Attention: the NIAPC web site may not include all approved products. The list of approved products is always changing; there is a backlog of approved products still to be added to this information portal, and there are delays in responding to queries and in the inclusion of new products. NATO is reviewing options to improve collaboration and provide more timely information sharing on approved security products.

Best Practice & Common Criteria

Common Criteria


Common Criteria (CC) represents the outcome of international efforts to align and develop the obsolescent European (ITSEC) and North American (U.S. TCSEC and Canadian CTCPEC) criteria towards a common standard for carrying out security evaluations.

By establishing a common base, the results of an IT security evaluation are more meaningful to a wider audience. CC has a catalogue of standard Security Functional Requirements which represent the current state-of-the-art for trusted products and systems. These can be used to develop a Protection Profile and as a means for developing a Security Target. They can also be supplemented or tailored to suit more specialist requirements.

CC evaluation is carried out against a set of pre-defined assurance levels, termed Evaluation Assurance Levels (EAL0 to EAL7). This scale represents ascending levels of confidence that can be placed in the TOE Security Functions and determines the rigour of the evaluation.

Common Criteria evaluation compared to other types of security evaluation and testing


Most other schemes are based on black box testing, concentrating on finding security errors through penetration testing. Common Criteria operates on the basis of white box testing, where the evaluation follows a more structured and formal approach. The evaluator acquires an in-depth knowledge of the construction of the product by examining the required security functions and tracing the security functionality down to lower levels of design or implementation.

In addition, depending on the assurance level, the evaluators will examine how guidance is given to administrators and users, how the product is developed, and how vulnerable the product is to attack. White box testing may take longer than black box testing, but more confidence can be placed in the final result.

Mutual Recognition

Mutual Recognition is a formal arrangement whereby other participating nations agree to recognise a security certification from a qualifying Certification Body. This helps vendors to cut their costs by having a single product or system evaluation which is recognisable by all participating nations.

Common Criteria Certifications up to and including EAL4 are mutually recognised by Australia, Austria, Canada, The Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, The Republic of Korea, The Netherlands, Norway, Singapore, Spain, Sweden, Turkey, The USA and the UK.

How can I tell whether a product or system fulfils my security requirements?

A CC certificate provides assurance that a product or system has met a Security Target based on security objectives, threats, functionality and the environment in which it is intended to operate. Also, the scheme's hierarchical levels of assurance allow you to match your requirements for confidence precisely against the vendor's claims.

Therefore, the first step is to decide on what level of assurance is required (e.g. EAL3) and then to read the Security Target and Certification Report to determine if a particular product or system matches your security requirements. If these are unavailable, you may require a security evaluation.

Protection Profile

A Protection Profile (PP) is a document used within security evaluations under Common Criteria. A PP is an implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs for IT security. Many PPs are currently being designed to cover most aspects of application security. Existing examples of PPs include the Canadian Firewall PP, Oracle’s Database Management System PP, and the UK Controlled Access PP and UK Labelled Security PP. Each PP contains a description of the intended environment, security objectives, security functions, and assurance requirements.

A PP itself is subjected to a Common Criteria evaluation, and only those which pass the evaluation are eligible for inclusion in a central registry. The registry is currently under construction and will be supported by a web site on the Internet. There are several advantages to using a PP: it provides guidance to developers on the state-of-the-art security requirements for a product type; it enables purchasers to select products and systems which are conformant to a particular requirement set; and it helps sponsors to construct Security Targets more easily.

Protection Profiles currently available

Several Protection Profiles have been developed and many more are currently in production by participating nations. A centralised registry with a supporting web site has been constructed to hold details of all evaluated and approved Protection Profiles.


Common Criteria Links

Common Criteria Documents

Build Version / NIAPC-30-OCT-2025 /