RE: C2 security standards

From: Zuska, John (zuska.j@ic.grainger.com)
Date: 05/24/02


From: "Zuska, John" <zuska.j@ic.grainger.com>
To: "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Date: Fri, 24 May 2002 10:27:41 -0500

I found this information off of Sun's website.

"C2 Auditing, also called Controlled Access Protection, can produce a more
detailed audit report. The Department of Defense defined C2 auditing as part
of it's guidelines for various levels of computer security in the 1980's.
These requirements are outlined in the Orange Book or Trusted Computer
Systems Evaluation Criteria (TC-SEC). Security levels are listed starting
with D for the lowest, up to A1 for the highest. The National Computer
Security Center (NCSC) evaluates systems based on this criteria."

additionally the NCSC papers are availible here
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html
and
http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-005.html

-John Zuska
UNIX System Administrator
Grainger E-Business