COMMERCIAL IN CONFIDENCE

Transcription

1 Copy No. Doc Ref. 7163/T/1 Client Icelandic Data Protection Commission Project Title Icelandic Health Database Security Target for an Icelandic Health Database Date 22 January 2000 Review & Approval Issue: 1.0 R&A Number: 7163/RA/6 Originator: John Arnold Approval (PM): Gary Smith Approval (QAR): Paul Morrison Admiral Management Services Limited Kings Court High Street Camberley Surrey GU15 3RN Tel: (01276) Fax: (01276) Copyright Admiral Management Services 2000 COMMERCIAL IN CONFIDENCE Page 1 of 46

2 Contents 1 Introduction 1.1 General 1.2 Terminology 1.3 References 2 ST Introduction 2.1 Identification 2.2 Overview and Scope 2.3 CC Conformance 3 TOE Description 3.1 Overview of the TOE 4 Security Environment 4.1 Assumptions 4.2 Threats 4.3 Organisational Security Policies 5 Security Objectives 5.1 Security Objectives for the TOE 5.2 Security Objectives for the Environment 6 TOE Security Functional Requirements 6.1 Introduction 6.2 Security Audit 6.3 Cryptographic Support 6.4 User Data Protection 6.5 Statistical Database Security 6.6 Identification and Authentication 6.7 Management of Functions in TSF 6.8 Protection of the TOE Security Functions 6.9 TOE Access 7 TOE Security Assurance Requirements 7.1 Introduction 7.2 Assurance Requirements for the TOE 7.3 Assurance Requirements for the Environment 7.4 Strength of Function Requirement 8 TOE Summary Specification 8.1 TOE Security Features 8.2 Assurance Measures 9 Rationale 9.1 Security Objectives Rationale 9.2 Security Requirements Rationale 9.3 TOE Assurance Level Rationale 9.4 Environmental Assurance Level Rationale 9.5 Strength of Function Rationale COMMERCIAL IN CONFIDENCE Page 2 of 46

3 1 Introduction 1.1 General This document proposes a Security Target (ST) for use with the Common Criteria (CC, ISO 15408) An ST is a description of the security requirements for a particular IT system (or IT product). It describes the environment and purpose of the system, the threats against it and the security objectives of the system. It describes the system s security functional requirements (i.e. what the system must do). A ST must also describe the system s assurance requirements (i.e. how the system is to be developed and tested, so that those who rely upon the system can have confidence that it can be operated securely) A ST follows the standard format for STs defined in [CC] A system can be evaluated against its ST, to show that: a) the system behaves as claimed in the ST functional requirements b) the system was developed and tested such that users can have the stated degree of assurance that no security flaws remain undiscovered To summarise, a ST can act as: a) a means of stating security requirements and claims b) a baseline for system development c) a baseline for system evaluation. 1.2 Terminology This document uses the terminology of [CC]. Part 1 of the CC introduces some of the concepts underlying the CC and includes a glossary in section In this document, the present tense is used throughout The following terms and abbreviations are used in this ST. CC Common Criteria. CM Configuration Management. DGPH Director General of Public Health DMU Database Maintenance Unit. This is the party responsible for managing the IHD. DPC Data Protection Commission. An independent Icelandic agency. GL Genealogy Database. An external database dealing with genealogic information. GT Genotype Database. An external database dealing with individuals genetic makeup. H Health Database. The part of the IHD dealing with individuals health records. COMMERCIAL IN CONFIDENCE Page 3 of 46

4 IE Íslensk erfðagreining ehf, an Icelandic company that has applied for the license to create and operate the Icelandic Health Database. IES Identity Encryption Service. This is a body controlled by the DPC. It is responsible for encrypting personal identifiers during input of the H, GL and GT data sets. IHD Icelandic Health Database. The central database which stores medical records. IT Information Technology. MCHSD Monitoring Committee on the Health Service Database. A body appointed by the Minister of Health to ensure that the creation and operation of the IHD are in keeping with the terms of [Act] and associated regulations and conditions, in so far as this does not fall within the ambit of the DPC. MoH Ministry of Health. OLH PID PN Operating License Holder Personal Identification. This is any data field which is intended to be used for the purpose of individual identification. For instance, social security number. Personal Number. PN is a field in IHD records. Two records containing the same PN refer to the same person. PP Protection Profile. SF Security Function. SFP Security Function Policy. SOF Strength of Function. ST Security Target. TL Transfer Layer TOE Target of Evaluation. TSC TSF Scope of Control TSF TOE Security Functions. That part of the TOE which enforces security. TSP TOE Security Policy. 1.3 References [Act] Act on a Health Sector Database, Icelandic Parliament, Act No. 139/1998 [BS7799] BS7799:1999 Information Security Management, BSI, [CC] ISO/IEC :1999(E) Information Technology - Security Techniques - Evaluation Criteria for IT Security, Date: [DDXD.001] Technology, Security and Architecture: Concept and Requirements, IE, DDXD.001 Version 1.0, 31 August 1999 COMMERCIAL IN CONFIDENCE Page 4 of 46

