13 What is the ITSEC (as opposed to the ITCSEC)? (Computer Security Evaluation)




Description

This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.

The Information Technology Security Evaluation Criteria (ITSEC)
is a European-developed set of criteria filling a role roughly
equivalent to the TCSEC. While the ITSEC and TCSEC have many
similar requirements, there are some important distinctions.
The ITSEC places increased emphasis on integrity and
availability, and attempts to provide a uniform approach to the
evaluation of both products and systems. The ITSEC also
introduces a distinction between doing the right job
(effectiveness) and doing the job right (correctness). In so
doing, the ITSEC allows less restricted collections of
requirements for a system at the expense of more complex and
less comparable ratings and the need for effectiveness analysis
of the features claimed for the evaluation. The question of
whether the ITSEC or TCSEC is the better approach is the
subject of sometimes intense debate. The ITSEC is available in
PostScript at
<http://www.radium.ncsc.mil/tpep/library/non-US/ITSEC-1.2.html>.

On 21 August 1995, the National Institute of Standards and
Technology (NIST) released a draft National Computer Systems
Laboratory (NCSL) Bulletin. This draft bulletin addresses the
relationship of low assurance products evaluated under the
TCSEC, ITSEC, and CTCPEC. In the case of the ITSEC, it is
recommended that, if an appropriate C2 rated product is not
available, ITSEC rated FC2/E2 products be used.

 
