Using the Common Criteria for IT Security Evaluation: 1st Edition (Paperback) book cover

Using the Common Criteria for IT Security Evaluation

1st Edition

By Debra S. Herrmann

Auerbach Publications

304 pages | 23 B/W Illus.

Purchasing Options:$ = USD
Paperback: 9780849314049
pub: 2002-12-27
SAVE ~$29.00
$145.00
$116.00
x
eBook (VitalSource) : 9780429134098
pub: 2002-12-27
from $70.00


FREE Standard Shipping!

Description

Many organizations and government agencies require the use of Common Criteria certified products and systems and use the Common Criteria methodology in their acquisition process. In fact, in July 2002 the U.S. National Information Assurance Acquisition Policy (NSTISSP #11) mandated the use of CC evaluated IT security products in critical infrastructure systems. This standard provides a comprehensive methodology for specifying, implementing, and evaluating the security of IT products, systems, and networks. Because the Common Criteria (CC) for IT Security Evaluation is a relatively new international standard, little written material exists which explains this how-to knowledge, and it's not exactly easy to interpret.

Designed to be used by acquiring organizations, system integrators, manufacturers, and Common Criteria testing/certification labs, Using the Common Criteria for IT Security Evaluation explains how and why to use the Common Criteria during the acquisition, implementation or evaluation of an IT product, system, network, or services contract. The text describes the Common Criteria methodology; the major processes, steps, activities, concepts, terminology, and how the CC methodology is used throughout the life of a system. It illustrates how each category of user should employ the methodology as well as their different roles and responsibilities.

This text is an essential resource for all those involved in critical infrastructure systems, like those operated by the FAA, the Federal Reserve Bank, DoD, NATO, NASA, and the intelligence agencies. Organized to follow the Common Criteria lifecycle, Using the Common Criteria for IT Security Evaluation provides examples in each chapter to illustrate how the methodology can be applied in three different scenarios: a COTS product, a system or network, and a services contract. The discussion problems at the end of each chapter ensure the text's effectiveness in an educational setting and ensure that those government officials required to comply with Presidential Decision Directive 63 (PDD-63) will be able to do so with confidence.

Reviews

"Herrmann knows her stuff. The book lacks nothing in rigor and erudition. Multiple tables and flowcharts, which abound throughout the text, yield insights into the technical aspects of the Common Criteria. … [The book's] richness of detail offers a good reference for security system evaluation."

- Security Management, Nov. 2004

Table of Contents

Introduction

Background

Purpose

Scope

Intended Audience

Organization

What Are the Common Criteria?

History

Purpose and Intended Use

Major Components of the Methodology and How They Work

Relationship to Other Standards

CC User Community and Stakeholders

Future of the CC

Summary

Discussion Problems

Specifying Security Requirements: The Protection Profile

Purpose

Structure

Introduction

TOE Description

TOE Security Environment

Security Objectives

Security Requirements

PP Application Notes

Rationale

Summary

Discussion Problems

Designing a Security Architecture: The Security Target

Purpose

Structure

Introduction

TOE Description

Security Environment

Security Objectives

Security Requirements

TOE Summary Specification

PP Claims

Rationale

Summary

Discussion Problems

Verifying a Security Solution: Security Assurance Activities

Purpose

ISO/IEC 15408-3

Common Evaluation Methodology (CEM)

National Evaluation Schemes

Interpretation of Results

Relation to Security Certification and Accreditation (C&A) Activities

Summary

Discussion Problems

Postscript

ASE-Security Target Evaluation

AVA - Vulnerability Analysis and Penetration Testing

Services Contracts

Schedules for New CC Standards (ISO/IEC and CCIMB)

Annex A : Glossary of Acronyms and Terms

Annex B: Additional Resources

Standards, Regulations, and Policy (Historical and Current)

Publications

Online Resources

Annex C: Common Criteria Recognition Agreement (CCRA) Participants

Australia and New Zealand

Defence Signals Directorate

Canada

Finland

France

Germany

Greece

Israel

Italy

The Netherlands

Norway

Spain

Sweden

United Kingdom

United States

Annex D: Accredited Common Criteria Evaluation Labs

Australia and New Zealand

Canada

France

Germany

United Kingdom

United StatesAnnex E: Accredited Cryptographic Module Testing Laboratories

Canada

United States

Annex F: Glossary of Classes and Families

Subject Categories

BISAC Subject Codes/Headings:
COM051230
COMPUTERS / Software Development & Engineering / General
COM053000
COMPUTERS / Security / General