5 [DDXD.002] Production and Operation of a Centralised Health Sector Database, IE, DDXD.002 Version 1.0, 31 August 1999 [Denning] Cryptography and Data Security, Dorothy Denning, Addison Wesley, 1982 [Keys] Selecting Cryptographic Key Sizes, Arjen K. Lenstra and Eric R. Verheul, October [Rowe] Diophantine Inference on a Statistical Database, Neil C. Rowe, Information Processing Letters, 18 (1984) COMMERCIAL IN CONFIDENCE Page 5 of 46

6 2 ST Introduction 2.1 Identification The title of this ST is Security Target for an Icelandic Health Database. 2.2 Overview and Scope This ST describes the security requirements of a database system being developed by the OLH. The system holds health information for the population of Iceland. The security requirements are primarily concerned with protecting information in the database from unauthorised disclosure, but are also concerned with the process of transferring data from the health institutions and selfemployed health workers to the database This ST is not concerned with ensuring the correctness, completeness or availability of the information stored in the database This ST gives rules for the management of medical data in the database. Data from GT and GL are covered in order to specify rules for joining with the medical database, for which separate permissions are required from the DPC. Note that the permissions to build the medical database and to join with other databases are covered by different licenses. Legal aspects of database joining are covered in [Act] Article 10, Paragraph Initial technical information about the TOE is given in [DDXD.001]. Higher level management and planning information is given in [DDXD.002]. These are English translations of IE s proposals as written in IE s application for the operating license, as required by [Act]. 2.3 CC Conformance This section comments on the level of conformance between this ST and the CC The ST is part 2 extended, that is, it includes functional requirements which are not derived from Part 2 of the CC The ST is part 3 extended, that is, it is based on a recognised evaluation level described in Part 3 of the CC, augmented by non-standard assurance components. The ST also includes non-standard assurance components for evaluating the non-it environment See Section 5.4 of the CC for more information about CC conformance statements. 3 TOE Description 3.1 Overview of the TOE COMMERCIAL IN CONFIDENCE Page 6 of 46

7 3.1.1 The TOE is the IHD, a database for storing and processing medical data for research purposes. This ST also covers the special processes for joining data from the IHD, GL and GT databases, although a separate license is required for using them. Data is held on the Icelandic population except for individuals who choose to abstain The database is derived from records stored by health institutions and self-employed health workers With permission form the DPC, the database can be crossreferenced (joined) to externally held databases containing genetic and genealogical information Individuals can choose not to have data recorded about them in the IHD. An abstainers list is maintained by the Director General of Public Health, which records identities of people who have so chosen. No information is held in the IHD for any individual whose identity appears in the abstainers list Data from all sources is anonymised by the IES before being input to the IHD. The IES also effects the abstainers list. The IES is managed by the DPC The DMU is the unit that manages the IHD. Its employees are the end-users of the IHD, who query the database on customers behalf Customers of research results generated by the use of the IHD are organisations such as pharmaceutical companies, research institutions, the Ministry of Health and the Director General of Public Health. They send queries to the end-users and receive responses back. They cannot access the IHD directly The MCHSD is appointed by the Minister of Health. It monitors the creation and operation of the database, insofar as this does not fall within the ambit of the DPC, with assistance from an interdisciplinary ethics committee and other independent experts as required. It is responsible for ensuring compliance with the rules it lays down, and (in conjunction with the DPC) controls the classes of query that can be processed by the database. COMMERCIAL IN CONFIDENCE Page 7 of 46

8 3.1.9 Figure 3.1 shows, at a high level, the organisations involved in the input and output of data. The health institutions and the general OLH environment are outside the scope of this ST, but the functionality of the Transfer Layer, when used within a suitable environment, is within the scope of the ST. See Section 8.1 for Health Institutions OLH H GL GT TL TL TL ST IES TL Abstainers List DGPH DMU Encrypted Data H GT GL Query Layer End- User Customer Admin Log MCHSD & Ethics Cttee Figure 3.1 Database Organisations DPC information about the Transfer Layer. 4 Security Environment 4.1 Assumptions The IHD is a statistical database. It will not give information about particular people, only about groups of people with common biological properties The IHD is used for research into many areas of medical science, such as: a) basic research into genetics and disease b) research into the relationship between genetics, diagnostics and treatment c) analysis of the cost of disease and treatment d) epidemiological studies. COMMERCIAL IN CONFIDENCE Page 8 of 46

