Using the Common Criteria for IT Security Evaluation
Many organizations and government agencies require the use of Common Criteria certified products and systems and use the Common Criteria methodology in their acquisition process. In fact, in July 2002 the U.S. National Information Assurance Acquisition Policy (NSTISSP #11) mandated the use of CC evaluated IT security products in critical infrastructure systems. This standard provides a comprehensive methodology for specifying, implementing, and evaluating the security of IT products, systems, and networks. Because the Common Criteria (CC) for IT Security Evaluation is a relatively new international standard, little written material exists that explains how to use it, and the standard itself is not exactly easy to interpret.
Designed to be used by acquiring organizations, system integrators, manufacturers, and Common Criteria testing/certification labs, Using the Common Criteria for IT Security Evaluation explains how and why to use the Common Criteria during the acquisition, implementation, or evaluation of an IT product, system, network, or services contract. The text describes the Common Criteria methodology: the major processes, steps, activities, concepts, and terminology, and how the CC methodology is used throughout the life of a system. It illustrates how each category of user should employ the methodology, as well as their different roles and responsibilities.
This text is an essential resource for all those involved in critical infrastructure systems, like those operated by the FAA, the Federal Reserve Bank, DoD, NATO, NASA, and the intelligence agencies. Organized to follow the Common Criteria lifecycle, Using the Common Criteria for IT Security Evaluation provides examples in each chapter to illustrate how the methodology can be applied in three different scenarios: a COTS product, a system or network, and a services contract. The discussion problems at the end of each chapter ensure the text's effectiveness in an educational setting and ensure that those government officials required to comply with Presidential Decision Directive 63 (PDD-63) will be able to do so with confidence.
The Protection Profile
The Security Target
Security Assurance Activities
Chapter 6 Postscript
Glossary of Acronyms and Terms