Information Technology Reference
In-Depth Information
State Analyzer,
• Security State Scope,
• Access Control Rules Scope,
• Security Criteria Scope,
• Security Criteria Manager,
• Security Flaws Explorer,
• Evaluation Reporter.
This seven join to the integrated evaluation framework called Safety Evaluation
Workshop, SEW (Fig. 4).
('
)*
&'
)*
!
)*
,
-
%
&'
%
+
. +
Fig. 4. SEW Structure
Automated Evaluation
For the selected type of the system (such as operating systems, firewalls, etc.) we
have to formulate three scopes, develop an automatic State Analyzer, interactive Se-
curity Criteria Manager, and Flaws Explorer. SPR and Evaluation Reporter are the
task-independent ones.
At first, system to be evaluated and the model having been implemented in the sys-
tem need to be specified in SPSL in the form of the scopes.
Security State Scope is delivered by the State Analyzer automatically. In Windows
2000 a special executable collects the system security state. In the Windows terms
this means that the State Analyzer gathers information about users, groups, their ac-
cess rights, registry entries values, etc.
Security Criteria Scope is interactively configured by evaluator. Security criteria
are the subjective one, because only person may estimate the value of information and
the constraints on its access. The special tool is used by evaluator to set the criteria,
the Security Criteria Manager. In Windows 2000 it is a special interactive dialog ap-
plication asking the evaluator for the security criteria, editing, and saving them.
Access Control Rules Scope, the only scope which is predefined, may be formu-
lated as the requirements of the security policy. The access control rule says when the
Search WWH ::




Custom Search