9 4.1.3 It also generates Icelandic expertise in medical informatics, privacy protection of medical information and medical database design, which may be used in the future for consultancy in other projects The TOE runs in the following administrative domains (or environments): a) health institutions. These have the raw H data which is formatted, encrypted by the Transfer Layer, and passed to the IES. The health institutions must provide a suitable environment for the Transfer Layer to run, but that is outside the scope of this ST. The health institutions have been handling sensitive medical data on computer for some time already, and are approved by the DPC to do so b) the OLH (outside the DMU). This generates a crossreference to the external GT and GL data. The crossreference is encrypted by the transfer layer and passed to the IES. OLH s handling of raw data is outside the scope of this ST. Its support for the Transfer layer is within the scope of this ST c) the DMU. This has a highly secure environment in which the IHD runs. The DMU provides the physical hardware for the IHD as well as physical countermeasures and the staff to run them. d) the IES. This is a highly secure environment in which identity encryption takes place. Its management and staff are independent of the OLH and the DMU The DMU and IES environments are assumed to have adequate personnel, physical and procedural controls in place to support the secure running of the IHD. 4.2 Threats Agents The threat agents, who may wish to attack the TOE, are of several different types. They are categorised below according to the access they are given to the TOE: a) information provider staff. These are responsible for preparing the data for the IHD. The following types of information provider are envisaged: i) staff at health institutions who prepare H data ii) staff at the OLH who prepare the GT and GL databases, that can be cross-referenced to health data iii)staff of the Director General of Public Health who maintain the abstainers list COMMERCIAL IN CONFIDENCE Page 9 of 46

10 b) DMU staff. These are responsible for the day-to-day running and use of the IHD. This group includes the following - i) DMU Access Administrators (responsible for management of users, access controls and audit logs) ii) Operating System Administrators iii)database Administrators iv) Hardware Administrators v) End-users. These query the IHD via the QL in order to perform medical research. c) IES staff. These run the IES. These staff are classified into two groups: i) those who perform the normal functions of the IES (Normal IES users) ii) those responsible for management of users, access controls and audit logs (IES Access Administrators) d) members of the DPC and MCHSD. These are responsible for the following: i) monitoring queries to the IHD ii) in conjunction with the ethics committee, specifying the classes of query that each user can put to the database iii)monitoring compliance with this document e) health professionals at the DMU responsible for preprocessing H data. These clean the data with the aid of automated tools, for instance, removing duplicate records f) key custodians. These are responsible for supplying cryptographic keys to the crypto modules to allow the TOE to function. They are DPC employees g) persons without legitimate access to the TOE, such as Internet hackers. These may wish to damage the IHD or access sensitive data on it These classes must be kept separate. For instance, it must not be possible for a MCHSD member to be an end-user Assets The TOE must preserve the following assets: a) A_DHD any medical data within the TOE which can be related to the identity of the person the data applies to b) A_IESDATA operational data used inside the IES to restrict the set of individuals on which information is held in the IHD. COMMERCIAL IN CONFIDENCE Page 10 of 46

11 The TOE is concerned with the confidentiality of A_DHD, and the capacity to cross-reference it to external databases. The integrity and availability of this data is outside the scope of this ST By its nature, medical data remains sensitive for a long time after its creation. When choosing a key length for cryptographic operations, the OLH must consider not just the cryptanalytic technology that is currently available, but what may be developed in the forseeable future The TOE must make proper use of the A_IESDATA provided by the Director General of Public Health Attacks As well as the well-understood attacks of impersonation and gaining access to data without authorisation, this TOE is subject to some attacks which are unique to statistical databases These are referred to generically as statistical inference, which means processing statistical data, using techniques such as those described in Chapter 6 of [Denning], to violate privacy The computer security literature describes the following attacks, among others. This is not a complete list, and some of the attacks may not be applicable to the IHD, because of its static nature, and because of administrative controls: a) the tracker attack (Section of [Denning]). This involves padding queries so that they pass the query set size restriction, then subtracting out the effect of the padding b) the linear system attack (Section of [Denning]). This is a generalisation of the tracker attack and involves taking linear combinations of query results to reveal individual records c) the median attack (Section of [Denning]). The median statistic always returns information about a single record. The attack relies upon finding two query sets with one common record and the same median d) insertion and deletion attacks (Section of [Denning]). These involve inserting and deleting records to bypass query set size restrictions. These attacks are an issue when attackers can insert or delete individual records at will, which is not the case for this TOE e) diophantine attacks [Rowe]. This attack can be used when query sizes are small and the queryable statistics are based on some value which takes one of a small set of known values (such as integers). By solving a set of simultaneous diophantine equations it COMMERCIAL IN CONFIDENCE Page 11 of 46

