[3385] in WWW Security List Archive
RE: Comparison of ITSEC scheme to Orange/Red book
daemon@ATHENA.MIT.EDU (Hamilton, Ed @ OTT)
Mon Oct 28 12:47:01 1996
From: "Hamilton, Ed @ OTT" <ehamilt@lmcda.lmco.com>
To: "'Www-Security@ns2.rutgers.edu'" <Www-Security@ns2.rutgers.edu>
Date: Mon, 28 Oct 96 09:54:00 EST
Errors-To: owner-www-security@ns2.rutgers.edu
Hi Jon,
I do not pretend to be an expert in the subject; however, this is my
read on the matter:
ITSEC EAL levels do not specifically correlate to the Rainbow series books,
nor was there any intention that they do.
The ITSEC EAL levels are a starting point for assisting in the security
level assessment of an object.
Protection Profiles are what specifically designate what level of security
an object requires. These protection profiles can be loosely translated
into equivalent Rainbow series requirements. It is key to understand that
Protection Profiles can specify requirements for different EAL levels. For
example, CM may be specified at EAL 2, while Development may be specified at
EAL 3.
Now, getting back to your main question, I believe that E-2 is the level at
which an equivalence to Discretionary Access Control is specified (I do not
know what the specific E-2 requirement is).
As long as the protection profile that you are developing to does not go
beyond the E-2 requirement for this item, you will be O.K.; however, you
must be aware of the Mandatory Access Control requirements as well, so that
you will understand when you cannot meet a specific protection profile.
I hope that others will correct the errors of my ways,
--- Ed.Hamilton@lmco.com
----------
From: Jon Tegethoff <jet@cypher-sage.com>
Date: Fri, 25 Oct 1996 15:21:55 -0500
------------------------------------------------------------------------------
Does anyone have any material or points that compare the ITSEC grades
to the Orange/Red Book grades?
I am especially interested in comparing "Discretionary Access Control" to its
ITSEC equivalent.
How equivalent is E-2 to C-2? Etc.?
Jon