Common Criteria V3 Overview Presented to P2600 October 25 2005 Brian Smithson.


1 Common Criteria V3 Overview Presented to P2600 October 25 2005 Brian Smithson

2 What have they done!?
- Summary
- Conceptual model
- Structural changes

3 Summary of changes
- Part 1
  - More consistent terminology introduced
  - Changes in the ASE (Security Target Evaluation) and APE (Protection Profile Evaluation) assurance classes
- Part 2
  - Complicated terms simplified or removed
  - Concepts simplified and clarified
  - Underlying model developed
  - Reduced 11 classes to 6, 67 families to 45, 354 pages to 130

4 Summary (2)
- Part 3
  - ASE and APE reorganized and rewritten to give a higher assurance-to-work ratio
  - ACM/ADO/AGD/ALC classes rearranged with clearer purpose into ALC and AGD
  - ADV also gives more assurance for less work
  - ATE updated to reflect the new ADV
  - ABA merged Strength of Function (SOF) with Vulnerability Analysis (VLA), and merged Misuse (MSU) into AGD
  - A new class, ACO, deals with composition

5 Summary (3)
- CEM
  - New CEM is presented according to class, not EAL, and methodology is provided for all components up to EAL5
- EAL1 is now easier
  - You can do a “low assurance level” PP and ST
  - Just do SFRs, SARs, no Security Problem Definition

6 Conceptual model
1. Security in the operational environment
2. Security in the development environment
3. Evaluation

7 Security in the operational environment
- Assets in the operational environment are defined in terms of value to the owners
- Key factors:
  - Risk
  - Countermeasures

8 How are these countermeasures evaluated?
- Countermeasures must be:
  - Sufficient (in conjunction with countermeasures in the operational environment) to counter the threats
  - Correct, in that they don’t contain vulnerabilities which could prevent them from working

9 Sufficiency of the TOE
- Starts with a Security Problem Definition:
  - Assets and threats to those assets
  - Relevant Organizational Security Policies
  - Relevant Assumptions about the operational environment
- Describe a partwise solution
  - Solution provided by the TOE
  - Solution provided by the operational environment
- The parts provided by the TOE are Security Functional Requirements (SFRs)
- The collection of SFRs is the TOE Security Policy (TSP)
- A TOE which fulfills the TSP is sufficient, as long as the TOE has been correctly designed and implemented

10 Security in the development environment
- Correctness of implementation depends on the development environment
- Assets in the development environment are defined in terms of value to the developers

11 Correctness of the TOE implementation
- Starts with a Security Problem Definition
  - Assets (in the development environment) and threats to those assets
  - Relevant Organizational Security Policies that apply to the development environment
- Solutions to the problem are Security Assurance Requirements (SARs)
- If all SARs are met, then there is assurance that the TOE is implemented correctly

12 Evaluation model
- Key concepts:
  - Risk
  - Countermeasures
  - Assurance

13 Structural changes

