When we buy a home or look for a rented apartment, we give our specifications to the real estate manager or house broker, or read the apartment specifications carefully in the advertisement. Our specifications would certainly include physical security and the availability of water and power. Sometimes we may also ask about negative events that affect the place, such as flooding or proneness to earthquakes. In the same way, when we procure Information Technology products such as software, operating systems, databases and network devices, we need to perform an assessment to validate their ability to meet our security requirements. We do not need to perform this assessment on our own; instead, the Common Criteria for Information Technology Security Evaluation Certificate Authorizing Members and third-party Certification Assurance agencies across the globe provide these details to IT product consumers. This article describes, at a high level, the processes involved in assigning an assurance level to an IT product.
International Certification Bodies
In 1998, by common agreement, the Common Criteria was created by a few countries: Canada, the UK, the USA, France and Germany. Over the years many countries have joined this group, and India has been part of it since 2005. The Common Criteria was developed from the ISO 15408 evaluation criteria for IT security. These countries have well-established infrastructure and licensed labs to perform security assessments on IT products.
Why do we need Certification?
The IT product vendor gathers security requirements and implements them in the product before delivering it to the market, thereby providing assurance to prospective consumers of the product. The vendor takes the assistance of approved third-party certificate assurance providers, who assess the product against the gathered security requirements and publish a report stating that the security requirements have been incorporated into the product, tested and verified. The vendor then submits the report received from the third-party Certification Assurance agency to the Common Criteria for Information Technology Security Evaluation Certificate Authorizing Members for Common Criteria product evaluation.
When an individual or an organization procures an OS, database, network and network-related devices, data protection devices, access control devices and systems, digital signatures, key management systems and the like, it is worth looking into the security assessment reports produced by the vendor as well as by the Common Criteria for Information Technology Security Evaluation Certificate Authorizing Members before procuring or using these products.
Security assurance parameters such as the product's secure software development process, configuration management, operational activities, password management, penetration testing, vulnerability assessment, log protection, testing process, access controls, logs, authentication, authorization and reports are assessed by the evaluators, who then assign an EAL (Evaluation Assurance Level) to the product. The EALs run from EAL1 to EAL7: EAL1 meets very basic requirements, while EAL7 requires very stringent security requirements.
Common Criteria for Information Technology Security Evaluation Labs
The certification of IT products is performed at licensed labs by the Common Criteria for Information Technology Security Evaluation Certificate Authorizing Members in their own countries. However, each country has taken some deviations from the standard assurance process used to define the EAL values of a product. On the other hand, the certificate assurance level given to an IT product by one country is accepted by the other countries. Some countries can perform evaluations from EAL1 to EAL4; EAL values beyond 4 (EAL5, 6 and 7) are tested in the USA, Canada and Europe.
Risk Assessment Benefits
The EAL value of the product and the final Certificate Assurance report are a major factor in the product risk assessment. The report provides the list of controls that are in place to handle specific information security requirements. As assessors, we can see which security requirements the product has already addressed, perform a gap analysis on the remaining security requirements, and define additional controls to mitigate the risks.
Authored by Ananda Narayanan G
TCS Enterprise Security and Risk Management