The most relevant are evaluation, certification, and accreditation methods that establish whether IT products or systems meet defined security standards. Most of these are based on a recognized framework known as the Common Criteria (CC), an extensive set of specifications and directives that define how security evaluations of IT products should be conducted.
This article explores what the Common Criteria is, why it matters, and how it works, using examples and scenarios to make it easier to understand.
Understanding Common Criteria
The Common Criteria for Information Technology Security Evaluation, more commonly referred to as Common Criteria (CC), is an international standard, ISO/IEC 15408, that describes the framework through which the security properties of IT products are evaluated. Adopted in 1994 by the governments of the U.S., Canada, Germany, France, the UK, and the Netherlands, the Common Criteria was intended to unify the various national security evaluation standards then in use, such as the Trusted Computer System Evaluation Criteria (TCSEC), known as the “Orange Book,” in the U.S. and the Information Technology Security Evaluation Criteria (ITSEC) in Europe. This harmonization allows mutual recognition of security evaluations among member countries, facilitates international trade, and helps improve security assurance worldwide.
Basic Concepts of Common Criteria
To have a better insight into how Common Criteria works, one needs to understand a few key concepts:
- Target of Evaluation (TOE): The product or system being evaluated for security compliance. For instance, a firewall or an operating system can be a TOE.
- Protection Profile (PP): A document that specifies a baseline set of security requirements for a family of products. A PP for firewalls, for instance, would spell out required filtering capabilities, logging features, and so on.
- Security Target (ST): A document that states the precise security requirements of a specific TOE. It lays out the TOE's security functionality (what it can do) and the risks it addresses.
- Security Functional Requirements (SFRs): Clearly defined security functions that the product should offer, such as user authentication or data encryption.
- Evaluation Assurance Levels (EAL): A scale from 1 to 7 indicating the depth and rigor of the evaluation performed. EAL1 is the lowest assurance level, and EAL7 is the highest.
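The relationship between these concepts can be exercised with a small conformance check of the kind a vendor runs on a draft Security Target before handing it to a laboratory. The following is an added example, not code from the article: it models a PP as the set of SFRs a product family must provide plus a minimum EAL, an ST as the SFRs a specific TOE claims plus the EAL it seeks, and reports required SFRs the ST omits, SFR dependencies the ST leaves unsatisfied, and an EAL claim that is out of range or below the PP minimum. The firewall PP and ST contents are constructed for illustration, and the dependency table is a small excerpt of the dependencies listed in CC Part 2 (ISO/IEC 15408-2); a real check would load the full table from the version of the standard being claimed.

```python
"""Check a draft Security Target (ST) against a Protection Profile (PP).

Added example, not part of the article. PP/ST contents below are constructed;
the dependency table is a small excerpt from CC Part 2 (ISO/IEC 15408-2).
"""
from dataclasses import dataclass, field

# SFR -> alternatives; each alternative is a tuple of SFRs that together satisfy
# the dependency, and any one alternative suffices. Excerpt only.
SFR_DEPENDENCIES = {
    "FAU_GEN.1": [("FPT_STM.1",)],                       # audit needs reliable time stamps
    "FIA_UAU.1": [("FIA_UID.1",)],                       # authentication needs identification
    "FMT_SMR.1": [("FIA_UID.1",)],                       # roles need identification
    "FCS_COP.1": [("FCS_CKM.1", "FCS_CKM.4"),            # crypto op needs key gen/import
                  ("FDP_ITC.1", "FCS_CKM.4"),            # ... plus key destruction
                  ("FDP_ITC.2", "FCS_CKM.4")],
    "FCS_CKM.1": [("FCS_CKM.2", "FCS_CKM.4"),            # key gen needs distribution or use
                  ("FCS_COP.1", "FCS_CKM.4")],           # ... plus key destruction
    "FDP_ACC.1": [("FDP_ACF.1",)],
    "FDP_ACF.1": [("FDP_ACC.1", "FMT_MSA.3")],
}


@dataclass(frozen=True)
class ProtectionProfile:
    name: str
    required_sfrs: frozenset
    minimum_eal: int


@dataclass(frozen=True)
class SecurityTarget:
    toe_name: str
    claimed_sfrs: frozenset
    claimed_eal: int


@dataclass
class Report:
    missing_sfrs: list = field(default_factory=list)
    unsatisfied_dependencies: dict = field(default_factory=dict)
    eal_findings: list = field(default_factory=list)

    @property
    def conformant(self) -> bool:
        return not (self.missing_sfrs or self.unsatisfied_dependencies or self.eal_findings)


def missing_sfrs(pp: ProtectionProfile, st: SecurityTarget) -> list:
    """SFRs the PP requires that the ST does not claim."""
    return sorted(pp.required_sfrs - st.claimed_sfrs)


def unsatisfied_dependencies(claimed: frozenset) -> dict:
    """Claimed SFRs whose Part 2 dependencies are not met by other claimed SFRs."""
    unsatisfied = {}
    for sfr in sorted(claimed):
        alternatives = SFR_DEPENDENCIES.get(sfr, [])
        if alternatives and not any(set(alt) <= claimed for alt in alternatives):
            unsatisfied[sfr] = [" + ".join(alt) for alt in alternatives]
    return unsatisfied


def check_eal(claimed_eal: int, minimum_eal: int) -> list:
    """EAL must be in 1..7 and at least the PP minimum."""
    if not 1 <= claimed_eal <= 7:
        return [f"EAL{claimed_eal} is not a valid level (EAL1 to EAL7)"]
    if claimed_eal < minimum_eal:
        return [f"EAL{claimed_eal} is below the PP minimum of EAL{minimum_eal}"]
    return []


def check_st(pp: ProtectionProfile, st: SecurityTarget) -> Report:
    return Report(missing_sfrs(pp, st),
                  unsatisfied_dependencies(st.claimed_sfrs),
                  check_eal(st.claimed_eal, pp.minimum_eal))


# Constructed sample: a firewall PP and a first-draft ST for a hypothetical TOE.
FIREWALL_PP = ProtectionProfile(
    "Example Firewall PP (constructed)",
    frozenset({"FAU_GEN.1", "FPT_STM.1", "FIA_UID.1", "FIA_UAU.1", "FMT_SMR.1", "FCS_COP.1"}),
    minimum_eal=2)
DRAFT_ST = SecurityTarget(
    "ExampleFW v1 (hypothetical)",
    frozenset({"FAU_GEN.1", "FIA_UID.1", "FIA_UAU.1", "FMT_SMR.1", "FCS_COP.1"}),
    claimed_eal=4)

if __name__ == "__main__":
    report = check_st(FIREWALL_PP, DRAFT_ST)
    print("Missing PP requirements:", report.missing_sfrs)
    print("Unsatisfied dependencies:", report.unsatisfied_dependencies)
    print("EAL findings:", report.eal_findings)
    print("Conformant:", report.conformant)
```

On the constructed draft, the check flags FPT_STM.1 as a PP requirement the ST omits, which also leaves FAU_GEN.1's dependency unsatisfied, and flags FCS_COP.1 because the ST claims a cryptographic operation without any key management SFRs; these are exactly the gaps an evaluator would raise against the ST during the evaluation, so catching them before engaging the laboratory saves a round trip.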
The Evaluation Process
The process leading to Common Criteria certification includes the following:
- Preparation: The vendor produces a Security Target, which describes the security attributes of the product along with the associated risks. This document forms the basis of the evaluation.
- Selecting a Testing Laboratory: The vendor selects an accredited laboratory to perform the evaluation. These laboratories are independent and are accredited specifically to evaluate products against the Common Criteria.
- Evaluation: The laboratory assesses the TOE, exercising its security features under controlled conditions. The evaluation includes reviewing documentation, conducting tests, and verifying compliance with the specified SFRs.
- Reporting: Based on the results of the evaluation, the laboratory prepares an Evaluation Technical Report (ETR) that explains the findings in detail. Provided the product meets the required standards, the laboratory issues a certification report.
- Certification: This is done by a certification body, which verifies the ETR and confirms that the product meets all the requirements of the Common Criteria.
Real-World Application: A Financial Institution
Imagine a financial institution that wants to strengthen its cybersecurity posture by deploying a new online banking platform securely. To assure its customers of the platform's security, the bank decides to seek Common Criteria certification.
- Preparation: The bank's IT team prepares a Security Target describing the platform's security features, such as its encryption protocols and user authentication mechanisms.
- Selection of a Testing Laboratory: The bank engages an accredited laboratory that specializes in evaluating financial software.
- Evaluation: The lab performs an in-depth study of the platform's security features against the defined SFRs. It tests a range of attack scenarios to confirm that the platform can resist them.
- Reporting: The lab produces an ETR based on the evaluation results, outlining the platform's strengths as well as its weaknesses.
- Certification: Following a successful evaluation, the certification body grants the online banking platform Common Criteria certification. The bank can then market its platform as a certified secure solution.
This brings not only prestige to the bank but also gives customers confidence that their financial data is handled by a system whose security has been rigorously evaluated.
Benefits of Common Criteria Certification
- Increased Trust: Businesses can assure customers and stakeholders that their products have undergone independent third-party security testing.
- Market Access: Common Criteria certification opens doors to international markets, because many government agencies and enterprises make CC certification a procurement requirement.
- Risk Mitigation: Conforming to the standard reduces the likelihood of data breaches and enhances the overall security posture.
- Regulatory Compliance: Many industries have regulatory requirements concerning security, and Common Criteria certification helps an organization demonstrate compliance with them.
Challenges and Considerations
While Common Criteria certification has many advantages, it also comes with challenges:
- Cost: Evaluation can be expensive, often running well over hundreds of thousands of dollars. The expected return has to be weighed against this investment.
- Time-Consuming: Preparation and evaluation may take many months, during which the product can become outdated.
- Complexity: The certification process requires considerable expertise and heavy documentation, which is often daunting for smaller organizations.
Conclusion
The Common Criteria framework forms a critical part of the cybersecurity landscape because it provides a structured approach to evaluating and certifying IT products and systems. Understanding the principles and processes underlying Common Criteria certification goes a long way toward helping an organization improve its security posture, increase customer trust, and reach markets abroad. As cybersecurity threats continue to evolve, adherence to established evaluation methods such as the Common Criteria will remain essential to ensuring the integrity and security of IT systems.