A Security Policy Statements Generation Method for Development of Protection Profile

A Security Policy Statement Generation Method for PP Development

  • Jeong-Ho Ko (Department of Computer Information Technology, Yeungjin College) ;
  • Kang-Soo Lee (Division of Information Communication and Multimedia Engineering, Hannam University)
  • Published : 2003.08.01

Abstract

A Protection Profile (PP) is a statement of the common security functional requirements and detailed assurance requirements for a specific class of Information Technology security products, such as firewalls and smart cards. The TOE security environment part of a PP has to describe the assumptions, threats and security policies derived from an analysis of the purpose of the TOE. In this paper, we present a new method for deriving the security policy part of the TOE security environment in a PP. Our survey guides the writing of organizational security policy statements within the CC scheme: we collected and analyzed hundreds of real policy statements from certified and published PPs and from the CC Toolbox/PKB, which includes security policy statements for the DoD. From the results of the survey, we present a new list of generic organizational security policy statements and propose an organizational security policy derivation method that uses this list.

A Protection Profile (PP) can be regarded as a specification of the common security functional and assurance requirements for a specific class of products. In particular, the TOE (Target of Evaluation) security environment part of a PP must describe the assumptions, threats and security policies, based on an analysis of the physical environment of the TOE, the assets to be protected and the intended use of the TOE. This study presents a method for developing or writing the security policy portion of the security environment part of a PP. We surveyed and analyzed the standards and guidelines on security policy in the information security field to organize the underlying concepts related to security policy documents; we examined the security policy statements actually used in existing PPs, the security policy statements of the U.S. Department of Defense, and the functional and assurance requirement classes of the CC; and, on this basis, we propose a new list of generic security policy statements and a method for generating security policy statements using that list.
