摘要： 信息系统的整体安全性只有遵照统一的标准来设计、实现、运用、维护,才能在系统的整个生命周期中得到保障.因此，信息系统的安全性标准化工作一直都是世界各国共同关注的问题.CC和CEM是一套信息系统安全性评估和认证的通用标准，并且已经被国际标准化组织ISO收录并颁布.基于CC和CEM标准的评估和认证，可以在被评估认证系统的所有利害相关者之间建立起具有共同基础的信任关系，因此CC和CEM已在世界范围内被广泛应用.然而，基于此套标准的评估和认证过程非常复杂.评估认证过程中的具体工作任务繁杂，涉及的相关文档种类繁多，由人工来进行评估和认证工作需要花费大量的时间，同时需要从事者有极高的专业水平和丰富的经验.并且，由人工进行评估和认证工作，不可避免地会产生人为性错误和由主观倾向导致的偏向性误差，这些问题都会降低评估认证结果的正确性、准确性、公平性.所以，为了提高评估认证工作的效率，保证评估结果的正确性、准确性、公平性，同时降低评估认证工作者的工作难度，一套能够支持评估认证工作整体流程的自动化工具是迫切需要的.但是，以往在世界上并不存在此类工具.为此，提出、设计、开发了世界上第1个基于CC和CEM的评估认证全过程的评估认证支持平台.此平台通过使用自动化方法，帮助相关人员完成评估认证全过程中的各项繁琐的具体工作.介绍了这个基于CC和CEM的评估认证支持平台的设计思想和开发细节.

关键词: CC, CEM, 信息技术, 安全技术, 信息安全性评估认证

Abstract: The whole security of IT systems can be guaranteed only if it is designed, implemented, used, maintained according to some common standards. Therefore, the standardization of IT system security is always a common issue all over the world. CC and CEM are a pair of ISO-NIEC international standards for information security evaluation and certification. CC and CEM establish a trustworthy relationship with common basis among all stakeholders of the target system that is evaluated and certified, and therefore CC and CEM are widely used all over the world. However, evaluation and certification based on CC and CEM is very complex. Evaluation and certification process involves of tens of documents and tasks. Performing evaluation and certification process by human shall cost lots of time. Besides, it is also difficult to ensure that evaluation and certification is fair and no subjective mistakes. These issues not only may result in consuming a lot of time, but also may affect the correctness, accuracy, and fairness of evaluation and certification results. Thus, it is necessary to provide a supporting environment that supports all tasks related to the evaluation and certification process automatically to improve the quality of evaluation results，at the same time reduce the complexity of all evaluator and certifiers work. However, there is no such environment existing until now. This paper presents a supporting environment we are developing for IT system security evaluation and certification based on CC and CEM that provides comprehensive facilities to support the whole evaluation and certification process. This is the first supporting environment to support the whole security evaluation and certification process.

Key words: CC, CEM, information technology, security evaluation, information security evaluation and certification

宝达. 基于国际标准CC 和CEM 的计算机系统信息安全性评估认证支持平台[J]. 信息安全研究, 2017, 3(7): 638-646.

参考文献

［1］Cheng J, Goto Y, Morimoto S, et al. A security engineering environment based on ISOIEC standards: Providing standard, formal, and consistent supports for design, development, operation, and maintenance of secure information systems［C］ Proc of the 2nd Int Conf on Information Security and Assurance. Los Alamitos, CA: IEEE Computer Society, 2008: 350354［2］Cheng J, Goto Y, Horie D. ISEE: An information security engineering environment［C］ Proc of Int Conf on Security and Cryptography. Milan, Italy: INSTICC Press, 2009: 395400［3］Common Criteria Recognition Arrangement. Common Criteria for Information Technology Security Evaluation: Version 3.1 Revision 5［EBOL］. ［20170510］. http:www.commoncriteriaportal.org［4］International Organization for Standardization. ISOIEC 15408: Information Technology—Security Techniques—Evaluation Criteria for IT Security［S］. Geneva: International Organization for Standardization, 2009［5］中国国家标准化管理委员会. GBT 18336信息技术—安全技术—信息技术安全性评估准则［S］. 北京: 中国标准出版社, 2015［6］Common Criteria Recognition Arrangement. Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5［EBOL］. ［20170510］. http:www.commoncriteriaportal.org［7］International Organization for Standardization. ISOIEC 18045: Information Technology—Security Techniques—Methodology for IT Security Evaluation［S］. Geneva: International Organization for Standardization, 2008［8］中国国家标准化管理委员会. GBT 30270信息技术安全技术信息技术安全性评估方法［S］. 北京: 中国标准出版社, 2013［9］Herrmann D S. Using the Common Criteria for IT Security Evaluation［M］. Washington, DC: CRC Press, 2002［10］Chen H, Bao D, Goto Y, et al. A supporting environment for IT system security evaluation based on ISOIEC 15408 and ISOIEC 18045［G］ LNEE 330: Computer Science and Its Applications. Berlin: Springer, 2014: 13591366［11］Chen H, Bao D, Gao H, et al. A security evaluation and certification management database based on ISOIEC standards［C］ Proc of the 12th Int Conf on Computational Intelligence and Security. Los Alamitos, CA: IEEE Computer Society, 2016: 249253［12］Bao D, Miura J, Zhang N, et al. Supporting verification and validation of security targets with ISOIEC 15408［C］ Proc of the 2nd Int Conf on Mechatronic Sciences, Electric Engineering and Computer. Piscataway, NJ: IEEE, 2013: 26212628

[1]	李东张德政. 企业活动目录域服务安全防护措施探讨[J]. 信息安全研究, 2021, 7(1): 95-100.
[2]	张放李朝伟张宁王上. 整机信创生态发展面临的问题及对策研究[J]. 信息安全研究, 2020, 6(10): 0-0.
[3]	刘强. 港口生产业务系统网络安全技术研究[J]. 信息安全研究, 2019, 5(8): 746-751.
[4]	王辉周忠锦王世晋史卓颖. 基于MLP深度学习算法的DGA准确识别技术研究[J]. 信息安全研究, 2019, 5(6): 495-499.
[5]	刘国伟张艺朱岩. 大数据时代网络安全技术的演进[J]. 信息安全研究, 2019, 5(5): 406-413.
[6]	景亮方晖蒋坚迪. 城市轨交AFC系统安全建设方案的设计与分析[J]. 信息安全研究, 2018, 4(1): 91-96.
[7]	闫靖晨. 基于 CC 的安全性规格形式化描述及验证方法[J]. 信息安全研究, 2017, 3(7): 617-623.
[8]	黄旗绅李留英. 网络空间信息内容安全综述[J]. 信息安全研究, 2017, 3(12): 1115-1118.
[9]	刘文. 信息安全审计问题与应用创新策略研究[J]. 信息安全研究, 2017, 3(10): 0-0.
[10]	罗森林. 网络空间安全对抗演练模型研究[J]. 信息安全研究, 2016, 2(8): 0-0.
[11]	吕欣. 大数据安全和隐私保护技术架构研究[J]. 信息安全研究, 2016, 2(3): 244-250.