04/30091043 DC : DRAFT DEC 2004
Superseded
A superseded Standard is one, which is fully replaced by another Standard, which is a new edition of the same Standard.
View Superseded by
ISO/IEC 19791 - INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - SECURITY ASSESSMENT OF OPERATIONAL SYSTEMS
30-06-2006
23-11-2012
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of this Technical Report
6 Technical approach
6.1 The nature of operational systems
6.2 Establishing operational system security
6.3 Security in the operational system lifecycle
6.4 Security assurance for operational systems
6.5 Relationship to other systems
6.6 Composite operational systems
7 Extending ISO/IEC 15408 evaluation concepts to
operational systems
7.1 Overview
7.2 General philosophy
7.3 Types of security controls
7.4 Additional evaluation requirements
7.5 Timing of evaluation
7.6 Use of evaluated products
7.7 Documentation requirements
7.8 Testing activities
7.9 Configuration management
8 Relationship to existing security standards
8.1 Overview
8.2 Relationship to ISO/IEC 15408
8.3 Relationship to non-evaluation standards
9 Evaluation of operational systems
9.1 Introduction
9.2 Evaluation roles and responsibilities
9.3 Risk assessment and determination of risk
tolerance threshold
9.4 Security problem definition
9.5 Security objectives
9.6 Security requirements
9.7 The system security target (SST)
9.8 Periodic reassessment
Annex A (normative) Operational system Protection Profiles and
Security Targets
A.1 Specification of System Security Targets
A.2 Specification of System Protection Profiles
Annex B (normative) Operational system functional control
requirements
B.1 Introduction
B.2 Class FOD: Administration
B.3 Class FOS: IT systems
B.3 Class FOA: User Assets
B.5 Class FOB: Business
B.6 Class FOP: Facility and Equipment
B.7 Class FOT: Third parties
B.8 Class FOM: Management
Annex C (normative) Operational system assurance requirements
C.1 Introduction
C.2 Class ASP: System Protection Profile evaluation
C.3 Class ASS: System Security Target evaluation
C.4 Class AOD: Operational system guidance document
C.5 Class ASD: Operational System Architecture, Design
and Configuration Documentation
C.6 Class AOC: Operational System Configuration Management
C.7 Class AOT: Operational System Test
C.8 Class AOV: Operational System Vulnerability Analysis
C.9 Class AOL: Operational system life cycle support
C.10 Class ASI: System security installation and delivery
C.11 Class ASO: Records on operational system
Bibliography
Committee |
IST/33
|
DocumentType |
Draft
|
PublisherName |
British Standards Institution
|
Status |
Superseded
|
SupersededBy |
ISO/IEC TR 15443-1:2012 | Information technology Security techniques Security assurance framework Part 1: Introduction and concepts |
ISO/IEC 21827:2008 | Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®) |
ISO/IEC 17799:2005 | Information technology Security techniques Code of practice for information security management |
ISO/IEC TR 15446:2017 | Information technology Security techniques Guidance for the production of protection profiles and security targets |
ISO/IEC 15408-1:2009 | Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |
ISO/IEC TR 15443-2:2012 | Information technology Security techniques Security assurance framework Part 2: Analysis |
Access your standards online with a subscription
Features
-
Simple online access to standards, technical information and regulations.
-
Critical updates of standards and customisable alerts and notifications.
-
Multi-user online standards collection: secure, flexible and cost effective.