{"created":"2023-05-15T15:29:16.500541+00:00","id":18924,"links":{},"metadata":{"_buckets":{"deposit":"ab7e8736-b195-4149-b277-ecf642db15b6"},"_deposit":{"created_by":15,"id":"18924","owners":[15],"pid":{"revision_id":0,"type":"depid","value":"18924"},"status":"published"},"_oai":{"id":"oai:sucra.repo.nii.ac.jp:00018924","sets":["94:429:431:432:955"]},"author_link":[],"item_113_alternative_title_1":{"attribute_name":"タイトル（別言語）","attribute_value_mlt":[{"subitem_alternative_title":"ISO/IEC 15408およびISO/IEC 18045に基づくITシステムのセキュリティ評価のための支援環境"}]},"item_113_biblio_info_9":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicIssueDates":{"bibliographicIssueDate":"2019","bibliographicIssueDateType":"Issued"}}]},"item_113_date_35":{"attribute_name":"作成日","attribute_value_mlt":[{"subitem_date_issued_datetime":"2020-03-02","subitem_date_issued_type":"Created"}]},"item_113_date_granted_20":{"attribute_name":"学位授与年月日","attribute_value_mlt":[{"subitem_dategranted":"2019-03-20"}]},"item_113_degree_grantor_22":{"attribute_name":"学位授与機関","attribute_value_mlt":[{"subitem_degreegrantor":[{"subitem_degreegrantor_name":"埼玉大学"}],"subitem_degreegrantor_identifier":[{"subitem_degreegrantor_identifier_name":"12401","subitem_degreegrantor_identifier_scheme":"kakenhi"}]}]},"item_113_degree_name_21":{"attribute_name":"学位名","attribute_value_mlt":[{"subitem_degreename":"博士(工学)"}]},"item_113_description_13":{"attribute_name":"形態","attribute_value_mlt":[{"subitem_description":"viii, 86 p.","subitem_description_type":"Other"}]},"item_113_description_23":{"attribute_name":"抄録","attribute_value_mlt":[{"subitem_description":"  The standardization of IT system security is always a common issue all over the world. The security of a system is only as strong as the weakest link. For software engineering, the link means each task in different process, such as design, implementation, test, operation, maintenance and so on. The whole security of IT systems can be guaranteed only when each task has been performed properly according to consistent standard.\n  ISO/IEC 15408 and ISO/IEC 18045 are a pair of international standards for information security evaluation. Rigorous evaluation based on the two ISO standards provides a unified way of comparisons among IT systems, such that the developers can rationally show the security strength of their products and the customers can easily choose suitable systems according to the evaluation results. ISO/IEC 15408 and ISO/IEC 18045 establish a trustworthy relationship with common basis among all stakeholders of the target system, wherefore ISO/IEC 15408 and ISO/IEC 18045 are widely used as national standard all over the world.\n  Security evaluation based on ISO/IEC 15408 and ISO/IEC 18045 is very complex. The whole security evaluation process can be summarized as evaluators receive the evaluation evidence from the developer performs the evaluation activities and provides the results of the evaluation assessment. Evaluators perform evaluation activities to verify whether the target system complies with ISO/IEC 15408 and ISO/IEC 18045. Although, two ISO standards have given a set of instructions to guide the evaluation activities and specified detailed procedures how to carry out those activities. It is not clear enough and difficult even for experienced evaluators to accomplish the security evaluation. The security evaluation process involves tens of documents and a wide variety of tasks. Such heavy work shall cost lots of time and complex evaluation activities may cause evaluators making mistakes. Moreover, to manage a lot of intermediate data in evaluation process is difficult even for experienced evaluators. It is also difficult to ensure that evaluation is fair and transparent. Although each evaluator tries to evaluate a target system earnestly, evaluation results may be different among evaluators because of evaluators' biases. These issues not only may result in consuming a lot of time, but also may affect the correctness, accuracy, and fairness of evaluation results. Thus, it is necessary to provide a supporting environment that supports all relevant tasks in the evaluation process to reduce the complexity of all evaluators' work and guarantee the quality of evaluation results at the same time. However, there is no such environment existing until now.