What is computer security evaluation?
Computer security evaluation is the detailed examination and testing
of the security features of an IT system or product to ensure that
they work correctly and effectively and do not show any logical vulnerabilities.
The Security Target defines the scope of the evaluation. It also states
the claimed assurance level, which determines how rigorous the evaluation
must be.
Criteria
Criteria are the "standards" against which security evaluation
is carried out. They define several degrees of rigour for the testing
and the level of assurance that each confers. They also define the
formal requirements a product (or system) must satisfy to meet each
assurance level.
TCSEC
The US Department of Defense published the first criteria in 1983
as the Trusted Computer System Evaluation Criteria (TCSEC), more
popularly known as the "Orange Book". The current issue
is dated 1985. The US Federal Criteria were drafted in the early 1990s
as a possible replacement but were never formally adopted.
ITSEC
During the 1980s, the United Kingdom, Germany, France and the Netherlands
produced versions of their own national criteria. These were harmonised
and published as the Information Technology Security Evaluation Criteria
(ITSEC). The current issue, Version 1.2, was published by the European
Commission in June 1991. In September 1993, it was followed by the
IT Security Evaluation Manual (ITSEM) which specifies the methodology
to be followed when carrying out ITSEC evaluations.
Common Criteria
The Common Criteria represents the outcome of international efforts
to align and develop the existing European and North American criteria.
The Common Criteria project harmonises ITSEC, CTCPEC (Canadian Criteria)
and US Federal Criteria (FC) into the Common Criteria for Information
Technology Security Evaluation (CC) for use in evaluating products
and systems and for stating security requirements in a standardised
way. It is increasingly replacing national and regional criteria with
a single worldwide set, adopted by the International Organization for
Standardization as ISO/IEC 15408.