Common Criteria V3 Overview Presented to P2600 October 25 2005 Brian Smithson.

Presentation transcript:

What have they done!?
- Summary
- Conceptual model
- Structural changes

Summary of changes
- Part 1
  - More consistent terminology introduced
  - Changes in the ASE (Security Target Evaluation) and APE (Protection Profile Evaluation) assurance classes
- Part 2
  - Complicated terms simplified or removed
  - Concepts simplified and clarified
  - Underlying model developed
  - Reduced 11 classes to 6, 67 families to 45, 354 pages to 130

Summary (2)
- Part 3
  - ASE and APE reorganized and rewritten to give a higher assurance-to-work ratio
  - ACM/ADO/AGD/ALC classes rearranged with clearer purpose into ALC and AGD
  - ADV also gives more assurance for less work
  - ATE updated to reflect the new ADV
  - AVA merged Strength of Function (SOF) with Vulnerability Analysis (VLA), and merged Misuse (MSU) into AGD
  - A new class, ACO, deals with composition

Summary (3)
- CEM
  - New CEM is presented according to class, not EAL, and methodology is provided for all components up to EAL5
- EAL1 is now easier
  - You can do a “low assurance level” PP and ST
  - Just do SFRs, SARs, no Security Problem Definition

Conceptual model
1. Security in the operational environment
2. Security in the development environment
3. Evaluation

Security in the operational environment
- Assets in the operational environment are defined in terms of value to the owners
- Key factors:
  - Risk
  - Countermeasures

How are these countermeasures evaluated?
- Countermeasures must be:
  - Sufficient (in conjunction with countermeasures in the operational environment) to counter the threats
  - Correct, in that they don’t contain vulnerabilities which could prevent them from working

Sufficiency of the TOE
- Starts with a Security Problem Definition:
  - Assets and threats to those assets
  - Relevant Organizational Security Policies
  - Relevant Assumptions about the operational environment
- Describe a partwise solution
  - Solution provided by the TOE
  - Solution provided by the operational environment
- The parts provided by the TOE are Security Functional Requirements (SFRs)
- The collection of SFRs is the TOE Security Policy (TSP)
- A TOE which fulfills the TSP is sufficient, as long as the TOE has been correctly designed and implemented
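
The partwise solution on this slide can be checked mechanically by tracing every Security Problem Definition item to the TOE or environment part that addresses it. The Python below is an added example, not part of the original presentation; the function name, report keys, and all T.*, P.*, A.*, SFR.* and ENV.* identifiers are constructed for illustration.

```python
# Added example: every T.*, P.*, A.*, SFR.* and ENV.* name is constructed sample data.

def check_sufficiency(spd, toe_parts, env_parts):
    """Trace each Security Problem Definition item to the parts that address it.

    spd       -- set of threats, policies and assumptions
    toe_parts -- {SFR name: set of SPD items it addresses}
    env_parts -- {environment measure: set of SPD items it addresses}
    """
    covered = {item: set() for item in spd}
    dangling, unused = {}, []
    for side, parts in (("TOE", toe_parts), ("ENV", env_parts)):
        for name, items in parts.items():
            unknown = set(items) - spd
            if unknown:                      # traces to something outside the SPD
                dangling[name] = sorted(unknown)
            hits = set(items) & spd
            if not hits:                     # part solves no stated problem
                unused.append(name)
            for item in hits:
                covered[item].add(side)
    uncovered = sorted(i for i, sides in covered.items() if not sides)
    env_only = sorted(i for i, sides in covered.items() if sides == {"ENV"})
    return {
        "tsp": sorted(toe_parts),            # the collection of SFRs
        "uncovered": uncovered,              # SPD items with no solution part
        "env_only": env_only,                # items resting on the environment alone
        "unused": sorted(unused),
        "dangling": dangling,
        "sufficient": not uncovered and not dangling,
    }

SPD = {"T.DISCLOSE", "T.TAMPER", "P.AUDIT", "A.PHYSICAL"}
TOE_PARTS = {
    "SFR.ACCESS_CONTROL": {"T.DISCLOSE"},
    "SFR.AUDIT_LOG": {"P.AUDIT"},
    "SFR.SELF_TEST": set(),
}
ENV_PARTS = {
    "ENV.LOCKED_ROOM": {"A.PHYSICAL"},
    "ENV.TRAINED_ADMIN": {"T.DISCLOSE"},
}

if __name__ == "__main__":
    report = check_sufficiency(SPD, TOE_PARTS, ENV_PARTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report flags T.TAMPER as uncovered and SFR.SELF_TEST as tracing to nothing, so the sufficiency argument fails until a part is added for the tampering threat.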

Security in the development environment
- Correctness of implementation depends on the development environment
- Assets in the development environment are defined in terms of value to the developers

Correctness of the TOE implementation
- Starts with a Security Problem Definition
  - Assets (in the development environment) and threats to those assets
  - Relevant Organizational Security Policies that apply to the development environment
- Solutions to the problem are Security Assurance Requirements (SARs)
- If all SARs are met, then there is assurance that the TOE is implemented correctly

Evaluation model
- Key concepts:
  - Risk
  - Countermeasures
  - Assurance

Structural changes