Solution: Common Criteria | ISO/IEC 15408
Product security: Common Criteria (ISO/IEC 15408)
Certification procedure
1.
2. Document review
3. On-site visit
4.
5.
6. Conclusion & certificate
Common Criteria (ISO/IEC 15408)
Common Criteria (ISO/IEC 15408) is one of the most comprehensive and complex standards dealing with product security. Common Criteria certification is a globally recognized proof of a product's security properties.
- Show your customers and business partners that your product meets the required security level.
- Comprehensive evaluation reports that identify areas for improvement.
- Globally recognized certification.
- Lower costs and higher efficiency compared to European evaluation facilities.
Introduction of Common Criteria
The Common Criteria for Information Technology Security Evaluation (CC) and the associated Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:
- Products can be evaluated by competent and independent licensed laboratories to determine compliance with certain security characteristics to a stated degree of certainty.
- Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied in the certification of specific technologies.
- Certification of the security properties of an evaluated product can be issued by a number of certification bodies, and this certification is based on the outcome of their evaluation.
These certificates are recognized by all signatories of the CCRA.
1. Common Criteria approach
- Workshop for training in the Common Criteria
  - General Model
  - Components for security functions and assurance
  - Protection Profiles
- Scoping of the Target of Evaluation (TOE)
  - Analysis of the components of the target product
  - Optimization of the scope of the product for evaluation
- Gap Analysis
  - Analysis of the current situation of the product
  - Analysis of the current situation of the site and process
  - Report on gap analysis
- Consulting for the preparation of the Security Target (ST)
  - Interpretation of the requirements of the ST
  - Demo of each part of the ST
  - Lead and review the ST of the customer
2. Prepare evaluation certificates
- Common Criteria Documentation Workshop
  - CC required documentation in each class
  - How to write documents in CC
- Advice on how to meet security requirements and improve security features
  - Analysis of the functional security requirements of the TOE
  - Review and improvement of security features
- Advice on establishing a secure development process and product life-cycle management
  - Analysis of process and life-cycle management
  - Improvement of security controls
- Consultation to increase on-site security
  - On-site audit of development sites
  - Findings and suggestions for site security
3. Evaluation object
- Documentation review and feedback
  - Rapid review of documents and immediate feedback
  - Detailed review of documents and formal comments
- Vulnerability analysis and penetration testing
  - Vulnerability analysis based on different levels of attack potential
  - Actual penetration testing at the identified attack potentials
- Evaluation of observation reports
  - CB-approved observation reports for each class
  - Explanation of the observation reports
4. Certification
- Evaluation Technical Report to the Certification Body
  - Prepare the final Evaluation Technical Report (ETR)
  - Have the ETR approved by the CB
- Assist with the certification body's certification process
  - Multiple meetings with the CB during the various phases of the evaluation process
  - Procedures of the certification process