1.2. Regulatory documents in the field of information security

Obviously, different systems provide varying degrees of information security depending on the tasks they face or the skills of their developers. In order to formulate the basic requirements for information systems, to introduce their classification from a security point of view, standards in the field of computer security were developed by various international and national institutions. Examples of such standards include the Computer Security Evaluation Criteria of the National Computer Security Committee of the USA (“Orange Book”), harmonized criteria of European countries, international standard ISO / IEC 15408, technical specification X.800 and many others. Each of these documents introduces its own requirements for information systems in order to assign them to a specific security class. For example, the Orange Book defines a secure system as a system that “controls access to information so that only authorized persons or processes acting on their behalf receive the right to read, write and delete information”. A reliable system is defined there as "a system that uses sufficient hardware and software to allow simultaneous processing of information of different degrees of secrecy by a group of users without violating access rights." At the same time, the security policy is evaluated according to two main criteria - the security and warranty policy. A security policy is a set of laws, rules, and standards of conduct that determine how an organization processes, protects, and disseminates information. Warranty is a measure of trust that can be provided to the architecture and implementation of the system; it shows how correct the mechanisms responsible for implementing security policy are.

The Orange Book has opened the way to ranking information systems according to the degree of security confidence. It defines four levels of trust — D, C, B, and A. Level D is for systems that are considered unsatisfactory. As the transition from level C to A to systems are becoming more stringent requirements. Levels C and B are subdivided into classes (C1, C2, B1, B2, B3) with a gradual increase in the degree of confidence. There are a total of six   safety classes - C1, C2, B1, B2, B3, A1. In order for a system to be classified into a certain class as a result of the certification procedure, its security policy and level of warranty must meet the specified requirements for providing arbitrary and forced access control, user identification and authentication, auditing, system recovery and administration capabilities, and many others. For example, the Windows NT operating system is designed to provide C2 security. The basic requirements that an information system must meet in order for it to be assigned this level are as follows:

• control over access to resources should be provided at the level of both individual users and groups of users;
• the memory must be protected, that is, its content should not be readable after the process has freed the memory;
• at the time of logging in, the user must uniquely identify himself, the system must know who performs those or other actions;
• the system administrator must be able to check all security related events;
• the system must prevent itself from external influence or interference with its work.