12 is sometimes possible to disclose individual record values, given a single statistic f) averaging. This is an attack against data perturbation. It attempts to remove noise by averaging over many queries Threats The following are the threats against which the TOE must protect itself T_IMPERSONATE: an attacker may attempt to impersonate a legitimate TOE user and gain his privileges within the TOE without authorisation Anyone may attempt to perform this attack. Hackers may perform it out of curiosity; legitimate users may wish to gain additional privileges or to avoid being held accountable for their actions The effect of a successful attack would be a loss of accountability with TOE users T_DIRECT: an attacker may attempt to directly link data to the person it applies to and thereby effect an unauthorised disclosure To perform this attack in practice, it is necessary to have unencrypted access to personal data. This restricts attackers to the following categories: a) end-users, who access the database via statistical queries b) information provider staff, who have access to the records they are preparing. This is not considered an issue for this ST because these staff already have access to this data, and procedural measures ensure that they do not have access to both the data and the corresponding identifiers (i.e. names and addresses) c) preprocessor users, who have access to unencrypted data for preprocessing d) anyone who can impersonate the above The effect of a successful attack would be that embarrassing or damaging information about individuals would be made public, and confidence in the TOE would be lost T_STATISTIC: an attacker may attempt to statistically infer sensitive data about an identified individual To perform this attack in practice, it is necessary to have access to statistical queries over the database. This is only available to: a) end-users b) anyone who can impersonate the above. COMMERCIAL IN CONFIDENCE Page 12 of 46

13 Note that information provider staff do not have the capability to submit direct queries to the IHD The effect of a successful attack would be the same as for T_DIRECT T_FILTER: MCHSD staff may negligently or deliberately fail to properly define and control access to query classes. Clearly, this threat only applies to MCHSD staff The effect of a successful attack would be that it may become easier to perform T_STATISTICS attacks T_COMMS: an attacker may attempt to compromise the TOE s security by monitoring or tampering with communications over insecure lines This threat applies to anyone with access to the communications media used by the TOE. This applies particularly to telcos and their employees, but could potentially include anyone with Internet access The effect of a successful attack would be that sensitive data could be accessed before being input to the TOE, with a similar result to T_DIRECT T_AUDIT: following an attack, it may be impossible to detect the attack, or to trace it to its source. This threat is not related to a particular threat agent The effect of an audit failure would be to lessen the accountability provided by the TOE, and to reduce the deterrent against attacking the TOE T_ABSTAIN: the TOE may contain data about a person against his wishes. This threat is not related to a particular threat agent The result of this event would be to lessen confidence in the TOE. 4.3 Organisational Security Policies There are no organisational security policies. 5 Security Objectives 5.1 Security Objectives for the TOE The TOE has one principle security objective: a) OBT_PROT to protect personally identifiable data from disclosure The TOE also has some subsidiary security objectives: a) OBT_AUTH to verify the claimed identities of TOE users b) OBT_ABSTAIN to allow persons to choose not to have data recorded about them in the IHD c) OBT_COMMS to protect sensitive data in transit COMMERCIAL IN CONFIDENCE Page 13 of 46

14 d) OBT_AUDIT to keep records of TOE events and activities so that security abuses can be detected and traced to their origins. 5.2 Security Objectives for the Environment The security objectives of the TOE's environment are: a) OBE_ACCOUNT to provide a binding between IT entities (e.g. usernames, key certificates) and the real world entities (natural or corporate persons) corresponding to them b) OBE_ROLE to separate the roles of the TOE, so that, for instance, no one can simultaneously be (or have the privileges of) a MCHSD member and an end-user c) OBE_PHYSICAL to provide a physically secure environment for the DMU and IES d) OBE_SEPARATE to ensure that information providers during the information preparation process are not given access to identification data (e.g. name, address) and personal data for the same records e) OBE_PROCEDURE to provide users with guidelines on the secure use of the TOE so that they do not inadvertently compromise the TOE s security f) OBE_QUERY to ensure that permitted query classes of the TOE - i) are useful ii) conform to ethical criteria iii)do not allow statistical inference g) OBE_TRUST to ensure that privileged users (DMU, IES and MCHSD staff) can be trusted not to abuse their capabilities within the TOE. COMMERCIAL IN CONFIDENCE Page 14 of 46

15 6 TOE Security Functional Requirements 6.1 Introduction This chapter specifies the functional requirement components of this ST. Most of these components are taken from the CC Part 2 (e.g. FAU_ARP.1 Security Alarms), in which case their elements are quoted in full, subject to the following conventions: a) the results of permitted operations (on the text) are given in square brackets [] b) in some cases the wording has been slightly changed (without changing the meaning) in order to preserve correct English syntax Requirement components that augment or replace those from the CC Part 2 have identifiers beginning with "ST_". For example, ST_ABST (see below). 6.2 Security Audit FAU_ARP.1 Security Alarms The TSF shall [inform an access administrator] upon detection of a potential security violation FAU_GEN.1 Audit Data Generation The TSF shall be able to generate an audit record of the following auditable events: a) start-up and shut-down of the audit functions b) all auditable events for the [detailed] level of audit The TSF shall record within each audit record at least the following information: a) data and time of the event, subject identity, and the outcome (success or failure) of the event b) for each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [the information given below Note: for this TOE, the detailed level of audit includes the following: a) actions due to imminent security violations [FAU_ARP.1] b) enabling and disabling of any audit analysis mechanisms, and any automated responses performed by the tool [FAU_GEN] c) failed or successful attempts to read audit records, with search parameters used [FAU_SAR] COMMERCIAL IN CONFIDENCE Page 15 of 46

