ISO/IEC 15408 - Common Criteria
Common Criteria for Information Technology Security Evaluation, usually called the Common Criteria (CC), is an international standard for computer and information security that explicitly specifies the security needs of computer users. The standard governs several aspects of computer security, including the processes of information security specification, implementation and evaluation. The criteria act as a guide for information security experts, who should consult them whenever they have to make a decision about setting up an IT security system (Denning, 1999), whether for its hardware or its software components. Following the guidelines is necessary not only for information security itself but also for eligibility to obtain the ISO/IEC 15408 certificate (Horie, Yajima, Azimah, Goto, & Cheng, 2009). The Common Criteria is divided into three main parts (“ISO/IEC Standard 15408 — ENISA”).
Part 1: Introduction and general model (15408-1): This part gives a general overview of the standard. A user can start here to understand, and then implement, the overall criteria for information security.
Part 2: Security functional requirements (15408-2): This part describes the specific functional components that together form the template of a security policy compliant with the international standard.
Part 3: Security assurance requirements (15408-3): This part proposes the assurance components that contribute to the standard template. It also serves as a guide to the evaluation criteria.
Developers and evaluators of information security systems alike use the three parts to guide them towards meeting international standards in their respective areas of information security.
The scope of this assignment is limited to a discussion of the first part of the standard. I will point out the main ingredients of the general model and explain their importance in the information security world. Towards the end of this paper, I will briefly discuss the role of ethics in data protection, and I will close with a concluding paragraph.
The introductory part of ISO/IEC 15408 briefly introduces the further clauses of the standard. It defines the general concepts and principles of IT security evaluation and presents a general model of evaluation. This part helps security experts understand the overall context of the different standards that constitute the Common Criteria; without reading it in detail, it is not possible to understand how to apply the other clauses of the Common Criteria effectively. Having said that, consulting only this part is not enough to form a security policy and then expect to obtain the ISO certificate. All three parts of the Common Criteria, i.e. 15408-1, 15408-2 and 15408-3, work in connection with each other, and applying all of them is necessary to form a comprehensive information security policy for an IT infrastructure. Organizations that use these criteria to meet their security standards apply all three parts simultaneously; the Smart Card Security User Group (SCSUG) is one example that applies the standard to the letter and in spirit (Profile, 2001). To make use of this part, the personnel concerned must have at least basic knowledge of IT; otherwise there is no assurance that the remaining parts of the criteria will make much sense to them. Therefore, an organization deciding to implement the Common Criteria must allocate human resources with IT knowledge and experience.
This is an important part of the general model. It is concerned with identifying the hardware and software assets whose security is to be made compliant with the Common Criteria. These assets may include the actual data on the organization's servers, the authentication process of a credit card or of a voter, and the privilege to use hardware such as printers and scanners. In short, applying this section ensures that all assets are secured to the international standard against external and internal threats and attacks. The risks encountered by organizational assets may be physical or logical. Many risk models that assess the security status of organizational assets adopt the Common Criteria in order to pass ISO/IEC 15408 evaluation (Peciña, Bilbao & Bilbao, 2011). In fact, these criteria have become the bible of information security in modern cloud-based data management services, where information security is one of the most challenging issues (Xu, Wang, Zhang, Goto & Cheng, 2013).
Information takes the form of digital assets that may reside on a storage device or be travelling across a LAN or a WAN. The owners of this information are conscious of the threats posed to it. Especially, as I discussed earlier, in cloud computing, where an internet connection is always involved in retrieving information from cloud sources, there is always a high information security risk. I think that any system that complies with ISO/IEC 15408 and fully adopts the Common Criteria can minimize the risk of its data being misused by hackers and attackers, as these criteria are a comprehensive scheme for the protection of information on any system or network.
ISO/IEC 15408 adopts two types of evaluation. The first type, ST/TOE evaluation, is covered in Part 1: Introduction and general model (15408-1). The second type, PP evaluation, is covered in Part 3: Security assurance requirements (15408-3), which is beyond the scope of this paper. In the following discussion I will shed some light on the ST/TOE evaluation type.
The ST/TOE evaluation takes place in two steps. The first is the ST evaluation, which deals with determining the operational environment; the second is the TOE evaluation, which determines the correctness of the TOE. The TOE evaluation does not make any assessment of the operational environment.
Organizations incorporate ST evaluation in order to comply with the security target evaluation criteria, and different methodologies are used to reach compliance with the security target with the help of ST evaluation.
The TOE evaluation uses the evaluation evidence from the ST and from the TOE itself to produce its result. This result is either a statement that not all of the SARs are met, or a statement that all of the SARs are met.
In the field of information security there are different standards that must be followed in order to comply with international standards such as ISO/IEC 15408. These standards fall into two broad categories (Whitman & Mattord, 2011). The first is laws, the rules mandated by the legal authorities of a country. The second is ethics, which are not mandated but are self-imposed in order to reach high standards of information security.
In my opinion, ethics are more challenging than laws. I say so because laws are mandated by force, and not complying with them could lead to legal penalties. On the other hand, ethics have to be self-regulated; there is no legal penalty. They are more of a choice than a compulsion. But when it comes to complying with ISO/IEC 15408, the application of ethical guidelines could prove vital.
The most successful organizations have designed their own codes of ethics that govern the behavior of their human resources and information assets. For example, the Association for Computing Machinery (ACM) has adopted a code of ethics that states the importance of information confidentiality, causing no harm, and protecting the privacy and intellectual property of others (Whitman & Mattord, 2011). These ethics could have both positive and negative impacts. I think that organizations should provide internal training to inform employees about the importance of adopting these ethics and how they can help them in their professional life. This could help turn employees' negative behavior regarding information security ethics into positive behavior.
I would like to conclude my discussion by stressing the importance of following the Common Criteria in order to be in line with the ISO/IEC 15408 standard. Complying with this standard not only earns the desired certification but also improves the organization's security status. Ethics should always be kept in mind whenever an information security policy is devised, and no part of the policy should lead to compromising on ethics. This way, high standards can be achieved while keeping the privacy and security of others intact.