\n  This thesis presents a supporting environment for IT system security evaluation based on ISO/IEC 15408 and ISO/IEC 18045 that integrates various supporting tools to perform a complete process of security evaluation on the target IT system. This supporting environment can provide facilities for evaluators to perform all tasks in the evaluation process in a guided order. This supporting environment can promote each task with locating the relevant contents in tens of documents and providing helpful information or functions for evaluators to determine whether these relevant contents are up to the standard. The supporting environment can provide facilities for evaluator to manage all evaluation-relevant documents, intermediate information and their reviews on the target systems during the evaluation.\n  To provide full facilities for performing the security evaluation process, we firstly analyzed the whole security evaluation process based on ISO/IEC 15408 and ISO/IEC 18045 and clarified 674 necessary evaluation tasks. We also clarified the procedure and detailed actions for each task. Under the consideration that tasks with similar procedural pattern can be supported by the same method, we then classified the detailed evaluation tasks into 7 groups according to the pattern in the procedures and proposed appropriate supporting methods for each group of evaluation tasks. According to these supporting methods, we designed and implemented each necessary supporting tool. Considering the complicated relationship among various evaluation tasks, we clarified the sequence of evaluation tasks and implement a supporting tool to guide evaluators perform all tasks in right order. We analyzed all evaluation-relevant documents, intermediate information and evaluators' reviews, and then designed matched formats to transfer these information into structured data that can be easily managed and used in the evaluation process.\n  We then evaluated the completeness, usability and efficiency of the evaluation supporting environment. We proposed an evaluation method to show the completeness of this supporting environment and evaluated it at design level and implementation level based on the method. We then discussed how this supporting environment is capable and useful to provide comprehensive facilities to perform all tasks in evaluation base ISO/IEC 15408 and ISO/IEC 18045. We also show the efficiency of this supporting environment by comparing the consumed time between evaluation with this supporting environment and a normal evaluation.","subitem_description_type":"Abstract"}]},"item_113_description_24":{"attribute_name":"目次","attribute_value_mlt":[{"subitem_description":"Abstract i\n\nAcknowledgements   iv\n\nList of figures   vii\n\nList of tables   viii\n\n1 Introduction   1\n1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n1.2 Related Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2\n1.3 Purpose and Objectives . . . . . . . . . . . . . . . . . . . . . . . . 3\n1.4 Structure of This Thesis . . . . . . . . . . . . . . . . . . . . . . . . 3\n\n2 Security Evaluation Based on ISO/IEC 15408 and ISO/IEC 18045   5\n2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\n2.2 ISO/IEC 15408 (Common Criteria) . . . . . . . . . . . . . . . . . . 5\n2.3 ISO/IEC 18045 (Common Evaluation Methodology) . . . . . . . . . 6\n2.4 Security Evaluation and Certification Based on ISO/IEC 15408 and ISO/IEC 18045  . . . . . . .  . . . . . . . . . . 7\n2.5 Difficulties in Security Evaluation Process . . . . . . . . . . . . . . 8\n\n3 Supporting Security Evaluation Process   10\n3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10\n3.2 Analyze and Clarify Evaluation Tasks Based on ISO/IEC 18045 . . 10\n3.3 Classify Detailed Evaluation Tasks Based on ISO/IEC 18045 . . . . 11\n3.4 Supporting Methods for Security Evaluation Process . . . . . . . . 14\n3.5 Documents in Security Evaluation Process . . . . . . . . . . . . . . 19\n3.6 XML Based Templates for Evaluation-Relative Documents . . . . . 20\n\n4 Supporting Environment for Security Evaluation   22\n4.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22\n4.2 Requirement Analysis of the Supporting Environment . . . . . . . . 22\n4.3 Design of Supporting Environment . . . . . . . . . . . . . . . . . . 23\n4.4 Development of Security Evaluation Database . . . . . . . . . . . . 26\n4.4.1 The Data Model for Evaluation-Relative Documents . . . . . 26\n4.4.2 The Implementation of Security Evaluation Database . . . . 26\n4.5 Development of Supporting Tools . . . . . . . . . . . . . . . . . . . 27\n\n5 Evaluation   32\n5.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32\n5.2 Evaluation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . 32\n5.3 Evaluation Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 33\n\n6 Conclusion   34\n6.