Evaluation of the security of components in distributed information systems
Publish date: 2003-01-01
Report number: FOI-R--1042--SE
Written in: English
A networked defense, and the networked information society, requires both trustworthy information systems and that users and societies trust these systems. Since the trustworthiness of systems depends on the level of IT security, the ability to assess the IT security ability is vital. Currently, there are no efficient methods for establishing the level of IT security in information systems. This far, most methods are targeted at parts of a system, this is a severe limitation since it rather is the system perspective that should be in focus. The main results produced by the efforts described in this report are: a survey of contemporary security assessment techniques for distributed information systems, a set of terms for the field of security assessment, a framework structuring the security evaluation process and enabling different aspects of the modeled system to be emphasized, a set of security functions needed in systems, based on the security functional requirements of the Common Criteria (CC, 1999), and a method using the set of security functions to assess the securability of distributed information systems.