EEMCS EPrints Service
Morali, A. and Zambon, Emmanuele and Houmb, S.H. and Sallhammar, K. and Etalle, S.
(2008)
Extended eTVRA vs. Security Checklist: Experiences in a Value-Web.
Technical Report TR-CTIT-08-62,
Centre for Telematics and Information Technology University of Twente, Enschede.
ISSN 1381-3625
There is a more recent version of this eprint available.
Abstract

Security evaluation according to ISO 15408 (Common Criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a Common Criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (Protection Profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider. The new SIM card should comply with Evaluation Assurance Level 4 or 4+ according to Common Criteria.
