Common Criteria
Abstract
Common Criteria (CC) for Information Technology Security Assessment is an international set of specifications and guidance used to evaluate whether information products and systems meet pre-defined security standards. Common Criteria certification is awarded to products and systems after testing and assessment have been completed successfully. Common Criteria involves different parts, including the security criteria and the assurance criteria. This paper discusses the layout and scope of the security criteria and the assurance criteria. The paper also describes the differences between security criteria and assurance criteria.
Security Criteria
Security criteria involve protection profiles that set the required security standards for specific types of product security management. To ensure the security of the cyberinfrastructure, a five-step risk assessment function framework is used. The functions in the security framework include the identify function, which is used to develop an organizational understanding that helps in managing cybersecurity risk to technological systems, people, and assets. The identify function activities enable the organization to focus and prioritize its security efforts by providing an understanding of the resources that support critical functions and the related cybersecurity risks. The activities in the identify function include asset management, risk assessments, business environment, risk management strategies, and governance (Common Criteria, 2017). The protect function is another of the risk assessment steps; it involves developing and implementing appropriate safeguards to ensure critical services are delivered. The objective of the protect function is to limit or control the potential impact of cybersecurity events. The protect function activities include controlling identity management, authentication, and access to physical and logical assets, and conducting training and awareness on cybersecurity-related responsibilities and duties to ensure that all organizational personnel act consistently with the provided cybersecurity policies, agreements, and procedures. Another activity in the protect function is controlling data security by ensuring that information and records are managed according to the organization’s risk strategy so that the confidentiality, integrity, and availability of information are maintained. Information protection procedures and processes are also part of the protect function; they ensure the organization maintains security policies, procedures, and processes to protect its assets and information systems (Common Criteria, 2017).
Lastly, the protect function involves maintenance and protective technology activities. The maintenance activities ensure that maintenance and repair of information components and industrial control are performed based on the policies and procedures, while protective technology activities ensure that the technical security solutions available in the organization are managed consistently with related procedures, policies, and agreements to ensure the security and resilience of assets and systems.
Detect is another risk assessment function, which involves developing and implementing appropriate activities to identify the occurrence of an event related to cybersecurity. The objective of the detect function is to enable the timely discovery of cybersecurity events. The activities involved in the detect function include detecting anomalies and events and understanding the potential impact related to the events. Another activity is continuous monitoring of the security of systems and assets in an effort to identify potential cybersecurity events and to verify the effectiveness of the protective measures to be applied (Common Criteria, 2017). The last activity in the detect function is maintaining and testing detection processes and procedures to ensure awareness of anomalous events. The respond function of security risk assessment involves developing and implementing appropriate activities for taking action on detected cybersecurity events. The objective of the respond function is to support the ability of the organization to contain the potential impacts of cybersecurity events. The activities related to the respond function include response planning, whereby response procedures and processes are maintained and executed; communication activities, which are coordinated with both internal and external stakeholders; analysis activities, which are conducted to ensure the response is effective and capable of supporting recovery processes and procedures; mitigation activities, which are performed in an effort to prevent the expansion of security incidents; and improvement of response activities, which is conducted by incorporating lessons learned from previous detection and response activities.
The last step of the risk assessment framework is the recovery function, which involves developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that are affected by cybersecurity events. The objective of the recovery function is to support timely recovery to normal organizational operation, reducing the impact of cybersecurity incidents (Common Criteria, 2017). The activities conducted in the recovery function include executing and maintaining recovery procedures and processes to ensure quick restoration of systems and assets, improving recovery procedures and processes by integrating lessons learned into future activities, and communicating restoration activities to both internal and external stakeholders for easy coordination.
Assurance Criteria
The assurance security requirements are provided in seven levels, whereby a higher level offers more confidence in the security functional requirements. Level 1 is functionally tested, which applies when an organization requires confidence in the operation of its products without considering the security threat to be serious. The second assurance level is structurally tested, which requires the co-operation of developers in the delivery of design information and test results without demanding more effort on the developer's part than is consistent with good commercial practice. Therefore, developers at this level require a low to moderate level of independently assured security without a complete development record being readily available (National Institute of Standards and Technology, 2018). The third level is methodically tested and checked, which applies when users or developers require a moderate level of independently assured security and a thorough investigation of the target of evaluation and its development without substantial reengineering. The objective of the methodically tested and checked level is to enable developers to gain maximum assurance from positive security engineering at the design stage without substantial alteration of development practices.
Methodically designed, tested, and reviewed is the fourth level of assessment assurance security. It enables the developer to gain maximum assurance from positive security engineering based on good commercial development practices that do not require substantial specialist resources, knowledge, and skills. The fourth level applies where users or developers require moderate to high independently assured security and are prepared to incur additional security-specific costs. The fifth level of assurance security assessment is semi-formally designed and tested. The objective of this level is to permit developers to gain maximum assurance from security engineering that involves rigorous commercial development practices and specialist security engineering techniques. The level applies when users or developers require high, independently assured security with a rigorous development approach that does not incur costs from security engineering techniques (National Institute of Standards and Technology, 2018). Semi-formally verified design and tested is the sixth level, which allows developers to gain high assurance from applying security engineering techniques in a rigorous development environment, enabling them to produce a premium target of assessment capable of protecting high-value assets against significant risks. The seventh level of security assessment assurance is formally verified design and tested, which applies to the development of security targets of assessment for extremely high-risk situations and also where the high value of the assets justifies the higher costs.
Difference between Security Criteria and Assurance Criteria
The security criteria differ from the assurance criteria in several ways. One is their application: the security criteria are mandates that must be put in place to ensure the organization is able to understand, manage, and express cybersecurity risk, while the assurance criteria are applied to specific products to ensure they are protected against cybersecurity attacks. Another difference is that the assurance criteria provide confidence in the security functional requirements of information assets, while the security criteria provide the techniques by which the security functional requirements can be maintained and managed consistently with related policies, agreements, standards, procedures, and processes.
References
Common Criteria. (2017, April). Common Criteria for Information Technology Security Assessment: CC v3.1. Release 5. Retrieved from https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5_marked_changes.pdf
National Institute of Standards and Technology. (2018, April 16). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf