Evaluation model for computer security software products based on ISO/IEC 15408 Common Criteria
DOI: https://doi.org/10.18046/syt.v9i19.1095
Keywords: Assessment model, Common Criteria, performance, levels, TOE, ST
Abstract
This article presents a model that enables software developers to evaluate their products under the ISO/IEC 15408 Common Criteria. The work starts with a risk analysis of several companies in Colombia, selected because of their obligation to comply with information security legislation; the unfavourable results demonstrate the need to implement the standard. From these results we developed a model in which the software is conceptualised as a TOE (Target of Evaluation) corresponding to an ICT (Information and Communications Technology) product, and is evaluated against an ST (Security Target) taken from the official Common Criteria portal, according to the security functions and assurance levels required, in order to identify shortcomings in compliance and to issue security recommendations for improvement.
License
This journal is licensed under the terms of the CC BY 4.0 licence (https://creativecommons.org/licenses/by/4.0/legalcode).