The IT Law Wiki
== Definitions ==

=== Computing ===

'''Trustworthiness''' is a multidimensional measure of the extent to which a [[system]] is likely to satisfy each of multiple aspects of each stated requirement for some desired combination of [[system integrity]], [[system availability]] and [[survivability]], [[data confidentiality]], guaranteed [[real-time]] performance, [[accountability]], [[attribution]], [[usability]], and other critical needs.

Trustworthiness expresses the degree to which [[information system]]s (including the [[information technology]] products from which the [[system]]s are built) can be expected to: (i) perform in a specified or predictable manner; and (ii) preserve the [[confidentiality]], [[integrity]], and [[availability]] of the [[information]] being [[data processing|processed]], [[store]]d, or [[transmit]]ted by the [[information system|systems]].

Trustworthy [[information system]]s are [[system]]s that are worthy of being [[trusted]] to operate within defined levels of [[risk]] despite the environmental disruptions, human errors, and purposeful [[attack]]s that are expected to occur in the specified environments of operation. Two factors affecting the trustworthiness of an [[information system]] include:

* [[Security functionality]] (i.e., the [[security]]-related features or functions employed within an [[information system]] or the [[infrastructure]] supporting the [[system]]); and
* [[Security assurance]] (i.e., the grounds for confidence that the [[security functionality]], when employed within an [[information system]] or its supporting [[infrastructure]], is effective in its application).

[[Critical system]]s and their [[operating environment]]s must be trustworthy despite a very wide range of adversities and [[adversaries]]. Historically, many [[system]] uses assumed the existence of a [[trustworthy computing]] base that would provide a suitable foundation for such [[computing]]. However, this assumption has not been justified.

[[Scalable]] trustworthiness will be essential for many national- and world-scale [[system]]s, including those supporting [[critical infrastructure]]s. Current methodologies for creating [[high-assurance system]]s do not scale to the size of today’s — let alone tomorrow’s — [[critical system]]s.

[[Spoof]]ed [[website]]s, stolen [[password]]s, and [[compromise]]d [[login]] accounts are all symptoms of an untrustworthy [[computing]] environment. One key step in reducing [[online fraud]] and [[identity theft]] is to increase the level of trust associated with identities in [[cyberspace]].

=== Evidence ===

'''Trustworthiness''' of [[documentary evidence]] or [[testimony]] is based primarily on subjective factors, but can include objective measurements such as established [[reliability]].

=== General ===

'''Trustworthiness''' is

{{Quote|an [[attribute]] of a person or organization that provides [[confidence]] to others of the qualifications, [[capabilities]], and [[reliability]] of that entity to perform specific tasks and fulfill assigned responsibilities.<ref>[[NIST Special Publication 800-160]], at B-15.</ref>}}

{{Quote|[w]orthy of being [[trusted]] to fulfill whatever critical requirements may be needed for a particular [[component]], [[subsystem]], [[system]], [[network]], [[application]], [[mission]], [[enterprise]], or other entity.<ref>[[NISTIR 8062]], Glossary, at 29.</ref>}}

=== Security ===

'''Trustworthiness''' is

{{Quote|[[Security|[s]ecurity]] decisions with respect to extended investigations to determine and confirm qualifications, and [[suitability]] to perform specific tasks and responsibilities.<ref>[[FIPS 201]].</ref>}}

== Overview ==

=== Control system ===

"The level of trustworthiness for organizational [[control system]]s is defined in terms of degree of [[correctness]] for intended [[functionality]] and of degree of [[resilience]] to [[attack]] by [[explicit]]ly identified levels of [[adversary]] [[capability]]. In addition, but not as a replacement for this expression of degree of [[correctness]] and [[resilience]], the level of trustworthiness may also be described in terms of levels of [[developmental assurance]], that is, actions taken in the [[specification]], design, development, [[implementation]], and operation/[[maintenance]] of the [[control system]] that impact the degree of [[correctness]] and [[resilience]] achieved. Trustworthiness may be defined as different levels on the basis of [[component]]-by-[[component]], [[subsystem]]-by-[[subsystem]], [[function]]-by-[[function]], or a combination of the above. However, typically [[function]]s, [[subsystem]]s, and [[component]]s are highly interrelated, making separation by trustworthiness perhaps problematic and, at a minimum, something that likely requires careful attention in order to achieve practically useful results."<ref>[[Catalog of Control Systems Security: Recommendations for Standards Developers]], at 32.</ref>

== References ==
<references />

== See also ==

* [[Untrustworthiness]]

[[Category:Security]]
[[Category:Evidence]]

Latest revision as of 22:42, 23 September 2018
