PrepAway - Latest Free Exam Questions & Answers

Which of the following are the evaluation criteria most in use today for these types of purposes?

Lacy’s manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following are the evaluation criteria most in use today for these types of purposes?

A. ITSEC

B. Common Criteria

C. Red Book

D. Orange Book

Explanation:

B: The Common Criteria were created in the early 1990s as a way of combining the strengths of both the Trusted Computer System Evaluation Criteria (TCSEC) and the Information Technology Security Evaluation Criteria (ITSEC) while eliminating their weaknesses. These evaluation criteria are more flexible than TCSEC and more straightforward than ITSEC. Because they are recognized globally, the Common Criteria help consumers by reducing the complexity of the ratings and eliminating the need to understand the definition and meaning of different ratings within various evaluation schemes. This also helps manufacturers, because they can now build to one specific set of requirements if they want to sell their products internationally, instead of having to meet several different ratings with varying rules and requirements.

A is incorrect because ITSEC, or the Information Technology Security Evaluation Criteria, is not the most widely used. ITSEC was the first attempt by many European countries at establishing a single standard for evaluating security attributes of computer systems and products. Furthermore, ITSEC separates functionality and assurance in its evaluation, giving each a separate rating. It was developed to provide more flexibility than TCSEC, and addresses integrity, availability, and confidentiality in networked systems. While the goal of the ITSEC was to become the worldwide criteria for product evaluation, it did not meet that goal and has been replaced with the Common Criteria.

C is incorrect because the Red Book is a U.S. government publication that addresses security evaluation topics for networks and network components. Officially titled the Trusted Network Interpretation, the book provides a framework for securing different types of networks. Subjects accessing objects on the network need to be controlled, monitored, and audited.

D is incorrect because the Orange Book is a U.S. government publication that primarily addresses government and military requirements and expectations for operating systems. The Orange Book is used to evaluate whether a product contains the security properties the vendor claims it does and whether the product is appropriate for a specific application or function. The Orange Book is used to review the functionality, effectiveness, and assurance of a product during its evaluation, and it uses classes that were devised to address typical patterns of security requirements. It provides a broad framework for building and evaluating trusted systems with great emphasis on controlling which users can access a system. The other name for the Orange Book is the Trusted Computer System Evaluation Criteria (TCSEC).

One Comment on “Which of the following are the evaluation criteria most in use today for these types of purposes?”

  1. joe says:

    Common Criteria were created in the early 1990s as a way of combining the strengths of both the Trusted Computer System Evaluation Criteria (TCSEC) and
    Information Technology Security Evaluation Criteria (ITSEC) while eliminating their weaknesses. Eliminating the need to understand the definition and meaning of different ratings within various evaluation schemes.

    Orange Book is used to evaluate whether a product contains the security properties the vendor claims it does and whether the product is
    appropriate for a specific application or function.