16 d) modifications to the audit configuration that occur while the audit collection functions are operating [FAU_SEL.1] e) actions taken due to audit storage failure [FAU_STG.4] f) success and failure of cryptographic operations (excluding any sensitive cryptographic material) [FCS] g) all attempts to perform an operation on an object covered by the access control SFP, with the specific security attributes used to perform the check [FDP_ACF.1] h) all attempts to transfer data between physically separated parts of the TOE, including any errors that occurred and actions taken upon detection of an error [FDP_ITT] i) all queries received by the MCHSD, with the complete query, the customer s identity, the query class and: i) for accepted queries, the statistical inference control parameters used ii) for rejected queries, the error message returned to the user [ST_PERT], [ST_QUERY_SIZE], [ST_SUBSET] j) changes to the default or minimum/maximum allowed values for statistical inference control parameters [ST_PERT], [ST_QUERY_SIZE], [ST_SUBSET] k) addition, update and deletion of database records by the Transfer Layer l) reading, addition, update and deletion of database records by the pre-processor users m) rejection or deletion of records because of the abstainers list [ST_ABSTAIN] n) creation, deletion and modification of query classes [ST_QCLASS] o) changes to access permissions for a query class, including the original and final permissions [ST_QCLASS] p) blacklisting and resetting of accounts [FIA_AFL.1] q) acceptance or rejection by the TSF of any tested secrets (no sensitive data to be audited) [FIA_SOS] r) any changes to the defined quality metrics [FIA_SOS] s) all use of authentication mechanisms, with detailed reasons for any failures [FIA_UAU] t) all use of the user identification mechanism, including the user identity provided [FIA_UID] u) all modifications to the values of security attributes [FMT_MSA.1] COMMERCIAL IN CONFIDENCE Page 16 of 46

17 v) modifications to the rules or parameters for setting initial values [FMT_MSA.3] w) all modifications to the values of TSF data, including rejections [FMT_MTD] x) specification of expiration times [FMT_SAE] y) modification of the group of users in a role [FMT_SMR] z) use of the rights of a role [FMT_SMR] aa) execution of tests of the underlying machine and results of those tests [FPT_AMT] bb) if possible, the impossibility to return to a secure state after failure of a security function [FPT_RCV.4] cc) changes to the time [FPT_STM] dd) execution of TSF self tests and results of the tests [FPT_TST.1] ee) rejection of a new session based on the limitation of multiple concurrent sessions [FTA_MCS] ff) locking of an interactive session by the session locking mechanism [FTA_SSL] gg) any attempts at unlocking an interactive session [FTA_SSL]] FAU_GEN.2 User Identity Association The TSF shall be able to associate each auditable event with the identity of the user that caused the event FAU_SAA.1 Potential Violation Analysis The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP The TSF shall enforce the following rules for monitoring audited events: a) accumulation or combination of [queries to the IHD, particularly repeated queries to a fixed subset] known to indicate a potential security violation b) [creation, deletion or modification of database records by the database administrator c) creation, modification, deletion, re-ordering and replay of data in transit between physically separate parts of the TOE d) repeated authentication failures] FAU_SAR.1 Security Audit Review The TSF shall provide [MCHSD and DPC users] with the capability to read [all information] from the audit records. COMMERCIAL IN CONFIDENCE Page 17 of 46

18 The TSF shall provide the audit records in a manner suitable for the [MCHSD and DPC user] to interpret the information ST_AUDIT The TSF shall not record any information in the audit records that could lead to disclosure of personally identifiable data FAU_SAR.2 Restricted Audit Review The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access FAU_SAR.3 Selectable Audit Review The TSF shall provide the ability to perform [searches] of audit data based on [any combination of the following: a) user responsible b) event type c) date and time interval, time of day, day of the week d) attributes and numbers of records retrieved by queries e) query and response text] FAU_SEL.1 Selective Audit The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes: a) [event type] FAU_STG.1 Protected Audit Trail Storage The TSF shall protect the stored audit records from unauthorised deletion The TSF shall be able to prevent modifications of the audit records FAU_STG.4 Prevention of Audit Data Loss The TSF shall [prevent auditable events, except those requested by an authorised Access Administrator] if the audit trail is full. 6.3 Cryptographic Support FCS_CKM.1 Cryptographic Key Generation The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm and specified cryptographic key sizes that meet the following: a) [when a random number generator is used in the key generation process, all values shall be generated randomly or pseudo-randomly such that all possible COMMERCIAL IN CONFIDENCE Page 18 of 46

