The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

Slides:



Advertisements
Similar presentations
Module 1 Evaluation Overview © Crown Copyright (2000)
Advertisements

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.
Common Criteria Evaluation and Validation Scheme Syed Naqvi XtreemOS Training Day.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.2: Evaluation of Secure Information Systems.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Chapter 16: Standardization and Security Criteria: Security Evaluation of Computer Products Guide to Computer Network Security.
Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.
Effective Design of Trusted Information Systems Luděk Novák,
The Common Criteria for Information Technology Security Evaluation
IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
Computer Security: Principles and Practice Chapter 10 – Trusted Computing and Multilevel Security.
Standards In The Evaluation Of IT Security Steve Randall & Scott Cadzow TC-MTS# October 2004 Sophia Antipolis 39TD025.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 10 – Trusted Computing.
An Overview of Common Criteria Protection Profiles María M. Larrondo Petrie, PhD March 26, 2004.
The Security Analysis Process University of Sunderland CIT304 Harry R. Erwin, PhD.
October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
1 Lecture 8 Security Evaluation. 2 Contents u Introduction u The Orange Book u TNI-The Trusted Network Interpretation u Information Technology Security.
8 November Common Criteria Protection Profiles and the NSA Strategy for Their Use Within the U.S. Department of Defense Louis.
Stephen S. Yau CSE , Fall Evaluating Systems for Functionality and Assurance.
National Information Assurance Partnership NIAP 2000 Building More Secure Systems for the New Millenium sm.
1 Copyright © 2014 M. E. Kabay. All rights reserved. Standards for Security Products CSH5 Chapter 51 “Security Standards for Products” Paul J. Brusil and.
Fraud Prevention and Risk Management
Comparison between Family of PPs and PP with Packages Brian Smithson and Ron Nevo.
Gurpreet Dhillon Virginia Commonwealth University
Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007.
1 Anthony Apted/ James Arnold 26 September 2007 Has the Common Criteria Delivered?
A Security Business Case for the Common Criteria Marty Ferris Ferris & Associates, Inc
Evaluating Systems Information Assurance Fall 2010.
1 Security Policy Framework & CCSDS Common Criteria Use CCSDS Security WG Fall 2005 Atlanta, GA USA Howard Weiss NASA/JPL/SPARTA
Instructore: Tasneem Darwish1 University of Palestine Faculty of Applied Engineering and Urban Planning Software Engineering Department Requirement engineering.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Lecture 15 Page 1 CS 236 Online Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Background. History TCSEC Issues non-standard inflexible not scalable.
OpenSG Conformity IPRM Overview July 20, ITCA goals under the IPRM at a high level and in outline form these include: Organize the Test and Certification.
1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
U.S. Common Criteria Evaluation & Validation Scheme (CCEVS) Update 25 September 2007 Audrey M. Dale Director, NIAP CCEVS.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Chapter 7 Software Engineering Introduction to CS 1 st Semester, 2015 Sanghyun Park.
Certification and Accreditation CS Syllabus Ms Jocelyne Farah Mr Clinton Campbell.
Common Criteria V3 Overview Presented to P2600 October Brian Smithson.
CMSC : Common Criteria for Computer/IT Systems
TM8104 IT Security EvaluationAutumn CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent.
Proposed Privacy Taxonomy for IOT Scott Shorter, Electrosoft, These slides are based on work contributed to the IDESG Use Case AHG in January.
1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.
1 Information Security Planning Guide CCSDS Security WG Spring 2005 Athens, GR Howard Weiss NASA/JPL/SPARTA April 2005.
Copyright (C) 2007, Canon Inc. All rights reserved. P. 0 A Study on the Cryptographic Module Validation in the CC Evaluation from Vendors' point of view.
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
© Copyright 2007 Corsec Security, Inc. Corsec Security, Inc. FIPS and Common Criteria Validation Consultants.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Prepared By: Razif Razali 1 TMK 264: COMPUTER SECURITY CHAPTER SIX : ADMINISTERING SECURITY.
Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University
CSCE 727 Awareness and Training Secure System Development and Monitoring.
Technology Services – National Institute of Standards and Technology Conformity Assessment ANSI-HSSP Workshop Emergency Communications December 2, 2004.
9 th International Common Criteria Conference Report to IEEE P2600 WG Brian Smithson Ricoh Americas Corporation 10/24/2008.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
2002 ANSI Annual Conference The Value of Accreditation Robert H. King Jr. President and CEO, RAB.
The Common Criteria for Information Technology Security Evaluation
Partnerships for VoIP Security VoIP Protection Profiles
IEEE 2600 Protection Profile Group
8ICCC Update for IEEE P2600 Brian Smithson Ricoh Americas Corporation
James Arnold/ Jean Petty 27 September 2007
9th International Common Criteria Conference Report to IEEE P2600 WG
Yesterday’s entertainment
IT SECURITY EVALUATION ACCORDING TO HARMONIZED AND APPROVED CRITERIA
Mapping TCSEC to Common Criteria
Presentation transcript:

