Introduction to Common Criteria
There is a standard criteria to evaluate the security of information that is called Common Criteria (CC). CC is not a criteria that is specific to a specific country but is recognized internationally as an international standard. This set of international standards guide security experts in securing their commuting system against external threats. When we talk about the issue of information security, we mean primarily three factors i.e. the specifications of the security system, the implementation of security measures and its evaluation. According to Denning (1999), the CC is a comprehensive guide for security experts and if these expert want to develop productive information security systems, they should understand and implement it. When the guidelines of CC are met in letter and spirit, there is a good possibility that an ISO/IEC 15408 certificate will be issued. CC comes in three main parts for better understanding and systematic implementation (Cheng, Goto, Morimoto & Horie, 2008). Many organizations apply CC criteria to their security system. Smart Card Security User Group (SCSUG) is an example that acts upon all the parts of the CC criteria (Profile, 2001)
- Introduction and General Model (15408-1): All security experts need to refer to the general section to get a glance on the criteria in general. This section is helpful in providing a quick start on understanding the coming section as they come.
- Security Functional Requirements (15408-2): The security policy has to be in accordance with international standards. The security functional requirements explains the specifics of the different steps that have to be taken to make an information system safe and secure.
- Security Assurance Requirement (15408-3): These are the components of the information security system that help develop the standard template of CC. Security assurance and requirement section is necessary to understand because it helps in the evaluation of the criteria as a whole.
There are two major aspects of understanding a security system for an information system. First is the way the developers of a security system function. What methods and techniques they use. The second is the way this security system is evaluated by the information security system evaluators. Both of these experts work side by side under the umbrella set by the above three sections of the CC for better results and certification of their information security system. In this paper I would be discussing the three parts of the general model of the CC in detail. A clear understanding of the general model is necessary to understand the international standard as a whole. I would first introduce the general mode. Then I discuss the assets and the countermeasure involved and towards the end I will talk about the evaluation process related to information security.
General Model Introduction
The general model serves as an introduction to the other clauses of the overall ISO/IEC 15408 standard. This serves as a concise discussion about CC. The development of a security system has two main ingredients i.e. the development itself and the evaluation, as said earlier. The general model is used by security developer and evaluators to understand how they need to go forward toward applying all the important clauses of the CC. When they have read through it, they can go deep in to the criteria and go to the specifics of the application of security system development and evaluation mechanisms. CC is a comprehensive guide to security that has incorporated standards from other standards as well (Savola, 2008). Therefore, it is important to read the general model to understand the way the criteria would develop as you go to the further sections and specifics. By stressing the general model of the CC I do not want to minimize the importance of the other two parts of it i.e.15408-1, 15408-2 and 15408-3. In fact all of the parts have to be understood and applied for better results with the information security system.
The understanding, implementation and evaluation of CC is not a simple task. This is a really technical issue. Therefore, it is necessary that organization have proper experts assigned to the implementation of a security system that aims at fulfilling the standards set in CC. There might be a need to conduct training to get to understand CC.
Identification of the Hardware and Software Assets
In this section of the general model, the security experts identify the hardware and software assets of the organization that need to be brought in the security net for information security purposes. These assets are then secured according to the standards of CC. These assets could consist of a variety of hardware and software resources. For example the data that is going to travel through the network that is to be secured is an asset called data asset. In the same way the computer connected to the network server and the network server itself are hardware assets. The security plan developer look at how a computer network works. Like which computer send data where and what are the different privileges available to different computers on the network e.g. using printing and scanning hardware.
Security experts also identify the risks that are present to the security of the data assets. These risks might include the physical risks like environmental risks to the hardware and virus, malware and other soft risks to the software applications, data and hardware.
Storage system might be storing confidential data related to the customers of an organization. There are always risks that are directed towards such data. For example hackers would be really interested in hacking such database information and get the credit card information of different people which they could sell in return for financial gains. When the international Standards carved out under ISO/IEC 15408 are met, such risks can be minimized. An ISO/IEC 15408 certificate would be a good addition to let the customers know that their confidential information is in good hands.
ST/TOE is the evaluation that is discussed in the general model of ISO/IEC 15408. This evaluation is carried out in two steps. The first step or part of the evaluation is called the ST evaluation which deals with the operational environment for the information system and then is TOE which determines the extent to which TOE is implemented correctly.
The combination of the evaluations from ST and TOE is used to identify if the security criteria is met or there is still something that needs to be done in order for the evaluation process to be completed successfully. When the results may mention if the SARs are met or not.
In my opinion the ISO/IEC 15408 or the Common Criteria is a comprehensive standard that can guide all security experts better understand their security needs and implement strategies that would ensure the safety and security of their information systems. A lot of effort is invested in the development of these standards and much research has been carried out on assessing the security of these standards. They can prove vital to secure information systems if followed thoroughly.
Ethics and Data Protection
According to Whitman & Mattord (2011) there are two main aspects related to the protection of data. There are rules and regulations set by legal authorities that enforce data protection standards. If these standards are not met, there could be legal consequences. Then there are ethical standards. These standards act as a personal compass for an organization. The organization is not legally bound to apply these standards and there is no legal penalty for non-compliance. But this may be something that the customers are expecting and failing to do so may cause a decrease in customer’s trust which does have financial consequences. Ethics are tricky set of standards as when there is a choice, there is a high probability that the standards may not be met in contrast rules are enforced by legal authorities. The role of the security systems from an ethical perspective should be to protect the intellectual property. These ethics should stress on protecting the privacy and information confidentiality. Organization should train their security experts to be aware of the ethics of protecting the data on the system from any misuse or harm. The employees of an organization should also be informed that the data of the customers on the system is the property of the customers and should never be shared with third parties. For example a customer might share his/her telephone number with a business and the next day other business get “access” to the telephone number and start calling for marketing and other purposes. I believe that the application of the ISO/IEC 15408 standards can help in protecting from breach of ethics related to data protection.
Cheng, J., Goto, Y., Morimoto, S., & Horie, D. (2008, April). A security engineering environment based on ISO/IEC standards: providing standard, formal, and consistent supports for design, development, operation, and maintenance of secure information systems. In Information Security and Assurance, 2008. ISA 2008. International Conference on (pp. 350-354). IEEE.
Denning, D. E. R. (1999). Information warfare and security (Vol. 4). Reading: Addison-Wesley.
Profile, S. C. P. (2001). Common Criteria for Information Technology Security Evaluation.
Savola, R. (2008, July). A Novel Security Metrics Taxonomy for R&D Organisations. In ISSA (Vol. 8, pp. 379-390).
Whitman, M. and Mattord, H. (2011). Principles of Information Security, 4th Edition. Independence, KY: Cengage Learning.