Origin of Common Criteria
The goal for developing Common Criteria (
Common Criteria Certification
The CC certification program provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous, standard and repeatable manner, at a level commensurate with the target environment for use. Vendors implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they meet the claims.
Common Criteria has 3 parts:
“Introduction and General Model” – containing definitions of terminologies used in the evaluation process
“Security Functional Components” – elaborates the security requirements
“Security Assurance Component” – used to rate the effectiveness of security controls
CC enables an evaluation to confirm that a specific product fulfills a defined set of security requirements.
Key concepts of CC are:
Evaluation Assurance Level 2+ (EAL 2+)
WipeDrive Enterprise obtained EAL 2+ certification on a data erasure security target and received evaluation by OCSI (http://www.ocsi.isticom.it), a Common Criteria certified lab. The evaluation process consists of assessing the evaluation documentation, in-depth testing of the software and the results of the examination. The evaluation serves to validate claims made about the target.
To be of practical use, the evaluation must verify the target’s security features. This is done through the following:
The Security Target (ST) is the document that identifies the security properties of the target of evaluation (TOE). The ST may claim conformance with one or more Protection Profiles (PPs). The TOE is evaluated against the Security Functional Requirements (SFRs) established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a database management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
The WipeDrive EAL2+ rating can be checked on the CC website, which lists all the certified data erasure products http://www.