Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Common Criteria for Information Technology Security Evaluation

Published byAlan Caldwell Modified over 9 years ago

Similar presentations

Presentation on theme: "The Common Criteria for Information Technology Security Evaluation"— Presentation transcript:

1 The Common Criteria for Information Technology Security Evaluation
Overview Glen F. Marshall, Siemens

2 Topics What is the Common Criteria? Key concepts Testing
Targets of Evaluation Security Requirements Assurance Requirements Environmental Requirements Testing Other Information Resources

3 What is the Common Crtieria?
An international standard ( ISO/IEC15408) for computer security evaluation A framework in which... Computer system purchasers and users can specify their security requirements Vendors can make claims about the security attributes of their products Testing laboratories can evaluate products to determine if they actually meet the claims.

4 Targets of Evaluation A system design which claims to satisfy security requirements A product or system for which security claims are made Note: The term “target of evaluation” is typically abbreviated as “TOE”.

5 Security Requirements
Derived from Policies, e.g., desired states and outcomes of privacy protections, confidentiality, and assurance of security within the TOE. Risk analysis, identifying threats for which mitigation is required within the TOE Environmental analysis, identifying factors that may influence the formation of policy or mitigate risks, but which are generally outside the TOEs' scope.

6 Security Requirements
Document artifacts Protection Profile (PP) - identifies detailed security requirements relevant to a particular purpose, e.g. a set of related use cases. Security Functional Requirements (SFRs) - the individual security functions to be provided within a TOE. Security Target (ST) - a document that identifies the security properties of the TOE.

7 Assurance Requirements
Assurance is the level of confidence that the policies are enforced and risks are mitigated within the TOE. Assurance requirements must be supported by the TOE Assurance activities are ongoing, often periodic, and typically performed in the course of system operation

8 Assurance Requirements
Security Assurance Requirements (SAR) describe the detailed actions during development, implementation, and operation the TOE that will assure its compliance with the claimed security functionality. Evaluation Assurance Level (EAL) is a numerical rating assigned to the TOE to reflect the SARs to be fulfilled. EALs are predefined packages (in ISO/IEC ) of SARs with a given level of strictness.

9 Testing NIST’s National Voluntary Laboratory Accreditation Program (NVLAP) accredits Common Criteria testing laboratories in the US. CCHIT security criteria are derived, in part, from the Common Criteria. However, the rigor of the testing laboratories was deemed too expensive. Use of the Common criteria in US Federal system procurement is mandatory.

10 Resources Common Criteria Project Portal NIST’s Common Criteria site Common Criteria document download CC used to identify and classify security standards

Download ppt "The Common Criteria for Information Technology Security Evaluation"

Similar presentations

Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.

Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah-19112007- CEM v3.1: Chapter 10 Security Target Evaluation.

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.

An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.
The Security Analysis Process University of Sunderland CIT304 Harry R. Erwin, PhD.

The Security Analysis Process University of Sunderland CIT304 Harry R. Erwin, PhD.
Conformity Assessment Practical Implications InterAgency Committee on Standards Policy June 2007 Gordon Gillerman Conformity Assessment Advisor Homeland.

Conformity Assessment Practical Implications InterAgency Committee on Standards Policy June 2007 Gordon Gillerman Conformity Assessment Advisor Homeland.
October 3, 20031 Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
1 Lecture 8 Security Evaluation. 2 Contents u Introduction u The Orange Book u TNI-The Trusted Network Interpretation u Information Technology Security.

1 Lecture 8 Security Evaluation. 2 Contents u Introduction u The Orange Book u TNI-The Trusted Network Interpretation u Information Technology Security.
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
CST 481/598 x.2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li.

CST 481/598 x.2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li.
8/28/2005ECEN5543 Req Elicitation1 Targets of Requirements Engineering ECEN 5543 SW Engineering of Standalone Programs University of Colorado, Boulder.

8/28/2005ECEN5543 Req Elicitation1 Targets of Requirements Engineering ECEN 5543 SW Engineering of Standalone Programs University of Colorado, Boulder.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

Similar presentations

Ads by Google