ISO/IEC. Third edition. Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional. ISO/IEC (E). The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC ) for computer security certification.
Published (Last): 1 April 2005
PDF File Size: 14.83 Mb
ePub File Size: 8.67 Mb
The evaluation process also tries to establish the level of confidence that may be placed in the product’s security features through quality assurance processes.
The United States currently only allows PP-based evaluations. Evaluations at EAL5 and above tend to involve the security requirements of the host nation’s government.
Some national evaluation schemes are phasing out EAL-based evaluations and only accept products for evaluation that claim strict conformance with an approved PP. In a research paper, computer specialist David A.
Whether you run Microsoft Windows in the precise evaluated configuration or not, you should apply Microsoft’s security patches for the vulnerabilities in Windows as they continue to appear.
Compliance with the ISO standard is typically demonstrated to a national approval authority. There are no security requirements that address the need to trust external systems or the communications links to such systems. In other words, products evaluated against a Common Criteria standard exhibit a clear chain of evidence that the process of specification, implementation, and evaluation has been conducted in a rigorous and standard manner. Further, this vision indicates a move away from assurance levels altogether, and evaluations will be confined to conformance with Protection Profiles that have no stated assurance level.
Key elements of the Vision included: Characteristics of these organizations were examined and presented at ICCC. Objections outlined in the article include:
If any of these security vulnerabilities are exploitable in the product’s evaluated configuration, the product’s Common Criteria certification should be voluntarily withdrawn by the vendor.
In September, the Common Criteria published a Vision Statement implementing to a large extent Chris Salter’s thoughts from the previous year. Common Criteria certification cannot guarantee security, but it can ensure that claims about the security attributes of the evaluated product were independently verified.
Common Criteria certification is sometimes specified for IT procurement. Alternatively, the vendor should re-evaluate the product to include the application of patches to fix the security vulnerabilities within the evaluated configuration.
In this approach, communities of interest form around technology types which in turn develop protection profiles that define the evaluation methodology for the technology type.
Various Microsoft Windows versions, including Windows Server and Windows XP, have been certified, but security patches to address security vulnerabilities are still being published by Microsoft for these Windows systems. Other standards containing, e.
In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner, at a level that is commensurate with the target environment for use.
Common Criteria – Wikipedia
Based on this and other assumptions, which may not be realistic for the common use of general-purpose operating systems, the claimed security functions of the Windows products are evaluated. Evaluation activities are therefore only performed to a certain depth, use of time, and resources, and offer reasonable assurance for the intended environment.
Standard ISO/IEC , CC v Release 4
Instead, national standards, like FIPS, give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use. Although some have argued that both paradigms do not align well, others have attempted to reconcile both paradigms.
This will be achieved through technical working groups developing worldwide PPs, and as yet a transition period has not been fully determined. The evaluated product is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain.
There is some concern that this may have a negative impact on mutual recognition. In September, a majority of members of the CCRA produced a vision statement whereby mutual recognition of CC evaluated products will be lowered to EAL 2 (including augmentation with flaw remediation). CC was produced by unifying these pre-existing standards, predominantly so that companies selling computer products for the government market (mainly for Defence or Intelligence use) would only need to have them evaluated against one set of standards.
The UK has also produced a number of alternative schemes when the timescales, costs and overheads of mutual recognition have been found to be impeding the operation of the market: Wheeler suggested that the Common Criteria process discriminates against free and open-source software (FOSS)-centric organizations and development models.
As well as the Common Criteria standard, there is also a sub-treaty level Common Criteria MRA (Mutual Recognition Arrangement), whereby each party thereto recognizes evaluations against the Common Criteria standard done by other parties.
Major changes to the Arrangement include: Common Criteria is very generic; it does not directly provide a list of product security requirements or features for specific classes of products. Canada is in the process of phasing out EAL-based evaluations.