TCSEC (Orange Book) Definition
TCSEC stands for (Trusted Computer System Evaluation Criteria), commonly known as (Orange Book), which describes the properties that systems must meet to contain sensitive or classified information. The NCSC developed this criterion, a branch of the NSA, in 1983 and then updated in 1985. The development of the international standard “Common Criteria” published in 2005 replaced it.
TCSEC established the essential requirements and standards to evaluate the effectiveness of computer security controls built into a system. The use of this manual is to determine, catalog and also select computer systems dedicated to the process, storage. Also recovery of sensitive or classified information.
Features of TCSEC
The book is a gem today, and it is still curious to have a look and, undoubtedly, yet very useful. According to this treaty, security policies must be explicit, well defined and also applied exclusively for the computer system in question.
- Considering the three security policies as basic: mandatory, trademark, and discretionary.
- Responsibility is another leg of the fundamental objectives since there must be a secure means for ensuring the access of an authorized and competent agent who can evaluate the account information within a reasonable time and without undue difficulties, all under three requirements: identification, authentication, and audit.
- Also, the manual highlights the software and hardware assurance and the documentation process as two of the essential formalities.
- TCSEC (Orange Book) is a myth in the world of computer security and the hacking world of the eighties and nineties.
- TCSEC was one of the first models to evaluate information systems in terms of increasing security.
Different Classes of TCSEC (Orange Book)
TCSEC defines seven sets of evaluation criteria called classes:
Division A: Verified protection.
- After A1: Beyond current technology.
- Class A1: Verified design In practice, it is the same as level B3, but security must be defined in the system analysis phase.
Division B: Mandatory protection.
- Class B3: Security domains the systems must be designed to be highly resistant to the entry of unauthorized persons.
- B2 Class: structured Protection Systems must be designed to be resistant to access by unauthorized persons.
- Class B1: Qualified security protection. Equivalent to level C2 but with greater individual protection for each file.
Division C: Discretionary protection.
- Class C2: Controlled access protection. Controlled access to the SI. And also, it Logs and system audit files.
- Class C1: Discretionary security protection and Limitations of data access.
Division D: Minimum protection. Without security.