
A Security Evaluation Model in Aspects of Product, Process and Control  

Lee Jieun (LG Electronics, Home Network Business Team)
Choi Byoungju (Ewha Womans University, Department of Computer Science)
Abstract
As the evaluation of information security has been an important issue, numerous security evaluation methods have been proposed. These methods can be broadly categorized into three aspects: product, process and control. In this paper we identify the problems that may occur when a one-sided security evaluation is conducted, that is, an evaluation on the aspect of product, process or control alone, present each with an actual example of a threat, and propose an approach to resolve each problem. Based on these approaches, we propose a security evaluation model that incorporates the three aspects of product, process and control.
Keywords
Evaluation Methodology; Security Product Evaluation; Security Evaluation Model