Presentation is loading. Please wait.

Presentation is loading. Please wait.

TM8104 IT Security EvaluationAutumn 20091 CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent.

Published byAntony Bishop Modified over 8 years ago

Similar presentations

Presentation on theme: "TM8104 IT Security EvaluationAutumn 20091 CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent."— Presentation transcript:

1 TM8104 IT Security EvaluationAutumn 20091 CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent security evaluations. The CC does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. These IT products may be implemented in hardware, firmware or software.

2 TM8104 IT Security EvaluationAutumn 20092 CC Scope Common Criteria (CC), is a multipart standard meant to be used as the basis for evaluation of security properties of IT products. By establishing such a common criteria base, the results of an IT security evaluation may be meaningful to a wider audience.

3 TM8104 IT Security EvaluationAutumn 20093 CC Target Audience Consumers –to help decide whether a TOE fulfils their security needs Developers –to help identifying security requirements to be addressed by the TOE Evaluators –to help forming judgment about the conformance of the TOE to their security requirements

4 TM8104 IT Security EvaluationAutumn 20094 CC Has Limited Coverage The CC does not cover: –administrative measures such as organisational, personnel, physical, and procedural controls –physical aspects of IT security such as electromagnetic emanation –evaluation methodology –the administrative and legal framework under which the criteria may be applied –the accreditation process –inherent qualities of cryptographic algorithms

5 TM8104 IT Security EvaluationAutumn 20095 WG 1WG 2WG 3 Security Evaluation Criteria JTC 1 ISO/IEC Joint Technical Committee no. 1 Information Technology SC 27 Security Techniques Security Techniques and Mechanisms Requirements, Security Services and Guidelines ISO/IEC standardisation of IT Security Evaluation Criteria

6 TM8104 IT Security EvaluationAutumn 20096 WG 3 Terms of Reference 1. Standards for IT Security evaluation and certification of IT systems, components, and products. This will include consideration of computer networks, distributed systems, associated application services, etc. 2. Three aspects may be distinguished: a) evaluation criteria b) methodology for application of the criteria c) administrative procedures for evaluation, certification and accreditation schemes. 3. This work will reflect the needs of relevant market sectors in society, as represented in ISO, expressed in standards for security functionality and assurance. 4. Account will be taken of related ISO standards for quality management and testing so as not to duplicate these efforts.

7 TM8104 IT Security EvaluationAutumn 20097 History of IT Security Evaluation Criteria 198519901995 Canadian Initiatives CTCPEC 3 European national and Regional initiatives ISO Standard NIST MSFR ITSEC 1.2 Federal Criteria 1997 ISO Initiatives 1998 Common Criteria Project CC V.1.0 CC V.2.0 US Orange Book 1999 CD/DIS

8 TM8104 IT Security EvaluationAutumn 20098 The CC Development Project Legal Notice: The governmental organisations listed below contributed to the development of this version of the Common Criteria for Information Technology Security Evaluation. As the joint holders of the copyright in the Common Criteria for Information Technology Security Evaluation, version 3.1 Parts 1 through 3 (called “CC 3.1”), they hereby grant non-exclusive license to ISO/IEC to use CC 3.1 in the continued development/maintenance of the ISO/IEC 15408 international standard. However, these governmental organisations retain the right to use, copy, distribute, translate or modify CC 3.1 as they see fit.

9 TM8104 IT Security EvaluationAutumn 20099 CC Part One Scope: * IT - Security; reduction of risks associated with threats to the information arising directly or indirectly from human error or deliberate subversion * Threat analysis;to discover conceivable threats * Risk analysis;to determine countermeasures

10 TM8104 IT Security EvaluationAutumn 200910 The CC Development Club Australia/New Zealand: The Defence Signals Directorate and the Government Communications Security Bureau respectively; Canada: Communications Security Establishment; France: Direction Centrale de la Sécurité des Systèmes d'Information; Germany: Bundesamt für Sicherheit in der Informationstechnik; Japan: Information Technology Promotion Agency Netherlands: Netherlands National Communications Security Agency; Spain: Ministerio de Administraciones Públicas and Centro Criptológico Nacional; United Kingdom: Communications-Electronics Security Group; United States: The National Security Agency and the National Institute of Standards and Technology.

