20 Is there a criteria for commercial (as opposed to military) systems? (Computer Security Evaluation)
Description
This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.
20 Is there a criteria for commercial (as opposed to military) systems? (Computer Security Evaluation)
The Trusted Product Evaluation Program (TPEP) is prohibited by
the Computer Security Act of 1987 from attempting to directly
address the needs of commercial systems. The TPEP does not
subscribe, however, to the often loudly espoused belief that
the requirements of military systems are entirely divorced from
the requirements of commercial systems. It seems reasonable to
believe that commercial computer system users require many of
the same basic features of military systems: identification and
authentication of the users requesting information or service
from the system; ability to audit the actions of users; and
control of access to information, both at the discretion of the
information owner and by corporate policy. Because the TCSEC
couched its requirements in terms of DoD classifications, many
people have not thought about applying them to similar needs
for mandatory controls on protected information pertaining to
product development, marketing, and personnel decisions. It is
one of the aims of the Common Criteria to provide criteria that
use more general terminology.
Continue to:
My Books
