Consequently, six trust-level ratings were delineated, ranging from C1 (the lowest trust level) to A1 (the highest trust level). Besides the Orange Book, a series of books known as “the rainbow series” also gives trust-level details for networks and databases.
In the 1980s in the United Kingdom, similar developments were under way. For example, the Department of Trade and Industry noted the need for the delineation of criteria for trusted IT products and systems for the private sector. Consequently, the U.K.’s Commercial Computer Security Centre was charged with developing useful criteria in this regard, and in 1989 the “Green Books” containing such information were published. At about the same time, Germany and France published similar criteria, known respectively as the “Green Book” and the “Blue-White-Red Book.”
After their publication, the United Kingdom, France, Germany, and the Netherlands noted the considerable overlap present in the criteria in the various colored publications. They therefore decided to merge their efforts and produce just one set of criteria. This merger resulted in the 1991 publication of the Information Technology Security Evaluation Criteria (ITSEC). Two years later, ITSEC was complemented with a methodology for evaluation, published as the Information Technology Security Evaluation Manual (ITSEM). ITSEC has six assurance levels, with E1 representing the lowest level of assurance and E6 representing the highest level.
During the 1990s, ITSEC became the most successful computer security evaluation criteria because it had greater flexibility than the Orange Book and was cheaper and easier to use. By March 1998, the United Kingdom, France, Finland, Germany, Greece, the Netherlands, Norway, Portugal, Spain, Sweden, and Switzerland had signed an agreement stating that ITSEC certificates given by any of the certification bodies would be recognized by the remaining countries. Finally, the European and North American efforts were merged into the Common Criteria (CC). The CC were accepted as ISO standard 15408 in 1999.
See Also: Rainbow Series Books; Orange Book; Tiger Team or Sneakers.
See Common Criteria in Computer
(Common Criteria for Information Technology Security) An international standard process for defining security objectives and for evaluating compliance with those objectives. The Common Criteria have largely replaced the Trusted Computer Security Evaluation Criteria (TCSEC), the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) and the European Information Technology Security Evaluation Criteria (ITSEC). See NCSC.