The Common Criteria for Information Technology Security Evaluation

Slides:

Advertisements

Similar presentations

Module 1 Evaluation Overview © Crown Copyright (2000)

Advertisements

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.

Effective Design of Trusted Information Systems Luděk Novák,

IT Security Evaluation By Sandeep Joshi

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.

The Security Analysis Process University of Sunderland CIT304 Harry R. Erwin, PhD.

Conformity Assessment Practical Implications InterAgency Committee on Standards Policy June 2007 Gordon Gillerman Conformity Assessment Advisor Homeland.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

Secure Operating Systems Lesson 0x11h: Systems Assurance.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Lecture 8 Security Evaluation. 2 Contents u Introduction u The Orange Book u TNI-The Trusted Network Interpretation u Information Technology Security.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

CST 481/598 x.2.  Broad overview of policy material  What is a “process”  Tiers (not tears) Many thanks to Jeni Li.

8/28/2005ECEN5543 Req Elicitation1 Targets of Requirements Engineering ECEN 5543 SW Engineering of Standalone Programs University of Colorado, Boulder.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

Risk Management.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Framework for Improving Critical Infrastructure Cybersecurity Overview and Status Executive Order “Improving Critical Infrastructure Cybersecurity”

Fraud Prevention and Risk Management

Complying With The Federal Information Security Act (FISMA)

NVLAP Overview and Accreditation Process March 2006.

Comparison between Family of PPs and PP with Packages Brian Smithson and Ron Nevo.

Gurpreet Dhillon Virginia Commonwealth University

1 Autumn 2008 TM8104 IT Security Evaluation Guide on the production of Protection Profiles Karin Sallhammar Q2S/NTNU 29/11/2003 Reference: ISO/IEC TR

A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc

1 Security Policy Framework & CCSDS Common Criteria Use CCSDS Security WG Fall 2005 Atlanta, GA USA Howard Weiss NASA/JPL/SPARTA

The Security Analysis Process University of Sunderland CSEM02 Harry R. Erwin, PhD.

Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Background. History TCSEC Issues non-standard inflexible not scalable.

ITU-T X.1254 | ISO/IEC An Overview of the Entity Authentication Assurance Framework.

1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.

Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.

Accreditation for Voting Equipment Testing Laboratories Gordon Gillerman Standard Services Division Chief

Conformity Assessment Overview Nuclear Energy Standards Coordinating Collaborative November 2009 Gordon Gillerman Chief Standards Services Division National.

The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;

Page 1 ©1999 InfoGard Laboratories, Inc Centre for Applied Cryptographic Research workshop, Nov. 8, 1999 Third party evaluations of CA cryptographic implementations.

Certification and Accreditation CS Syllabus Ms Jocelyne Farah Mr Clinton Campbell.

Common Criteria V3 Overview Presented to P2600 October Brian Smithson.

CMSC : Common Criteria for Computer/IT Systems

Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id #

TM8104 IT Security EvaluationAutumn CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent.

Proposed Privacy Taxonomy for IOT Scott Shorter, Electrosoft, These slides are based on work contributed to the IDESG Use Case AHG in January.

1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.

Information Security IBK3IBV01 College 2 Paul J. Cornelisse.

1 Information Security Planning Guide CCSDS Security WG Spring 2005 Athens, GR Howard Weiss NASA/JPL/SPARTA April 2005.

Copyright (C) 2007, Canon Inc. All rights reserved. P. 0 A Study on the Cryptographic Module Validation in the CC Evaluation from Vendors' point of view.

HIPAA Security Final Rule Overview

SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:

High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.

A Comparison of Commercial and Military Computer Security Presenter: Ivy Jiang1 A Comparison of Commercial and Military Computer Security Policies Authors:

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University

Technology Services – National Institute of Standards and Technology Conformity Assessment ANSI-HSSP Workshop Emergency Communications December 2, 2004.

HCS 451 Week 2 Individual Risk Management Assessment Summary To purchase this material click below link 451-Week-2-Individual-Risk-Management-

Dr. Ir. Yeffry Handoko Putra

The Common Criteria for Information Technology Security Evaluation

What Is ISO ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for BS It is intended.

Partnerships for VoIP Security VoIP Protection Profiles

IS4550 Security Policies and Implementation

James Arnold/ Jean Petty 27 September 2007

IS4550 Security Policies and Implementation

Final Conference in Paris WP6 – Protection Profiles Specification

Final Conference 18 Set 2018.

IEEE- P2600 PP Guidelines Suggested Format and Content

Mapping TCSEC to Common Criteria

Presentation transcript:

The Common Criteria for Information Technology Security Evaluation Overview Glen F. Marshall, Siemens

Topics What is the Common Criteria? Key concepts Testing Targets of Evaluation Security Requirements Assurance Requirements Environmental Requirements Testing Other Information Resources

What is the Common Crtieria? An international standard ( ISO/IEC15408) for computer security evaluation A framework in which... Computer system purchasers and users can specify their security requirements Vendors can make claims about the security attributes of their products Testing laboratories can evaluate products to determine if they actually meet the claims.

Targets of Evaluation A system design which claims to satisfy security requirements A product or system for which security claims are made Note: The term “target of evaluation” is typically abbreviated as “TOE”.

Security Requirements Derived from Policies, e.g., desired states and outcomes of privacy protections, confidentiality, and assurance of security within the TOE. Risk analysis, identifying threats for which mitigation is required within the TOE Environmental analysis, identifying factors that may influence the formation of policy or mitigate risks, but which are generally outside the TOEs' scope.

Security Requirements Document artifacts Protection Profile (PP) - identifies detailed security requirements relevant to a particular purpose, e.g. a set of related use cases. Security Functional Requirements (SFRs) - the individual security functions to be provided within a TOE. Security Target (ST) - a document that identifies the security properties of the TOE.

Assurance Requirements Assurance is the level of confidence that the policies are enforced and risks are mitigated within the TOE. Assurance requirements must be supported by the TOE Assurance activities are ongoing, often periodic, and typically performed in the course of system operation

Assurance Requirements Security Assurance Requirements (SAR) describe the detailed actions during development, implementation, and operation the TOE that will assure its compliance with the claimed security functionality. Evaluation Assurance Level (EAL) is a numerical rating assigned to the TOE to reflect the SARs to be fulfilled. EALs are predefined packages (in ISO/IEC 15408-3) of SARs with a given level of strictness.

Testing NIST’s National Voluntary Laboratory Accreditation Program (NVLAP) accredits Common Criteria testing laboratories in the US. CCHIT security criteria are derived, in part, from the Common Criteria. However, the rigor of the testing laboratories was deemed too expensive. Use of the Common criteria in US Federal system procurement is mandatory.

Resources Common Criteria Project Portal http://www.commoncriteriaportal.org/ NIST’s Common Criteria site http://csrc.nist.gov/cc/ Common Criteria document download http://www.niap-ccevs.org/cc-scheme/cc_docs/ CC used to identify and classify security standards http://www.healthitsecurity.net/wiki/