19 combinations of bits and all possible values are equally likely to be generated b) A seed key, if used, shall be entered in the same way as cryptographic keys c) intermediate key generation states and values shall not be accessible outside of the module in plain text or otherwise unprotected form] FCS_CKM.2 Cryptographic Key Distribution The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method that meets the following: a) [a secure cryptographic key negotiation protocol shall be used] FCS_CKM.3 Cryptographic Key Access The TSF shall perform [input, output and storage] in accordance with a specified cryptographic key access method that meets the following: a) [keys shall be stored either encrypted or in a hardware cryptographic module b) access to update or enter in the keys shall be restricted to the authorised key custodian c) manually distributed secret and private keys shall not be entered into or output from a cryptographic module in plain text form. Rather, they shall be entered either: i) encrypted ii) via a smartcard iii)using split knowledge procedures (i.e. as two or more plain text key components). In this case, the module shall have the capability to separately authenticate the two users involved. The key components shall be entered directly into the module or output directly from it, without travelling through any enclosed or intervening systems where components could be stored, combined or otherwise processed d) electronically distributed secret and private keys shall be entered and output in encrypted form] FCS_CKM.4 Cryptographic Key Destruction The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method that meets the following: a) [all unprotected cryptographic modules used shall provide the capability to zeroise all plain text cryptographic keys and other sensitive material within the module] COMMERCIAL IN CONFIDENCE Page 19 of 46

20 6.3.5 FCS_COP.1 Cryptographic Operation The TSF shall perform [encryption] in accordance with a specified cryptographic algorithm [conforming to current best cryptographic practice] and cryptographic key sizes that meet the following: a) [the strength of function requirement for the TOE]. 6.4 User Data Protection Introduction This section outlines the access control policy to be adopted for user data (in this case, medical records and cross-references to other databases) in the TOE. First, the different classes of user and data are identified. Then, the access allowed between these is defined The user classes distinguished for this policy are those of Paragraph The classes of data distinguished for this policy are as follows: a) D_PN: personal identification data b) D_PM: personal medical data (less any personal identification data) c) D_CR: cross-references to the GT and GL databases d) D_AB: the abstainers list The identifiers above refer to unencrypted data only. Encrypted data is countered in this ST as system data and is covered under the FPT_* security function requirements The following are the types of access that can be provided to data: a) R: general read access b) RP: read access during preparation c) W: write access via batch files d) Q: access via authorised classes of statistical queries The following table defines the access allowed between users and data. COMMERCIAL IN CONFIDENCE Page 20 of 46

21 Table 6.1 Access Control SFP User Class D_PN D_PM D_CR D_AB Information Providers at OLH RP W Information Providers at RP W health institutions Information providers at the RP DGPH Key Custodians DMU access administrators System administrators Database administrators Hardware administrators IES normal users IES access administrators Pre-processor users RW MCHSD/DPC members End-users Q Q W FDP_ACC.2 Complete Access Control The TSF shall enforce the [access control SFP] on [the data items identified in the SFP] and all operations among subjects and objects covered by the SFP The TSF shall ensure that all operations between any subject in the TSC and any object within the TSC are covered by the access control SFP FDP_ACF.1 Security Attribute Based Access Control The TSF shall enforce the [access control SFP] to objects based on [the role of the user requesting the access and the type of the data being accessed] The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: a) [see Table 6.1] The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: a) [none] The TSF shall explicitly deny access of subjects to objects based on the [following additional rules: a) none] FDP_ITT.1 Basic Internal Transfer Protection The TSF shall enforce the [access control SFP] to prevent the [disclosure] of user data when it is transmitted between physically-separated parts of the TOE. COMMERCIAL IN CONFIDENCE Page 21 of 46

22 6.4.5 FDP_ITT.3 Integrity Monitoring The TSF shall enforce the [access control SFP] to monitor user data transmitted between physically-separated parts of the TOE for the following errors: a) [modification b) deletion c) reordering d) replay.] Upon detection of a data integrity error, the TSF shall: a) [terminate the connection] FDP.RIP.2 Full Residual Information Protection The TSF shall ensure that any previous information content of a resource is made unavailable upon the [deallocation of the resource from] all objects ST_ABST Abstaining The TSF shall contain an abstainers list specifying persons who have chosen to abstain from participation in the IHD No data shall be stored in the IHD relating to any identity that occurs in the abstainers list The abstainers list shall be stored in encrypted form so that it is impossible to determine who is on the list. 6.5 Statistical Database Security Introduction This section specifies the countermeasures to be taken to protect the data in the IHD from statistical inference attacks. These countermeasures will be under constant development and evaluation in collaboration with the DPC and MCHSD, to ensure protection of privacy and, as far as possible, the usability of the TOE For more information on the rationale for these countermeasures, see the literature on computational disclosure control and statistical inference control, e.g. the following sections in [Denning]: a) for ST_PERT, see b) for ST_QUERY_SIZE, see c) for ST_SUBSET, see ST_QCLASS Query Classes A query class is a subset of the queries that can be posed to the TOE, specified in terms of: a) the characteristics of the records selected by the query COMMERCIAL IN CONFIDENCE Page 22 of 46