The Common Criteria Cs5493(7493)

CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series

CC: Background The CC was conceived following the TCSEC, Rainbow series. The Rainbow series was used as a guide and model for the CC NIAP is formed (National Information Assurance Partnership) Published in 1998

CC: Background 1999 Adopted by the ISO (International Standards Organization, ISO-15408) 2000 Evaluations performed by accredited labs with government oversight and validation NSA Assumes responsibility for CCEVS (CC Evaluation and Validation Scheme)

CC Purpose To provide consistent evaluation standards to IT products and systems To improve the availability of evaluated security-enhanced IT products and systems. To eliminate duplicating evaluations of IT products and systems. To improve the efficiency and cost- effectiveness of the evaluation process.

CC The CC does not define the features of an IT product The CC does not require the product itself be secure The CC is a common framework for an evaluation process.

CC By placing focus on security evaluation process, and not on the actual product design, vendors can keep their technology proprietary.

The CC Process IT products are organized into categories:

The CC Process The CC process is centered around an IT product referred to as the Target Of Evaluation: TOE. The CC Process is determined for the TOE by three documents: 1.The Protection Profile (PP) 2.The Security Target (ST) 3.The Certification/Validation Report

CC General Requirements Functional security requirements – define desired security behavior. Assurance requirements – indicating claimed security measures are effective and implemented correctly.

The CC Process: Protection Profile Each IT category has at least one document describing the functional and assurance security requirements. These documents are known as Protection Profiles

CC: Protection Profile Created by a user, user community, laboratory, etc. NIAP is currently working on a standard protection profile for each technology category.

CC : Protection Profile Contains a description of threats Security objectives Security functional requirements Security assurance requirements etc

CC : Security Target The Security Target (ST) document is usually written by the developer/vendor of the IT product.

CC : Security Target The document contains information on how the TOE fulfills the security objectives outlined in the PP.

CC : Evaluation The evaluation process is used to determine if the security target (ST) is satisfied for the target of interest (TOE). The TOE developer requests the evaluation. Evaluation only occurs when the product is complete Cost of the evaluation is negotiated between the developer and the evaluator.

CC : Evaluations A validation/certification report documents the evaluation findings.

CC : Validation Validation for the TOE comes in the form of a Validation/Certification Report. The Validation report assigns an EAL to the TOE.

CC : EAL Evaluation Assurance Levels Levels 1 through 7 The EALs reflect the degree of confidence a user can have in the performance of the TOE EAL – 1 are no longer done by accredited labs EAL – 2 through 4 are assigned by one of the accredited labs EAL 4+ are assigned by the NSA

CC : EAL EAL 1-4 do not require evaluation of the software, only the development process EAL 4+ require more rigorous design evaluation.

CC Sustainability Cycle – Revisions are required as vulnerabilities are discovered – Each revision may require re-evaluation

Accredited Evaluators NIST accredits the evaluators There are 15 countries that have accredited evaluators. There are 11 other countries that support the CC standards.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.