The Common Criteria (CC) is meant to be used as the basis for evaluation of security properties of IT products and systems. By establishing such a common criteria base, the results of an IT security evaluation will be meaningful to a wider audience.
The CC will permit comparability between the results of independent security evaluations. It does so by providing a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation. The evaluation process establishes a level of confidence that the security functions of such products and systems and the assurance measures applied to them meet these requirements. The evaluation results may help consumers to determine whether the IT product or system is secure enough for their intended application and whether the security risks implicit in its use are tolerable.
The CC is useful as a guide for the development of products or systems with IT security functions and for the procurement of commercial products and systems with such functions. During evaluation, such an IT product or system is known as a Target of Evaluation (TOE). Such TOEs include, for example, operating systems, computer networks, distributed systems, and applications.
The CC addresses protection of information from unauthorized disclosure, modification, or loss of use. The categories of protection relating to these three types of failure of security are commonly called confidentiality, integrity, and availability, respectively. The CC may also be applicable to aspects of IT security outside of these three. The CC concentrates on threats to that information arising from human activities, whether malicious or otherwise, but may be applicable to some non-human threats as well. In addition, the CC may be applied in other areas of IT, but makes no claim of competence outside the strict domain of IT security.
The CC is applicable to IT security measures implemented in hardware, firmware or software. Where particular aspects of evaluation are intended only to apply to certain methods of implementation, this will be indicated within the relevant criteria statements.
Answer the following questions.
What is the reason for creating this standard?
What is the sphere of application of CC?
What is meant by TOE?
Which parties use the standard? How?
What are the main types of security failure?
What are the categories of protection related to them?
Mark the following statements true or false. Correct the false statements.
1. Common Criteria is created as a common set of requirements for developing IT products and systems.
2. Consumers of IT products and systems can use this standard while assessing the security of their purchase.
3. During evaluation, an IT product or system is known as a Security Target of Evaluation.
4. Integrity is the category of information protection relating to the failure of security called unauthorized disclosure.
5. The CC applies to IT security measures implemented in software.
6. The CC concentrates on malicious human threats.
7. This standard is possible to use in any IT sphere.
Form the word combinations and give their definitions.
Security, protection, evaluation.
Complete the sentences using the words given below.
Require, judgments, inspection, certification, a set.
1. The certification process is the independent ________ of the results of the evaluation leading to the production of the final certificate or approval.
2. The CC is presented as __________ of distinct but related parts.
3. The evaluation scheme, methodology and __________ processes are the responsibility of the evaluation authorities that run the evaluation scheme.
4. Many of the evaluation criteria _________ the application of expert judgments and background knowledge for which consistency is more difficult to achieve.
5. The CC contains criteria to be used by evaluators when forming __________ about the conformance of TOEs to the security requirements.