23 b) the statistical operations performed on the selected records c) the allowed values of the statistical inference control parameters for the query The DPC shall have the sole capability to approve the creation, deletion and amending of query classes The MCHSD shall have the sole capability to specify which end-users may run which query classes Each query submitted by an end-user shall be permitted only if it matches one of the query classes permitted to that end-user. If the query is not permitted it shall not be run ST_PERT Data Perturbation The TSF shall temporarily perturb data attribute values before calculating statistics from them Each query class shall specify allowed values for the following statistical inference control parameters: a) the form of perturbation used b) the size of the perturbation c) other relevant parameters depending upon the form of perturbation used, e.g. the variance of added noise ST_QUERY_SIZE Query Set Size Restriction For each statistical result returned by the TSF, the number of records on which the result is based shall be calculated, along with the complement (i.e. the number of records not used in calculating the result). If either number is less than the minimum query set size for the query class, then the query shall terminate and no statistical information shall be returned The minimum query set size shall be a statistical inference control parameter for each query class ST_STATS Statistical Data Only The TSF query facility shall not allow end-users direct access to values of attributes The TSF query facility shall return only the following classes of information to end-users: a) counts and relative frequencies of records satisfying end-user-specified criteria b) means and variances (of numerical or date attributes of records satisfying end-user-specified criteria) The types of statistics calculated shall be a statistical inference control parameter for each query class. COMMERCIAL IN CONFIDENCE Page 23 of 46

24 6.5.7 ST_SUBSET Operating on a Subset of the Database The TSF shall perform queries upon a sample of the complete IHD. The sample shall be chosen unpredictably, either randomly or pseudorandomly The proportion of records included shall be a statistical inference control parameter for each query class. 6.6 Identification and Authentication FIA_AFL.1 Authentication Failure Handling The TSF shall detect when [3] unsuccessful authentication attempts occur related to [logon] When the defined number of authentication attempts has been met or surpassed, the TSF shall [blacklist the user so that no further logins by him are possible, until an authorised Access Administrator has reset his account] FIA_ATD.1 User Attribute Definition The TSF shall maintain the following set of security attributes belonging to individual users: a) [name b) contact details c) contract details for access to the IHD d) authentication information e) permitted login times and locations f) time of last successful login g) number of unsuccessful login attempts since last successful login h) blacklist status] FIA_SOS.1 Verification of Secrets The TSF shall provide a mechanism to verify that [passwords] meet [the following requirements: a) passwords must have a length of at least 16 characters b) passwords must contain at least one lower case alphabetic, at least one upper case alphabetic, and at least one numeric] ST_FIRST_PW Confidentiality of Secrets Authentication secrets shall be protected against discovery by all TOE users A user s initial password shall be generated randomly by the TOE The initial password shall not be shown to the creating user, but shall be printed on a tamper-evident envelope such that the password cannot be seen without visibly opening the envelope. COMMERCIAL IN CONFIDENCE Page 24 of 46

25 6.6.5 FIA_UAU.2 User Authentication before any Action The TSF shall require each user to be successfully authenticated before allowing any TSF-mediated actions on behalf of that user FIA_UAU.4 Single-use Authentication Mechanisms The TSF shall prevent reuse of authentication data related to [the user s token] FIA_UAU.5 Multiple Authentication Mechanisms The TSF shall provide [passwords and tokens] to support user authentication The TSF shall authenticate any user s claimed identity according to: a) [his knowledge of his password b) his possession of his token c) a biometric aspect of the user allowing reliable authentication] FIA_UAU.7 Protected Authentication Feedback The TSF shall provide only [echoing a fixed character while entering a password] to the user while the authentication is in progress FIA_UID.2 User Identification before any Action The TSF shall require each user to identify himself before allowing any TSF-mediated actions on behalf of that user FIA_USB.1 User Subject Binding The TSF shall associate the appropriate user security attributes with subjects acting on behalf of that user. 6.7 Management of Functions in TSF FMT_MOF.1 Management of Security Functions Behaviour The TSF shall restrict the ability to [modify the behaviour of] the functions [of the TSF as follows: a) maintenance of the rules for detecting a potential security violation - access administrator [FAU_SAA] b) maintenance of the criteria for audit selection - access administrator [FAU_SEL] c) selecting the methods used to protect data during transmission - access administrator [FDP_ITT.1] d) resetting blacklisted users - access administrator [FIA_AFL] e) creation and deletion of users - access administrator [FIA_ATD] f) management of user tokens - access administrator [FIA_SOS] COMMERCIAL IN CONFIDENCE Page 25 of 46

