GISA, the German Information Security Agency, recently awarded security approval to Tandem Computers Inc’s Guardian operating system on the basis of its Green Book classification (CI No 1,441). The Book is the first European attempt to address the problems that many companies face when they apply for US Orange Book classification, which is accused of being difficult to obtain and oriented towards military rather than commercial needs. The Agency says that the Green Book’s information security criteria have been developed for the evaluation of the degree of trust that can be placed in information technology systems.

The book and criteria are divided into six chapters. Chapter 1 introduces the objectives underlying the criteria, and focuses on the difficulties of evaluating the degree of trust that can be placed in a system. Chapter 2 lays the foundations that form the structure and content of security criteria, and it defines the three basic threats as loss of confidentiality, loss of integrity, and loss of availability. Chapter 3 introduces the basic security functions of secure systems. These are identification and authentication, administration of rights, verification of rights, audit, object reuse, error recovery, continuity of service, and data communications security. Chapter 4 describes the points to be satisfied by a mechanism for each security function in order to achieve an assurance rating, and these ratings relate to the degree of trust that can be placed in a mechanism. Chapter 5 describes 10 different classes of functionality. The first five describe the security policy derived from the Orange Book, and the rest show various security requirement combinations to be enforced by differing systems. The number of classes of functionality is not limited, so that future advanced systems can also be evaluated. Chapter 6 contains a detailed list of the criteria that enable the degree to which a system can be trusted to be rated.
The eight assurance levels are arranged hierarchically, and Q0 applies to those systems which do not meet the requirements of the higher levels. The principal features considered in rating are the quality of the security policy; the quality of the specification of the system components to be evaluated; the quality of the mechanisms used; the quality of the separation from system components not to be evaluated; the quality of the software development process; the quality of the operational behaviour; and the quality of the user documentation. The UK, Germany, and France are to publish jointly agreed security standards later this year, but copies of the Green Book may be obtained from GISA, which is based in Cologne. – Janice McGinn