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34\n6.2 FutureWorks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34\n\nPublications   36\n\nAppendixes   40\n\nA All Detailed Evaluation Tasks   41\nA.1 168 Detailed Tasks about\nEvaluation on Security Targets . . . . . . . . . . . . . . . . . . . . 41\nA.2 129 Detailed Tasks about\nEvaluation on Development Process . . . . . . . . . . . . . . . . . . 49\nA.3 11 Detailed Tasks about\nEvaluation on Guidance Document Process . . . . . . . . . . . . . . 57\nA.4 133 Detailed Tasks about\nEvaluation on Life-cycle Support Process . . . . . . . . . . . . . . . 59\nA.5 70 Detailed Tasks about\nEvaluation on Test Process . . . . . . . . . . . . . . . . . . . . . . . 68\nA.6 86 Detailed Tasks about\nEvaluation on Vulnerability Assessment Process . . . . . . . . . . . 72\nA.7 77 Detailed Tasks about\nEvaluation on Composition Process . . . . . . . . . . . . . . . . . . 80","subitem_description_type":"Other"}]},"item_113_description_25":{"attribute_name":"注記","attribute_value_mlt":[{"subitem_description":"指導教員 : 後藤祐一","subitem_description_type":"Other"}]},"item_113_description_33":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"subitem_description":"text","subitem_description_type":"Other"}]},"item_113_description_34":{"attribute_name":"フォーマット","attribute_value_mlt":[{"subitem_description":"application/pdf","subitem_description_type":"Other"}]},"item_113_dissertation_number_19":{"attribute_name":"学位授与番号","attribute_value_mlt":[{"subitem_dissertationnumber":"甲第1135号"}]},"item_113_identifier_registration":{"attribute_name":"ID登録","attribute_value_mlt":[{"subitem_identifier_reg_text":"10.24561/00018893","subitem_identifier_reg_type":"JaLC"}]},"item_113_publisher_11":{"attribute_name":"出版者名","attribute_value_mlt":[{"subitem_publisher":"埼玉大学大学院理工学研究科"}]},"item_113_publisher_12":{"attribute_name":"出版者名（別言語）","attribute_value_mlt":[{"subitem_publisher":"Graduate School of Science and Engineering, Saitama University"}]},"item_113_record_name_8":{"attribute_name":"書誌","attribute_value_mlt":[{"subitem_record_name":"博士論文（埼玉大学大学院理工学研究科（博士後期課程））"}]},"item_113_text_3":{"attribute_name":"著者 ローマ字","attribute_value_mlt":[{"subitem_text_value":"BAO, Da"}]},"item_113_text_31":{"attribute_name":"版","attribute_value_mlt":[{"subitem_text_value":"[出版社版]"}]},"item_113_text_36":{"attribute_name":"アイテムID","attribute_value_mlt":[{"subitem_text_value":"GD0001106"}]},"item_113_text_4":{"attribute_name":"著者 所属","attribute_value_mlt":[{"subitem_text_value":"埼玉大学大学院理工学研究科（博士後期課程）理工学専攻"}]},"item_113_text_5":{"attribute_name":"著者 所属（別言語）","attribute_value_mlt":[{"subitem_text_value":"Graduate School of Science and Engineering, Saitama University"}]},"item_113_version_type_32":{"attribute_name":"著者版フラグ","attribute_value_mlt":[{"subitem_version_resource":"http://purl.org/coar/version/c_970fb48d4fbd8a85","subitem_version_type":"VoR"}]},"item_access_right":{"attribute_name":"アクセス権","attribute_value_mlt":[{"subitem_access_right":"open access","subitem_access_right_uri":"http://purl.org/coar/access_right/c_abf2"}]},"item_creator":{"attribute_name":"著者","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"宝, 達","creatorNameLang":"ja"},{"creatorName":"ホウ, タツ","creatorNameLang":"ja-Kana"}]}]},"item_files":{"attribute_name":"ファイル情報","attribute_type":"file","attribute_value_mlt":[{"accessrole":"open_date","date":[{"dateType":"Available","dateValue":"2020-03-02"}],"displaytype":"detail","filename":"GD0001106.pdf","filesize":[{"value":"2.1 MB"}],"format":"application/pdf","licensetype":"license_note","mimetype":"application/pdf","url":{"label":"GD0001106.pdf","objectType":"fulltext","url":"https://sucra.repo.nii.ac.jp/record/18924/files/GD0001106.pdf"},"version_id":"fb4d64fc-e555-40de-b714-9bce83167f5b"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"eng"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourcetype":"doctoral thesis","resourceuri":"http://purl.org/coar/resource_type/c_db06"}]},"item_title":"Supporting Environment for IT System Security Evaluation based on ISO/IEC 15408 and ISO/IEC 18045","item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Supporting Environment for IT System Security Evaluation based on ISO/IEC 15408 and ISO/IEC 18045","subitem_title_language":"en"}]},"item_type_id":"113","owner":"15","path":["955"],"pubdate":{"attribute_name":"PubDate","attribute_value":"2020-03-02"},"publish_date":"2020-03-02","publish_status":"0","recid":"18924","relation_version_is_last":true,"title":["Supporting Environment for IT System Security Evaluation based on ISO/IEC 15408 and ISO/IEC 18045"],"weko_creator_id":"15","weko_shared_id":-1},"updated":"2023-06-23T02:08:42.894419+00:00"}