Friday, June 12, 2026

SF - 2.09.0 - Common Criteria

The Common Criteria for Information Technology Security Evaluation is International Standard ISO 15408, and is generally known and referred to simply as the Common Criteria.  However, it should be noted that it is not a security framework.  It is not even an evaluation standard.  It is a framework for the specification of evaluation, particularly for security products.
 
To explain this oddity, one need only look to ISO 9000 which is the international standard for quality.  Except that it *isn't* the international standard for quality.  It is a framework for discussion about quality and specification of what your company does in terms of quality.  I have discussed this with people who are ISO 9000 certified, and put it to them that it is perfectly possible, according to ISO 9000, to create a specification which states, essentially, that we make shoddy products, and we don't care.  All of them agree that this is perfectly possible, as long as you describe it in the proper format and jargon.

The same thing is possible with regard to the Common Criteria.  In fact, this has basically been proven.  Microsoft certified Windows NT Server, Version 3.5, and, if you actually go through all the details of that specification you will find that it says, essentially, we make a not very secure workstation, and we can verify that as long as you believe everything that we tell you.

Nevertheless, the Common Criteria has created some very valuable materials and even concepts.  One of the concepts is the division between functional security requirements and assurance security requirements.  This is made evident in the fact that the Common Criteria is essentially divided into three parts.  Part one is a general introduction, contains a number of interesting discussions, and is something that I advise everyone to obtain and read.  Part two establishes the idea of the protection profile, which is the description of the secure device or entity which you wish to create or evaluate.  This allows you to specify the functional requirements of the device.  The third part of the Common Criteria is the one that allows you to establish the assurance requirements for the device under consideration.  It establishes seven evaluation assurance levels, with increasingly rigorous requirements for the assessment and determination of adherence to the protection profile.

Security frameworks (SF) series:
