Common Criteria (CC) is an international standard (ISO/IEC 15408) for information system security. The full name of the standard is Common Criteria for Information Technology Security Evaluation. In French, the expression "critères communs" is commonly used.

Description

The Common Criteria are available:

  • in English: in version 3.1 of September 2006 (as well as versions 2.1, 2.2 and 2.3)
  • in French: in version 2.1 of August 1999

Access to the documentation on the DCSSI site: Criteria and evaluation methodology

See the summary on the DCSSI site: References

Part 1: Introduction and general model

See details on the DCSSI site: Introduction and general model (version 2.1, in French, 76 pages)

Part 2: Security functional requirements

See details on the DCSSI site: Security functional requirements (version 2.1, in French, 394 pages)

There are 11 classes:

  1. Security audit (FAU)
  2. Communication (FCO)
  3. Cryptographic support (FCS)
  4. User data protection (FDP)
  5. Identification and authentication (FIA)
  6. Security management (FMT)
  7. Privacy (FPR)
  8. Protection of the security functions of the target of evaluation (FPT)
  9. Resource utilisation (FRU)
  10. Access to the target of evaluation (FTA)
  11. Trusted path and channels (FTP)

Part 3: Security assurance requirements

See details on the DCSSI site: Security assurance requirements (version 2.1, in French, 236 pages)

There are 10 classes (in version 2.1):

  1. Protection Profile evaluation (class APE)
  2. Security Target evaluation (class ASE)
  3. Configuration management (class ACM)
  4. Delivery and operation (class ADO)
  5. Development (class ADV)
  6. Guidance documents (class AGD)
  7. Life cycle support (class ALC)
  8. Tests (class ATE)
  9. Vulnerability assessment (class AVA)
  10. Maintenance of assurance (class AMA)

Note that version 3.1 reorganised these classes: configuration management (ACM) and delivery and operation (ADO) were merged into life cycle support (ALC), maintenance of assurance (AMA) was dropped, and a composition class (ACO) was added. Security Targets written against 3.1 therefore cite a different set of assurance classes than those written against 2.1.
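Both lists above use the three-letter class mnemonics that appear in every Security Target and Protection Profile, where individual requirements are written as CLASS_FAMILY.component (for example FAU_GEN.1) and their elements as CLASS_FAMILY.component.element (FAU_GEN.1.1). The following parser is an added example, not part of this page or of the standard's own tooling: it validates such identifiers, classifies them as functional (SFR, Part 2) or assurance (SAR, Part 3) using the class tables listed above for version 2.1, and groups the requirement list of a Security Target by class. The optional iteration suffixes "(n)" and "/Label" are conventions seen in Security Targets rather than part of the identifier grammar, and the sample requirement list is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Class mnemonics and names as listed on this page (CC Part 2 and Part 3, version 2.1).
FUNCTIONAL_CLASSES = {
    "FAU": "Security audit",
    "FCO": "Communication",
    "FCS": "Cryptographic support",
    "FDP": "User data protection",
    "FIA": "Identification and authentication",
    "FMT": "Security management",
    "FPR": "Privacy",
    "FPT": "Protection of the TSF",
    "FRU": "Resource utilisation",
    "FTA": "TOE access",
    "FTP": "Trusted path/channels",
}
ASSURANCE_CLASSES = {
    "APE": "Protection Profile evaluation",
    "ASE": "Security Target evaluation",
    "ACM": "Configuration management",
    "ADO": "Delivery and operation",
    "ADV": "Development",
    "AGD": "Guidance documents",
    "ALC": "Life cycle support",
    "ATE": "Tests",
    "AVA": "Vulnerability assessment",
    "AMA": "Maintenance of assurance",
}

# CLASS_FAMILY.component[.element][iteration]
# The iteration forms "(n)" and "/Label" are Security Target conventions (assumption),
# not part of the Part 2 / Part 3 identifier grammar.
_ID_RE = re.compile(
    r"^(?P<cls>[FA][A-Z]{2})_(?P<fam>[A-Z]{3})\.(?P<comp>[1-9][0-9]*)"
    r"(?:\.(?P<elem>[1-9][0-9]*))?"
    r"(?:\((?P<iter_n>[1-9][0-9]*)\)|/(?P<iter_l>[A-Za-z0-9]+))?$"
)


@dataclass(frozen=True)
class CCRequirement:
    kind: str                 # "SFR" (Part 2) or "SAR" (Part 3)
    cls: str                  # e.g. "FAU"
    cls_name: str             # e.g. "Security audit"
    family: str               # e.g. "GEN"
    component: int            # e.g. 1 for FAU_GEN.1
    element: Optional[int]    # e.g. 1 for FAU_GEN.1.1, None at component level
    iteration: Optional[str]  # "2" for "(2)", "Hash" for "/Hash", else None

    @property
    def component_id(self) -> str:
        return f"{self.cls}_{self.family}.{self.component}"


def parse_requirement(ident: str) -> CCRequirement:
    """Parse one CC requirement identifier; raise ValueError if it is malformed or
    names a class that is not in the version 2.1 tables above."""
    m = _ID_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a CC requirement identifier: {ident!r}")
    cls = m.group("cls")
    if cls in FUNCTIONAL_CLASSES:
        kind, name = "SFR", FUNCTIONAL_CLASSES[cls]
    elif cls in ASSURANCE_CLASSES:
        kind, name = "SAR", ASSURANCE_CLASSES[cls]
    else:
        raise ValueError(f"unknown class {cls!r} in {ident!r}")
    elem = m.group("elem")
    iteration = m.group("iter_n") or m.group("iter_l")
    return CCRequirement(kind, cls, name, m.group("fam"), int(m.group("comp")),
                         int(elem) if elem else None, iteration)


def summarize(identifiers: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group a Security Target's requirement list by class.
    Returns ({class: sorted component ids}, [identifiers that failed to parse])."""
    by_class: Dict[str, set] = {}
    rejected: List[str] = []
    for ident in identifiers:
        try:
            req = parse_requirement(ident)
        except ValueError:
            rejected.append(ident)
            continue
        by_class.setdefault(req.cls, set()).add(req.component_id)
    return {k: sorted(v) for k, v in sorted(by_class.items())}, rejected


# Constructed sample: a fragment of the kind of SFR/SAR list found in a Security Target.
SAMPLE_ST_REQUIREMENTS = [
    "FAU_GEN.1", "FAU_GEN.1.1", "FAU_GEN.1.2",
    "FCS_COP.1/Hash", "FCS_COP.1/Sign", "FIA_UAU.2", "FIA_UID.2",
    "ADV_FSP.1", "ATE_IND.2", "AVA_VLA.2",
    "FOO_BAR.1",      # unknown class: rejected
    "FAU_GEN",        # missing component number: rejected
]

if __name__ == "__main__":
    grouped, bad = summarize(SAMPLE_ST_REQUIREMENTS)
    for cls, comps in grouped.items():
        req = parse_requirement(comps[0])
        print(f"{cls} ({req.kind}, {req.cls_name}): {', '.join(comps)}")
    print("rejected:", bad)
```

Running the script prints one line per class with its components, followed by the two rejected entries; the same functions can be pointed at the requirement list extracted from a real Security Target to spot typos in identifiers before submission to an evaluation facility.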

Evaluation methodology

See details on the DCSSI site: Common Methodology for Information Technology Security Evaluation (CEM) (version 3.1, in English)

Key concepts

  • TOE (Target of Evaluation): the product or system to be certified
  • SFR (Security Functional Requirement): a functional security requirement, drawn from Part 2
  • PP (Protection Profile): an implementation-independent set of security requirements for a category of products
  • ST (Security Target): the security target, i.e. the document describing the security requirements and functions of a specific TOE

Systems concerned

Operating systems

Devices dedicated to communication:

  • network management,
  • routers, network switches, hubs,
  • virtual private networks (VPN).

Systems dedicated to computer security

Evaluation levels

See also: Evaluation Assurance Level

Certification offers 7 evaluation assurance levels (EAL):

  • EAL1: functionally tested
  • EAL2: structurally tested
  • EAL3: methodically tested and checked
  • EAL4: methodically designed, tested and reviewed
  • EAL5: semiformally designed and tested
  • EAL6: semiformally verified design and tested
  • EAL7: formally verified design and tested

Implementation

In France

The DCSSI runs the French certification scheme. This body, attached to the Prime Minister, is responsible for certifying products evaluated by the CESTIs (the accredited evaluation facilities). Since 2009 this role has been held by its successor, ANSSI.

In Europe

In Europe, the Information Technology Security Evaluation Criteria (ITSEC) is a standard for information system security, concerned in particular with the security policy of information systems.

ITSEC is the product of joint work by several European countries, published in 1991. The Common Criteria were subsequently developed to harmonise ITSEC with the American TCSEC and the Canadian CTCPEC.

See: Information Technology Security Evaluation Criteria (ITSEC)

In the United States

In the United States, the evaluation criteria are defined by the National Security Agency (NSA), an agency of the Department of Defense, for computer hardware and software.

  • Organisation of the NSA in charge of evaluation: NIAP (National Information Assurance Partnership), which runs the Common Criteria Evaluation and Validation Scheme (CCEVS)

  • Trusted Computer System Evaluation Criteria (TCSEC)

The MITRE Corporation supports the Department of Defense on these questions.

See: http://www.mitre.org/news/the_edge/february_01/highlights.html

See also

External links

  • Common Criteria certification

  • Guide to the Common Criteria
  • Common Criteria portal
  • http://www.infosyssec.org/infosyssec/security/secpol1.htm
