INFORMATION TECHNOLOGY SECURITY EVALUATION CRITERIA (ITSEC) - A CONTRIBUTION TO VULNERABILITY

On initiative of the Commission of the European Communities, the Information Technology Security Evaluation Criteria (ITSEC) are designed to provide a yardstick for the evaluation and certification of the security of IT systems. To improve the usefulness of resulting evaluations and certificates for procurers, users, and manufacturers the ITSEC are intended to undergo further extensive review. We discuss weaknesses, remaining questions, and possible improvements concerning the current version 1.2 of ITSEC. Our criticism focusses on the intended scope, the functionality aspects, the assessment of effectiveness and correctness, and problems arising after the evaluation of IT systems. Additionally, the ITSEC development and the accompanying discussion are criticized and improvements are proposed