This page is currently queued for revision.
Information technology - Security techniques - Evaluation criteria for IT security
ISO/IEC 15408:2009 is better known as the Common Criteria.
Acronyms, Abbreviations, and Initialisms
|Short Form||Full Form|
|EAL||Evaluation Assurance Level|
|IEC||International Electrotechnical Commission|
|IDS||Intrusion Detection System|
|IPS||Intrusion Prevention System|
|ISO||International Organization for Standardization|
|TCSEC||Trusted Computer System Evaluation Criteria|
|UTM||Unified Threat Management|
ISO/IEC 15408:2009 is an international set of guidelines and specifications developed for evaluating information security products, with the view to ensuring they meet an agreed-upon security standard for government entities and agencies.
The guidelines look at certifying a product only and does not include administrative or business processes.
The certification of the product only certifies its capabilities. If misconfigured or mismanaged, it is no more secure than anything else the customer might use.
Protection profiles define a standard set of security requirements for a specific type of product, such as a firewall, IPS/IDS, or UTM.
Evaluation Assurance Levels (EALs)
EALs define how thoroughly the product is tested. EALs are rated using a sliding scale from 1-7, with 1 being the lowest-level evaluation and 7 being the highest.
The higher the level of evaluation, the more QA tests the product would have undergone; however, undergoing more tests does not necessarily mean the product is more secure.
|EAL3||Methodically tested and checked|
|EAL4||Methodically designed, tested, and reviewed|
|EAL5||Semiformally designed and tested|
|EAL6||Semiformally verified design and tested|
|EAL7||Formally verified design and tested|
There are three steps to successfully submit a product for evaluation according to the Common Criteria:
- The vendor must detail the security features of a product using what is called a Security Target (ST).
- The product, along with the ST, goes to a certified laboratory for testing according to evaluate how well it meets the specifications defined in the protection profile.
- A successful evaluation leads to an official certification of the product.