26 g) management of user identities - access administrator [FIA_UID] h) managing the expiration times for tokens and passwords - access administrator [FMT_SAE] i) managing the TSF self-test functions - system and database administrators [FPT_TST] j) hardware and network infrastructure management - hardware administrator k) general operating system management, backup and restore - system administrator l) general database management - database administrator m) management of cryptographic keys - key custodian] FMT_MSA.1 Management of Security Attributes The TSF shall enforce the [access control SFP] to restrict the ability to [modify] the security attributes to: a) [the roles to which users are assigned, and the rules they must satisfy - access administrator [FDP_*] b) the current time - access or system administrators [FPT_STM] c) the maximum allowed number of concurrent user sessions by a user - access administrator [FTA_MCS] d) the duration of user inactivity after which lock-out occurs (both for an individual user, and the default) - access administrator [FTA_SSL] e) the access banner - access administrator [FTA_TAB]] FMT_MSA.3 Static Attribute Initialisation The TSF shall enforce the [access control SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP The TSF shall allow the [Access Administrators] to specify alternative initial values to override the default values when an object or information is created FMT_MTD.1 Management of TSF Data The TSF shall restrict the ability to modify the [configuration data of the TSF] to [authorised users as follows: a) TOE-wide restrictions on the values of statistical inference control parameters - MCHSD members [ST_PERT] [ST_QUERY_SIZE] [ST_STATS] [ST_SUBSET] b) authentication retry limit - access administrator [FIA_AFL] COMMERCIAL IN CONFIDENCE Page 26 of 46

27 c) user attributes (name, contact details, contract details, permitted login times) - access administrator [FIA_ATD] d) the quality metric used for user secrets - access administrator [FIA_SOS] e) audit logs - MCHSD members] FMT_MTD.3 Secure TSF Data The TSF shall ensure that only secure values are accepted for TSF Data FMT_SAE.1 Time-limited Authorisation The TSF shall restrict the capability to specify an expiration time for [passwords and tokens] to [the authorised Access Administrator] For each of these security attributes, the TSF shall be able to [forbid the owner from logging on] after the expiration time for the indicated security attribute has passed FMT_SMR.2 Restrictions on Security Roles The TSF shall maintain the roles: a) [IES access administrator b) DMU access administrator c) system administrator d) database administrator e) hardware administrator f) key custodian] The TSF shall be able to associate users with roles The TSF shall ensure that the following conditions are satisfied: a) [that the database administrator must be authorised to logon each time by the access administrator b) that the database administrator cannot access the operating system or security configuration data c) that the system administrator cannot access the database or security configuration data d) that the access administrator cannot access nonsecurity-related database or operating system data]. 6.8 Protection of the TOE Security Functions FPT_AMT.1 Abstract Machine Testing The TSF shall run a suite of self tests [during initial start-up] to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF. COMMERCIAL IN CONFIDENCE Page 27 of 46

28 6.8.2 FPT_RCV.4 Function Recovery The TSF shall ensure that [hardware or operating systems failures, network failures and applications failures] have the property that the SF either completes successfully, or for the indicated failure scenarios, recovers to a consistent and secure state FPT_RVM.1 Non-bypassability of the TSP The TSF shall ensure that the TSP enforcement functions are invoked and succeed before each function within the TOE is allowed to proceed FPT_SEP.3 TSF Domain Separation The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects The TSF shall enforce separation between the security domains of subjects in the TSC FPT_STM.1 Reliable Time Stamps The TSF shall be able to provide reliable time stamps for its own use FPT_TST.1 TSF Testing The TSF shall exercise a suite of self tests at the request of the authorised administrators to demonstrate the correct operation of the TSF The TSF shall provide the authorised administrators with the capability to verify the integrity of TSF data The TSF shall provide the authorised administrators with the capability to verify the integrity of stored TSF executable code. 6.9 TOE Access FTA_MCS.1 Basic Limitation on Multiple Concurrent Sessions The TSF shall restrict the maximum number of concurrent sessions that belong to the same user The TSF shall enforce, by default, a limit of [1] sessions per user FTA_SSL.1 TSF-initiated Session Locking The TSF shall lock an interactive session after [20 minutes of inactivity] by: a) clearing or overwriting display devices, making the current contents unreadable b) disabling any activity of the user s data access/display devices other than unlocking the session. COMMERCIAL IN CONFIDENCE Page 28 of 46

29 The TSF shall require the following events to occur prior to unlocking the session: [re-authentication] FTA_SSL.2 User-initiated Locking The TSF shall allow user-initiated locking of the user s own interactive session, by: a) clearing or overwriting display devices, making the current contents unreadable b) disabling any activity of the user s data access/display devices other than unlocking the session The TSF shall require the following events to occur prior to unlocking the session: [re-authentication] FTA_TAB.1 Default TOE Access Banners Before establishing a user session, the TSF shall display an advisory warning message regarding unauthorised use of the TOE FTA_TAH.1 TOE Access History Upon successful session establishment, the TSF shall display the [date, time and location] of the last successful session establishment to the user Upon successful session establishment, the TSF shall display the [date, time and location] of the last unsuccessful session establishment and the number of unsuccessful attempts since the last successful session establishment The TSF shall not erase the access history information from the user interface without giving the user an opportunity to review the information. COMMERCIAL IN CONFIDENCE Page 29 of 46