Computer systems security classes. International Standard ISO/IEC 15408

Table of contents:

Computer systems security classes. International Standard ISO/IEC 15408
Computer systems security classes. International Standard ISO/IEC 15408

Modern computer systems are equipped with certain ways to protect information from outsiders and intruders. Without it, it is impossible to imagine any program or a whole complex of information technologies. Security grades are essential for computer systems as more personal data and intellectual property find their way onto the web, and the degree to which it is protected directly impacts people's lives. In this regard, existing types of information protection should be considered.

General information

Thanks to the standardization and systematization of the requirements and characteristics of information complexes with protection, a system of national and international standards in the field of information protection and security has emerged, which includes more than a hundred documents. One of the main places in this system is the ISO standard. IEC 15408, otherwise known as Common Criteria.

computer security tool
computer security tool


The beginning of the creation of an international standard for safety assessment and safety classes began in 1990 by the International Organization for Standardization. The United States, Canada, Germany, England and France took part in the development. The development was carried out for a decade by the best specialists in the world, and more than once it was edited. The version 2.1 standard was approved on June 8, 1999. The general name of the Common Criteria, or "General criteria for assessing the security of information systems".

The "Common Criteria" created combined knowledge and experience in using the "Orange Book", advanced the European and Canadian system security criteria, and created a real framework for US federal criteria protection profiles.


The general provisions classify a wide range of requirements for computer security, define the structure of the grouping and how to use it. The main advantage of this system was the complete statement of security requirements and their ordering, flexibility in use and opportunities for further development. The world's leading technology manufacturers of the time immediately created and delivered to customers products that met the requirements of the common criteria.

computer security
computer security

They have been developed to satisfy the following groups of professionals: manufacturers, consumers of IT products andexperts in assessing the level of technology safety. The introduced standard has provided a basis for the selection of information products that must fulfill the requirements for functioning under a security threat, and serves as a basis for developers of security systems for these products. The technology for creating such systems and assessing the achieved level of security is also regulated.

With the introduction of criteria, information security is considered as a combination of the integrity and confidentiality of data that processes an information product, and sets the goal of protecting the product and countering threats that may be relevant in the operation of a particular product. It follows that the combined criteria include all parts of the design, creation and use of information products that operate under certain security threats.


The named ISO 15408 standard includes three parts:

  • Introduction and overview.
  • Functional security requirements.
  • Security assurance requirements.

From this list, it becomes clear that the general criteria provide for two types of requirements for information protection: functional and guaranteed. The former are related to security services, which include authentication, identification, access control, auditing, and more. Warranty includes technology development, testing, vulnerability analysis, operation, maintenance, etc.

safety criteriacomputer systems
safety criteriacomputer systems

All security classes and their requirements share a common style and are organized in a hierarchy. There may be dependencies between them, provided that the component's capabilities are insufficient to fulfill the security goal and another component is required.

Threat models

For the effective use and development of a security profile, in the process of its creation, an analysis of all threats that may be feasible against the technology of this group is performed. During this, threat models are compiled which include the following:

  • threat life cycle;
  • direction of the threat;
  • source;
  • at risk systems;
  • assets in need of protection;
  • methods and algorithms for implementing the threat;
  • possible problems;
  • risks and other aspects.
iso IEC 15408 standard
iso IEC 15408 standard

Design a threat model

It is not enough just to guess what dangers the system being created can expect. In addition, at present their number is huge and ensuring protection from all will require a lot of time and money. In this connection, a general list of possible hazards relevant to systems in a given area is established, on the basis of which criteria for determining the security of computer systems of this type will be established in the future.

orange book
orange book

The procedure for creating a threat model is similar to performing a risk analysis. So, in the process of describing threats from intentional human activity, the format is evaluatedsource by means of the threat implementation and the probability of its implementation.

Safety classes

The standard defines a security function as the part of a system that implements a subset of the rules of their security policy. Durability is added to a security function, a characteristic that communicates the minimum necessary impact on its security that would violate the function's security policy. Its meanings are as follows:

  • Basic. The function guarantees security against accidental violations, provided that the intruder has a low attack potential.
  • Average. Provides protection against targeted security breaches by attackers with a moderate attack rate.
  • High. Guarantees protection against planned and organized violations from attackers with a high level of skill.
data protection
data protection

There is also a separate scheme for determining the potential of an attack, which takes into account certain factors:

  1. When identifying a vulnerability:

      Time needed to identify the problem. The level of training required. Knowledge of the project and its operation. Software and other hardware.

  2. When using:

      Time spent using the problem. Level of preparation. Acquaintance with the project of functioning. Required software products.

Protection of computer systems is the main task of any software product responsible for computer security. At the same time, the quality of the performance of this function and information about the threats that the system can withstand have their own classification, approved in advance at the development stage. Thanks to this, computer security has high quality indicators.

Popular topic

Editor's choice

  • The PHP mail function: description, application features
    The PHP mail function: description, application features

    E-mail is an integral part of any modern project or business. Nowadays, speed and responsiveness are of great value, especially when it comes to customer feedback. This is a decisive factor that users consider when making purchases

  • Shareware - what is it List of programs, description of programming principles
    Shareware - what is it List of programs, description of programming principles

    Shareware has battled the stigma of misunderstanding for decades. While enterprise software giants can no longer ignore the marketing potential of a trial, small startups still struggle with new software challenges and costs

  • What is var in Pascal
    What is var in Pascal

    Variable var is a name that the user assigns to computer memory cells and uses to store values in a computer program. It defines the type of information stored, describes the format of the value of the occupied memory and methods for manipulating the content

  • Java library: creating, processing, working with files
    Java library: creating, processing, working with files

    Experienced Java developer has extensive knowledge of APIs including JDK, libraries for everyday projects including Log4j, JSON parsing, Jackson. The problem is that not all Java library designers think about their users, how the API will be used in practice, and how the code will look and be tested

  • Compression algorithms: description, basic techniques, characteristics
    Compression algorithms: description, basic techniques, characteristics

    Currently, processor processing power is increasing faster than storage capacity and network bandwidth. Therefore, in order to compensate for the increase in the amount of data, they compress them. The compressor uses an optimization algorithm of the appropriate type. For subsequent recovery, a decompressor with the opposite direction of the process is required