Common Criteria Flashcards
What is Common Criteria?
Common Criteria is an international standard for computer security verification. The latest version (3.1) became available in January 2018 and was standardised as ISO 15408.
What can it be used for?
Common Criteria is a framework that you can use to independently verify security claims about a product.
Common Criteria developed from three previous standards
- TCSEC – Trusted Computer System Evaluation Criteria (1983-5)
- ITSEC – Information Technology Security Evaluation Criteria (1990)
- CTCPEC – Canadian Trusted Computer Product Evaluation Criteria (1993)
What does TCSEC state?
‘Secure systems will control access to information such that only properly authorized individuals, or processes operating on their behalf, will have access to read, write, create, or delete information.’
What are the six fundamental requirements for computer security?
- Security policy - Explicit, well-defined security policy enforced by the system.
- Marking - Access control labels must be associated with objects.
- Identification - Individual subjects must be identified.
- Accountability - Audit information must be selectively kept and protected.
- Assurance - System must contain hardware and software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces requirements 1 through 4.
- Continuous protection - Trusted mechanisms that enforce requirements must be continuously protected against tampering and/or unauthorized changes.
What are the six core concepts of Common Criteria?
- Target of Evaluation (TOE) – The system or product that is the subject of evaluation.
- Protection Profile (PP) – A document identifying the security requirements relevant to those users.
- Security Target (ST) – A document identifying the security properties of the TOE. Vendors produce an ST so customers may determine features in evaluation.
- Security Functional Requirements (SFRs) – The individual security functions provided by a product.
- Security Assurance Requirements (SARs) - A series of descriptions of the measures taken during the development and evaluation of the product to assure compliance with the claimed security functionality.
- Evaluation Assurance Level (EAL) – A numerical rating describing the depth and rigor of an evaluation.