ISO/IEC 15408-2, Third edition. Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional. ISO/IEC (E).

The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification.
Based on this and other assumptions, which may not be realistic for the common use of general-purpose operating systems, the claimed security functions of the Windows products are evaluated.
Although some have argued that both paradigms do not align well, others have attempted to reconcile both paradigms. In September, the Common Criteria published a Vision Statement implementing to a large extent Salter's thoughts from the previous year.
The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain.
Some national evaluation schemes are phasing out EAL-based evaluations and only accept products for evaluation that claim strict conformance to an approved PP. Further, this vision indicates a move away from assurance levels altogether, and evaluations will be confined to conformance with Protection Profiles that have no stated assurance level. In other words, products evaluated against a Common Criteria standard exhibit a clear chain of evidence that the process of specification, implementation, and evaluation has been conducted in a rigorous and standard manner.
Standard ISO/IEC 15408, CC v3.1. Release 4
Evaluation activities are therefore only performed to a certain depth, use of time, and resources, and offer reasonable assurance for the intended environment. Common Criteria certification cannot guarantee security, but it can ensure that claims about the security attributes of the evaluated product were independently verified.
In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner at a level that is commensurate with the target environment for use.
Common Criteria – Wikipedia
Canada is in the process of phasing out EAL-based evaluations. It is currently in version 3. Failure by the vendor to take either of these steps would result in involuntary withdrawal of the product's certification by the certification body of the country in which the product was evaluated.
Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.
Wheeler suggested that the Common Criteria process discriminates against free and open-source software (FOSS)-centric organizations and development models. As well as the Common Criteria standard, there is also a sub-treaty level Common Criteria MRA (Mutual Recognition Arrangement), whereby each party thereto recognizes evaluations against the Common Criteria standard done by other parties.
The United States currently only allows PP-based evaluations. Major changes to the Arrangement include:
Other standards containing, e.g. Thus they should only be considered secure in the assumed, specified circumstances, also known as the evaluated configuration. The UK has also produced a number of alternative schemes when the timescales, costs and overheads of mutual recognition have been found to be impeding the operation of the market:
Objections outlined in the article include:
Additionally, the CC recognizes a need to limit the scope of evaluation in order to provide cost-effective and useful security certifications, such that evaluated products are examined to a level of detail specified by the assurance level or PP.
Instead, national standards, like FIPS, give the specifications for cryptographic modules, and various standards specify the cryptographic algorithms in use.