Importance of Common Criteria in cybersecurity

In today’s digital world, as the number of connected devices has dramatically increased, we need cybersecurity solutions to protect our personal data and smart devices more than ever. But who checks and guarantees the security of cybersecurity systems and products? The various international security standards, for one. One of them is Common Criteria, whose details and importance will be explained in this article.

What is Common Criteria?

Common Criteria for Information Technology Security Evaluation (Common Criteria or CC for short) is an international collection of specifications and standards for assessing IT security products and systems (ISO 15408). Common Criteria was established to affirm that cybersecurity systems and products meet predefined security criteria agreed upon by all CCRA member countries. CC-certified IT products have passed testing and Common Criteria evaluation by an accredited, independent testing laboratory.

What is the importance of Common Criteria in cybersecurity?

In previous decades, technology evolved faster than legislation could keep up, resulting in security concerns and vulnerabilities with few established standards to address them.

The situation is changing for the better: the number of IT security regulations and standards is increasing, and they are being developed to handle these vulnerabilities. Common Criteria was one of the first standards for IT product security certification; nonetheless, it is crucial to highlight that, because of its complexity, CC is needed by only a specific part of IT security.

What type of products and systems can get Common Criteria certified?

Mobile and network devices, firewalls, application software, and other specific cybersecurity products and systems are the most commonly certified items. Although the number of certifications appears to be rising year after year, in 2021 only 411 IT products got Common Criteria certified globally.

What is included in the Common Criteria framework?

To be CC certified, an IT product must go through an assessment process and meet a number of criteria. The product or system being evaluated is called the ‘target of evaluation’ (TOE). The process ensures that Common Criteria certified products fulfill the global standard’s criteria at the chosen security level.

The main elements of the Common Criteria framework:

  • Protection Profile (PP): frequently created by a user or user community, outlining the security criteria for a class of security devices relevant to them for a specific purpose. Suppliers and developers can build products that meet one or more PPs and have their products or systems tested against those PPs.
  • Security Target (ST): a document that describes the Target of Evaluation (TOE), i.e. the product configuration and version, as well as the breadth of security capability that is being evaluated.
  • Evaluation Assurance Levels (EAL): a specified set of security measures that range from Functionally Tested (EAL1) to Formally Verified Design and Tested (EAL7). A Protection Profile or a Security Target can either refer to an EAL or provide its own unique set of security requirements. A higher EAL does not necessarily mean better security, but rather that the TOE has been more comprehensively tested.

Cue

National and international security standards are increasingly capable of preventing cybercrime. With Common Criteria certified systems and products, we are one step closer to a more secure digital world.
