The Common Criteria for Information Technology Security Evaluation (also simply Common Criteria, or CC; in German, roughly: Common Criteria for the Evaluation of the Security of Information Technology) is an international standard defining the criteria for evaluating and certifying the security of computer systems with regard to data security. As the name suggests, the Common Criteria standard is intended to provide a common basis for such evaluations and, in particular, to replace the European ITSEC and the American TCSEC standards. It is meant to avoid components or systems having to be certified several times over in different countries.
As with ITSEC and the older BSI standard ITS, the evaluation is divided into an evaluation of the functionality (functional scope) of the system under consideration and an evaluation of its trustworthiness (quality). The latter is assessed against criteria for the effectiveness of the methods used and the correctness of the implementation.
Ideally, a security analysis independent of any finished product is carried out first, leading to a general Protection Profile. From this security catalogue, a Security Target aimed at specific products can then be compiled, against which the evaluation is carried out in accordance with the CC. The required trustworthiness, that is, the depth of testing, is generally specified as an EAL (Evaluation Assurance Level, see below). Stating a test depth without the underlying Protection Profile is meaningless. Unfortunately, it is above all the bare EAL designations, given without any further information, that have become generally accepted, which often leads to confusion and heated debates.
In 1999 the Common Criteria, now available in version 2.3, were declared international ISO standard 15408. The CC consist of three parts:
A heavily revised version of the CC, version 3.0, is under discussion. The switch to the new version, as version 3.1, is planned for mid-2006. Certification under the 2.x scheme may continue until at most 18 months after that date.
At present, international mutual recognition has been agreed up to EAL4 (see below); higher EALs do not have to be recognised internationally, but because of their enormous complexity they have hardly any practical significance in the private sector anyway. Evaluation according to the CC is generally quite complex and takes some time. The evaluation itself is performed by accredited testing laboratories, while certification can only be issued by the BSI (or the partner organisations of the other countries). The accreditation of the testing laboratories likewise follows a fixed procedure and must be renewed regularly.
Unlike the previous standards, the functionality classes are not arranged hierarchically. Instead, each class describes a particular basic function of the security architecture, which must be evaluated separately. Important functionality classes are:
Functionality classes are combined into Protection Profiles, which describe the typical functional scope of particular kinds of products (e.g. firewalls, smartcards, etc.).
The Common Criteria define seven levels of trustworthiness (Evaluation Assurance Level, EAL1 to EAL7), which describe the correctness of the implementation of the system under consideration, or equivalently the depth of testing:
| CC EAL | ITSEC E-level | ITSK Q-level | Meaning | TCSEC |
|---|---|---|---|---|
| EAL1 | E0-E1 | Q0-Q1 | functionally tested | DC1 |
| EAL2 | E1 | Q1 | structurally tested | C1 |
| EAL3 | E2 | Q2 | methodically tested and checked | C2 |
| EAL4 | E3 | Q3 | methodically designed, tested and reviewed | B1 |
| EAL5 | E4 | Q4 | semiformally designed and tested | B2 |
| EAL6 | E5 | Q5 | semiformally verified design and tested | B3 |
| EAL7 | E6 | Q6 | formally verified design and tested | A |
In addition to the Common Criteria, the committees and organisations involved developed a certification methodology intended to make certification results comprehensible and comparable. It is currently implemented for Parts 1 and 2 and is structured analogously to EAL 1-4.
Trusted Third Party, Public Key Infrastructure