SECODE BOOSTS CAPACITY FOR INTERNATIONAL CC ASSIGNMENTS:
Secode Common Criteria Security Evaluation
Secode evaluates the security of IT products and IT systems, at the request of purchasers of products or systems and suppliers/developers. A security evaluation may include products such as firewalls, access control systems, PKI solutions and smart card solutions, as well as military systems. Secode also helps developers, purchasers and organizations to clearly see what is involved in a security evaluation:
How do I know if an IT product or system is secure? How secure is it? What do I have to do to "prove" that my product is secure?
See the list of internationally certifies CC vendors here>>
What is a Common Criteria IT-security evaluation?
A security evaluation is an independent review of the security functionality of an IT product or system based on a pre-defined permissible level.
When handling sensitive/classified information, a security evaluation can provide a review of the IT products and systems to determine whether the information is sufficiently protected in terms of security. An evaluation uses formal criteria and methods to evaluate the given security mechanisms. In addition, the vulnerability analysis and penetration testing determines whether it is possible to breach the security barriers in place.
Why a security evaluation?
A security evaluation proves that security functionality has been implemented according to an agreed level, based on requirements from purchasers, suppliers/developers, public requirements and laws:
Competitiveness in the marketplace
The market for security products and solutions includes many competing products, and each competitive advantage must be evaluated carefully. A successful, formal security evaluation shows that the product has undergone an independent evaluation based on an internationally recognized standard, and everything that goes into creating the product has the security functionality that it is supposed to have.
Authorities can set forth requirements that a security product or system be evaluated and approved prior to being put into use for defense or public departments and government ministries. In order for the company to sell its product, it must undergo a security evaluation.
Laws can set limits in terms of sales for specific purposes or operations. The product must therefore offer a given set of security functions and undergo a security evaluation in order to receive approval.
By running a security evaluation on an IT-product or system, the company achieves:
- Internationally recognized security targets for the product/system
- A documented level of security for their product/system
- A competitive advantage over non-evaluated products
- Reduced probability of security gaps/weaknesses in a product
- Structural implementation of security functions
- An evaluation process that ensures the quality of the development methodology and develop procedures
What are Common Criteria?
Common Criteria (CC) are established criteria and procedures to define, evaluate and assess IT products and system based on an IT security perspective. Suppliers can use CC to provide certified products and systems. CC can answer questions like "What kind of security functions does the product/solution have," and "How secure is it?" CC version 2.1 corresponds to the international standard ISO/IEC 15408:1999.
A CC evaluation can be used as a tool for determining the security level of a product or system.
Implementation is done based on 7 pre-defined assurance levels, so-called EEL (Evaluation Assurance Level. The evaluation can also be performed based on a customized level of assurance that is pre-defined by the developers. Secode performs the evaluations according to international methodology for assurance levels EAL 1-4, and based on a custom method for EAL5, and includes the following elements:
- Configuration management
- Delivery and installation
- Development process
- Operating and user documentation
- Life-long maintenance
- Vulnerability assessment
Protection Profile (PP) and Security Target (ST)
An IT product or system can be evaluated against a given protection profile (PP), or against security requirements and functions for the products in question, as defined in an ST.
A protection profile (PP) consists of security requirements for a given category of products or systems that are established by a party that is not involved in the implementation. If a PP has not been created for the product or system to be evaluated, a new PP can be defined and approved with given criteria. In other instances, when a specific product or system is involved, and which cannot be categorized, security requirements and functions can be set up in an ST.
A Security Target (ST) provides pre-set security requirements and functions and is used as the basis for evaluating an IT product or system. A ST can be generated for each IT product or system and for each evaluation. ST can include requirements from one or more PP, or expand upon those. The ST provides the requirements for security functions that are specific to an IT product or system in its intended environment.
What guarantees does a Common Criteria-certified product provide?
The results of a CC security evaluation provide proof that a security evaluation as been performed at the correct level based on potential threats to the IT product or system in question within a given environment.
Manager CC accredited unit - Jorunn Terjesen
Tlf: +47 37 05 81 35
Mob: + 47 99 28 29 35