Common Criteria
CC (Common Criteria) is an ISO standard (ISO15408) and is widely recognised. For further details of the CC Scheme and associated evaluation methodology, together with the supporting Assurance Continuity process, see the web-site http://www.commoncriteriaportal.org/.
UK Information Technology Security Evaluation and Certification Scheme
Under the UK Information Technology Security Evaluation and Certification Scheme, managed by CESG, the security features of IT systems and products are tested independently of suppliers to identify logical vulnerabilities. This type of testing is known as security evaluation and it is carried out by Commercial Evaluation Facilities (CLEFs) against standardised criteria to a formalised methodology. The criteria lay down a number of degrees of rigour known as Assurance Levels. Certificates are issued by the Scheme Certification Body for products meeting the requirements for a claimed level of assurance. United Kingdom certificates are recognised in many countries of the world.
Key features of the certification process are:
- Primary emphasis on the technical aspects of the product being certified
- Timely Certification Body contributions, giving clear approvals at defined checkpoints in the evaluation cycle
- Focussed assessment of evaluation scope ahead of Security Target review, offering the customer a better risk management service
- Certification Report drafted by the CLEF, promoting faster confirmation of certification on completion of its evaluation work
- Overall customer costs are expected to be no greater than those associated with the previous certification process
- Demonstration of CC and ITSEC assurance levels (and PP conformance)
- Mutually recognised certification
Further details of the contributions required from both the customer and the CLEF are given in relevant publications, including UKSP01, UKSP03 and UKSP02 Part II, to be found under Formal Documentation.
Mutual Recognition
The CCRA (Common Criteria Recognition Arrangement (pdf)) provides for recognition of CC Certificates up to EAL4 issued by Australia and New Zealand, Canada, France, Germany, The Netherlands, UK and USA by each of these countries. New countries are added to the list as the CC community expands, and an up-to-date list can be found at the CC Web-site at http://www.commoncriteriaportal.org/.
Within Europe, recognition of CC certificates up to EAL7 (for IT products related to certain technical domains only) has additionally been agreed under the SOGIS arrangement (pdf) by Finland, France, Germany, the Netherlands, Norway, Spain, Sweden and the UK.
Mutual recognition of ITSEC (Information Technology Security Evaluation Criteria) certificates has also been agreed under the SOGIS arrangement (pdf).
As the ITSEC assurance approach is obsolescent, any continued use of ITSEC should be discussed with the Certification Body via CESG Enquiries.