11 TM8104 IT Security EvaluationAutumn 200911 General Evaluation Model

12 TM8104 IT Security EvaluationAutumn 200912 Evaluation Concepts and Relationships

13 TM8104 IT Security EvaluationAutumn 200913 Influence of evaluation Potential for influence Security Requirements (PP and ST) Evaluation Requirements (CC) TOE and Evaluation Evidence Evaluation Report Operation Report Develop TOE Evaluate TOE Operate TOE

14 TM8104 IT Security EvaluationAutumn 200914 Use of evaluation results Register of protection profiles Evaluated products catalogue Security requirements Evaluation results Develop and evaluate TOE Catalogue product Accredit system Evaluated product Accredited system System accreditation criteria

15 TM8104 IT Security EvaluationAutumn 200915 The Protection Profile (PP)

16 TM8104 IT Security EvaluationAutumn 200916 TOE in its environment TOE Security Objectives ENVIRONMENT Security Policy Threats LawsCustoms KnowledgeExpertise

17 TM8104 IT Security EvaluationAutumn 200917 Specification hierarchy OBJECTIVES REQUIREMENTS TOE SPECIFICATION TOE IMPLEMENTATION Abstraction Level Desired behaviour; may be tested (100%) Absence of undesired behaviour;cannot be exhaustively tested

18 TM8104 IT Security EvaluationAutumn 200918

19 TM8104 IT Security EvaluationAutumn 200919 Basic relationship of the Protection Profile and the Security Target ObjectivesRequirementsSpecificationsMechanisms Protection Profile Security Target TOE

20 TM8104 IT Security EvaluationAutumn 200920 Evaluation Results

21 TM8104 IT Security EvaluationAutumn 200921 The Double Hierarchy Functions Assurance Class Family Component Element Functional Package Functional Package Assurance Level Assurance Level Protection Profile PP refinements

22 TM8104 IT Security EvaluationAutumn 200922 The Evaluation Process ST/TOE Evaluation –an ST evaluation is carried out by applying the Security Target evaluation criteria to the Security Target. –a TOE evaluation is more complex ST TOE Development environment –Design documents –Developer test results applying SARs on the evaluation evidence

23 TM8104 IT Security EvaluationAutumn 200923 CC Part 2 - The Functional Class Set FAU - Security Audit FCO - Communication FCS - Cryptographic Support FDP - User Data Protection FIA - Identification and Authentication FMT – Security Management FPR - Privacy FPT - Protection of the Trusted Security Functions FRU - Resource Utilization FTA - TOE Access FTP - Trusted Paths/Channels

24 TM8104 IT Security EvaluationAutumn 200924 CC Part 3 - Assurance Levels EAL0 - Unassured EAL1 - Functionally tested EAL2 - Structurally tested EAL3 - Methodically tested and checked EAL4 - Methodically designed, tested, and reviewed EAL5 - Semiformally designed and tested EAL6 - Semiformally verified design and tested EAL7 - Formally verified design and tested

Download ppt "TM8104 IT Security EvaluationAutumn 20091 CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent."

Similar presentations

Security Requirements

Security Requirements
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.
Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.

Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
International Standards for Software & Systems Documentation Ralph E. Robinson R 2 Innovations.

International Standards for Software & Systems Documentation Ralph E. Robinson R 2 Innovations.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.
Information Security of Embedded Systems 6.1.2010: Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.

Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.
Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.

Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
The Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah-19112007- CEM v3.1: Chapter 10 Security Target Evaluation.

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
Conformity Assessment Practical Implications InterAgency Committee on Standards Policy June 2007 Gordon Gillerman Conformity Assessment Advisor Homeland.

Conformity Assessment Practical Implications InterAgency Committee on Standards Policy June 2007 Gordon Gillerman Conformity Assessment Advisor Homeland.
21.05.2015, Name, Folie 1 IT Audit Methodologies.

, Name, Folie 1 IT Audit Methodologies.
ISO/IEC JTC1 SC37 Overview

ISO/IEC JTC1 SC37 Overview
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

Similar presentations

Ads by Google