标准摘要
[中文适用范围]: 本技术报告为操作系统的安全评估提供了指导和标准。 它通过考虑 ISO/IEC 15408 评估中未涉及的操作系统的许多关键方面,扩展了 ISO/IEC 15408 的范围。 所需的主要扩展涉及对 TOE 周围操作环境的评估,以及将复杂操作系统分解为可以单独评估的安全域。 本技术报告提供了 a) 操作系统的定义和模型; b) 评估此类操作系统所需的 ISO/IEC 15408 评估概念扩展的描述; c) 对操作系统进行安全评估的方法和过程; d) 额外的安全评估标准,以解决 ISO/IEC 15408 评估标准未涵盖的操作系统方面的问题。 本技术报告允许将根据 ISO/IEC 15408 评估的安全产品纳入使用本技术报告作为整体评估的操作系统中。 本技术报告仅限于操作系统的安全评估,不考虑其他形式的系统评估。 它没有定义识别、评估和接受操作风险的技术。 [外文原描述]: ISO/IEC TR 19791:2006 provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated. ISO/IEC TR 19791:2006 provides a definition and model for operational systems;a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems;a methodology and process for performing the security evaluation of operational systems;additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria. ISO/IEC TR 19791:2006 permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using ISO/IEC TR 19791:2006. ISO/IEC TR 19791:2006 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.
英文名称Information technology - Security techniques - Security assessment of operational systems