
Common Criteria for Information Technology Security Evaluation

Definition of Common Criteria for Information Technology Security Evaluation

Common Criteria for Information Technology Security Evaluation, also known as Common Criteria or CC, is an international standard (ISO/IEC 15408) that provides a framework for evaluating the security functionality and the assurance of IT products and systems. It gives vendors a common vocabulary in which to state what their product claims to protect against and how thoroughly that claim has been checked, and it gives independent laboratories a repeatable method for testing those claims. A successful evaluation ends in a certificate stating that the product meets the security claims in its Security Target, either at a named Evaluation Assurance Level or as conformant to a specific Protection Profile; the certificate speaks to those claims and the evaluated configuration, not to the product's security in every possible deployment.

Phonetic

“Common Criteria for Information Technology Security Evaluation” in phonetics can be represented as: /ˈkɒmən krɪˈtɪərɪə fɔr ɪnfərˈmeɪʃən tɛkˈnɒlədʒi sɪˈkjurɪti ɪˈvæljuˌeɪʃən/

Key Takeaways

  1. Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) that provides a framework for evaluating the security properties of IT products and systems against security requirements stated in a Protection Profile or Security Target.
  2. It defines a consistent evaluation process that national certification schemes apply in the same way, so that a certificate issued in one country can be recognised in others under the Common Criteria Recognition Arrangement (CCRA). Note that mutual recognition under the current CCRA covers evaluations against collaborative Protection Profiles and evaluations up to EAL2 (optionally augmented with flaw remediation); higher EALs are recognised only within narrower regional agreements.
  3. Assurance is expressed through predefined Evaluation Assurance Levels (EALs) ranging from EAL1 to EAL7, where a higher level means a deeper and more rigorous examination of the claimed security functions (more design evidence, more testing, stronger vulnerability analysis). The EAL says nothing about how much security functionality the product has; a customer must read the Security Target to see what was actually claimed and evaluated.

Importance of Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation, commonly referred to as Common Criteria, is a vital international standard (ISO/IEC 15408) for evaluating and certifying the security of information technology products and systems.

This framework enables an objective and thorough analysis of IT security components to ensure they meet strict security requirements and function securely in their intended environment.

By requiring Common Criteria certification in procurement, organizations gain independent evidence that the security measures of a product behave as claimed, while suppliers are able to demonstrate that their products have been evaluated against a recognised standard rather than relying on self-assertion.

Furthermore, it promotes global recognition and market acceptance of approved IT products, streamlining international trade and enhancing cybersecurity collaboration between countries.

Explanation

The Common Criteria for Information Technology Security Evaluation, often referred to as Common Criteria, plays a crucial role in ensuring the security and reliability of information technology (IT) products and systems. Its purpose is to provide a standardized framework for evaluating, validating, and certifying the security features and capabilities of these IT products, which include software, hardware, and firmware components.

By doing so, it aims to build trust and confidence in both the users that rely on the technology and within the international marketplace. Common Criteria serves as a foundation for various government and industry organizations across the globe, enabling them to assess the security capabilities of IT products before procuring or implementing them within their infrastructures.

The evaluation works from two kinds of requirement defined by the standard: Security Functional Requirements (ISO/IEC 15408 Part 2), which describe what the product must do, such as identification and authentication, access control, audit or cryptographic operation, and Security Assurance Requirements (Part 3), which describe how much evidence and testing must back those functions. A Protection Profile states the requirements for a class of product, and a vendor's Security Target states which requirements its specific product claims, optionally by conforming to a Protection Profile. As a result, Common Criteria fosters a standardized and consistent approach to security evaluation, promoting a higher level of security and trust across industries, while also simplifying the comparison and acquisition of IT products and services.

Examples of Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation (CC) is an international framework for assessing and certifying the security of IT products and systems. Here are three real-world examples of its application:

Guard on the Net (GON) Firewall: Guard on the Net, developed by NEC Corporation, is a high-performance, scalable firewall system. GON Firewall underwent the Common Criteria evaluation process and obtained EAL4+ (Evaluation Assurance Level 4, augmented). The "+" denotes augmentation: the product was evaluated against the full EAL4 assurance package plus one or more additional assurance components that the vendor chose to claim. The certificate attests that the security functions claimed in the firewall's Security Target were examined to that depth; it does not cover configurations or features outside that evaluated scope.

Samsung Knox: Samsung Knox is a mobile security platform built into Samsung smartphones and tablets to protect them against malware and unauthorized access to personal and business data. Knox-enabled Galaxy devices have repeatedly completed Common Criteria evaluation, in recent years against the Protection Profile for Mobile Device Fundamentals; evaluations of this kind report conformance to the Protection Profile rather than an EAL. The EAL5+ and higher ratings that appear in Samsung's portfolio belong to its secure element chips, which are evaluated under the assurance packages used for smart-card hardware, not to the Knox platform as a whole. When a vendor quotes an EAL, check the certificate to see which Target of Evaluation it actually names.

Microsoft Windows Operating Systems: Microsoft has taken Windows through Common Criteria evaluation many times. Releases up to Windows 7 and Windows Server 2008 R2 were certified at EAL4+, while Windows 10 is evaluated against the Protection Profile for General Purpose Operating Systems (and related profiles for specific components), so its certificates state Protection Profile conformance rather than an EAL. In either form, the certificate covers the specific editions, versions and evaluated configuration described in the Security Target; a deployment that departs from that configuration is outside the evaluated scope. The evaluation gives government agencies and organizations with certification mandates an independent basis for accepting Windows as meeting their procurement requirements.

FAQ: Common Criteria for Information Technology Security Evaluation

1. What is Common Criteria for Information Technology Security Evaluation?

The Common Criteria for Information Technology Security Evaluation, also known as Common Criteria, is an international standard (ISO/IEC 15408) for evaluating the security of information technology products and systems. It provides a framework for determining the assurance level of a security product by establishing a catalogue of standard functional and assurance requirements together with a rigorous, repeatable evaluation process (the Common Methodology for Information Technology Security Evaluation, CEM).

2. Why is Common Criteria important?

Common Criteria establishes a common set of evaluation requirements for IT security products, which enables consumers and organizations to compare products on the same terms and make informed decisions when selecting security solutions. It provides independent evidence that an evaluated product meets the security requirements claimed in its Security Target, and the framework is trusted by governments and industries worldwide, many of which require certification for procurement. Additionally, Common Criteria certification helps vendors demonstrate the effectiveness of their security offerings and opens up markets that mandate it.

3. How does the Common Criteria evaluation process work?

The Common Criteria evaluation process is carried out by independent, licensed evaluation laboratories (IT Security Evaluation Facilities, called Common Criteria Testing Laboratories in the US NIAP scheme) operating under a national certification body. The vendor first defines the security requirements in a Security Target, usually by claiming conformance to an applicable Protection Profile; the laboratory then evaluates the product and its evidence against those requirements using the CEM, and the certification body reviews the laboratory's findings and issues the certificate. The outcome is expressed either as an Evaluation Assurance Level (EAL), ranging from EAL1 (functionally tested) to EAL7 (formally verified design and tested), or, for evaluations against collaborative Protection Profiles, as conformance to that profile without an EAL.

4. What is an Evaluation Assurance Level (EAL)?

The Evaluation Assurance Level (EAL) is a numerical rating from EAL1 to EAL7 assigned to an IT product or system after a Common Criteria evaluation. Each EAL is a predefined package of assurance components from ISO/IEC 15408 Part 3 (design documentation, configuration management, testing, vulnerability analysis and so on), and a higher EAL means more evidence was examined and more rigorous testing and vulnerability analysis were performed, giving greater confidence that the claimed security functions are correctly implemented. A "+" after the level (for example EAL4+) means the package was augmented with additional assurance components beyond those the level requires; the certificate lists which ones. An EAL measures the depth of evaluation of the claimed functions, not the breadth of the product's security functionality, so a low-EAL product with many claimed functions and a high-EAL product with few are not directly comparable. The EAL should always be read alongside the Security Target that defines what was claimed.

5. How do organizations obtain Common Criteria certification for their products?

To obtain Common Criteria certification, a vendor prepares a Security Target for the product (the Target of Evaluation) and submits it, together with the design, lifecycle and test evidence the chosen assurance package requires, to a licensed evaluation laboratory working under a national certification scheme. The laboratory evaluates the product against the Security Target using the CEM, which includes documentation review, independent functional testing, and vulnerability analysis and penetration testing at the depth the assurance package demands. Once the evaluation passes, the scheme's certification body issues a certificate and a certification report stating the evaluated configuration, the assurance level or Protection Profile, and any augmentations. Certificates issued under the CCRA are published on the Common Criteria portal (https://www.commoncriteriaportal.org), which is where a buyer should verify a vendor's claim.
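Certificates and Security Targets state assurance as a list of component identifiers (for example "EAL4 augmented with ALC_FLR.3 and AVA_VAN.5"), and a buyer comparing products has to work out which EAL package such a list actually satisfies and what the "+" stands for. The following Python is an added illustration written for this page, not code from Common Criteria or from any certification scheme. Its EAL table is a deliberately abbreviated subset of the Part 3 tables covering only four assurance families (ADV_FSP, ADV_IMP, ALC_CMC, AVA_VAN); the component identifiers and the sample claim are constructed for the example, and a real decoder must load the full Part 3 tables for the CC version named on the certificate.

```python
"""Decode a claimed Common Criteria assurance package into its EAL and augmentations.

Added example for illustration, not code from ISO/IEC 15408 or any scheme.
Assumption: EAL_PACKAGES holds only an abbreviated subset of the CC Part 3
EAL tables (four families); use the full tables for real certificate review.
"""
from __future__ import annotations

import re

# family -> component level required by each EAL package (abbreviated subset).
EAL_PACKAGES: dict[int, dict[str, int]] = {
    1: {"ADV_FSP": 1, "ALC_CMC": 1, "AVA_VAN": 1},
    2: {"ADV_FSP": 2, "ALC_CMC": 2, "AVA_VAN": 2},
    3: {"ADV_FSP": 3, "ALC_CMC": 3, "AVA_VAN": 2},
    4: {"ADV_FSP": 4, "ADV_IMP": 1, "ALC_CMC": 4, "AVA_VAN": 3},
    5: {"ADV_FSP": 5, "ADV_IMP": 1, "ALC_CMC": 4, "AVA_VAN": 4},
    6: {"ADV_FSP": 5, "ADV_IMP": 2, "ALC_CMC": 5, "AVA_VAN": 5},
    7: {"ADV_FSP": 6, "ADV_IMP": 2, "ALC_CMC": 5, "AVA_VAN": 5},
}

# Component identifiers look like CLASS_FAMILY.level, e.g. AVA_VAN.3
COMPONENT_RE = re.compile(r"^([A-Z]{3}_[A-Z]{3})\.(\d)$")


def parse_claims(components: list[str]) -> dict[str, int]:
    """Turn ['ADV_FSP.4', 'AVA_VAN.5'] into {'ADV_FSP': 4, 'AVA_VAN': 5}.

    A Security Target claims at most one component per family, so a
    duplicate family or a malformed identifier is rejected rather than
    silently merged.
    """
    claims: dict[str, int] = {}
    for comp in components:
        match = COMPONENT_RE.match(comp.strip())
        if not match:
            raise ValueError(f"malformed assurance component: {comp!r}")
        family, level = match.group(1), int(match.group(2))
        if family in claims:
            raise ValueError(f"family {family} claimed twice")
        claims[family] = level
    return claims


def satisfies(claims: dict[str, int], package: dict[str, int]) -> bool:
    """Components within a family are hierarchical in Part 3, so a claim at a
    higher level satisfies a package entry at a lower one."""
    return all(claims.get(family, 0) >= level for family, level in package.items())


def decode_assurance(components: list[str]) -> tuple[int | None, list[str]]:
    """Return (highest EAL whose package is fully satisfied, augmentations).

    Augmentations are claimed components above the package level or in
    families the package does not require at all (e.g. ALC_FLR, which is
    never part of an EAL and therefore always appears as a "+").
    """
    claims = parse_claims(components)
    best: int | None = None
    for eal in sorted(EAL_PACKAGES):
        if satisfies(claims, EAL_PACKAGES[eal]):
            best = eal
    if best is None:
        return None, sorted(f"{f}.{lvl}" for f, lvl in claims.items())
    package = EAL_PACKAGES[best]
    augmentations = [f"{f}.{lvl}" for f, lvl in claims.items() if lvl > package.get(f, 0)]
    return best, sorted(augmentations)


def format_claim(components: list[str]) -> str:
    """Render the decoded package the way certificates print it."""
    eal, augmentations = decode_assurance(components)
    if eal is None:
        return "no EAL package satisfied; claims: " + ", ".join(augmentations)
    label = f"EAL{eal}"
    if augmentations:
        label += "+ (augmented with " + ", ".join(augmentations) + ")"
    return label


if __name__ == "__main__":
    # Constructed sample in the shape of an ST's assurance package: the EAL4
    # subset plus flaw remediation, which no EAL package requires.
    sample = ["ADV_FSP.4", "ADV_IMP.1", "ALC_CMC.4", "AVA_VAN.3", "ALC_FLR.3"]
    print(format_claim(sample))
```

Two behaviours are worth noting. A claim that exceeds the package in one family but falls short in another (for example AVA_VAN.5 with ADV_FSP.4) decodes as EAL4 augmented with AVA_VAN.5, not as EAL6, because an EAL is only satisfied when every component of its package is met; this is exactly the case where a marketing "EAL5-level vulnerability analysis" claim should be read as EAL4+. And a claim that does not even cover EAL1's package returns no EAL, which is how a Protection Profile based evaluation that lists only the PP's assurance activities would appear.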

Related Technology Terms

  • Evaluation Assurance Level (EAL)
  • Protection Profile (PP)
  • Security Target (ST)
  • Common Criteria Recognition Arrangement (CCRA)
  • Common Methodology for Information Technology Security Evaluation (CEM)
