Published by Nora Mason. Modified over 9 years ago.
Five Easy Steps to Successful CC Evaluations
Wesley H. Higaki
International Common Criteria Conference
September 2008

Five Easy Steps
1. Do some research
2. Work with competent consultants and labs
3. Gather internal documentation
4. Allocate time
5. Track business impact

Symantec Background
Commercial Off-The-Shelf (COTS) product vendor
  – Provide security and availability products
  – Comprised of many small acquisitions
Experience with CC Consultants
  – Experience with both good and bad ones
  – We've tried doing it without consultants
Experience with CC Schemes
  – Used US CCTLs
  – As well as UK and Canadian Labs
CC Certifications
  – 12 successful certifications
  – EAL 2 through 4

Intended Audience
Vendors going through their first CC evaluation
  – Tips and pitfalls
Consultants and labs
  – Opportunities to offer additional service

Step 1: Do Some Research
Clearly define the business case
  – Develop the business justification
Understand the costs for evaluation
  – Evaluator, consultant visible costs
  – Development team hidden costs
  – Lost opportunity costs
Understand what is involved in the CC evaluation process
  – Consultant opportunity
Provide the motivation to engage the technical team
  – Weigh the costs vs. benefits

Step 2: Hire Competent Consultants and Labs
Do not go it alone!
Go with experience
  – With CC
  – With product technology type
  – Good track record
Pre-evaluation assessment
  – Make go/no-go decision after the assessment
Seek firm, fixed-price contracts
  – Incentives for everyone to do things right

Step 3: Gather Internal Documentation
Hackers and slackers need not apply
Have procedures and document them
  – Documentation needs to reflect reality
Without documentation, be prepared to answer a lot of questions about the product and processes

Step 4: Allocate Time
Development and QA cooperation and time allocation are critical to success
  – Speaking from experience, without it, the project will fail
This is a reflection of commitment and business justification

Step 5: Track the Business Impact
Knowing how much business impact certified products have is important to justify future efforts
Makes justifying the next certification easier

Thank You!
Wes Higaki, Director – Product Certifications
whigaki@symantec.com
+ 1 (650) 527-4701

© 2006 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.