430WK6DQ1.docx - STUDENT SOLUTION USA

430 WK6 DQ1 100-150 WORDS

How can an organization apply the Common Criteria for Information Technology Security Evaluation (CC)? Is there value in applying CC within public companies?

REPLIES 75-100 WORDS

A Yamil Santana

Good Afternoon Class,

The Common Criteria for Information Technology Security Evaluation (CC) is a standard for evaluating the security of information technology (IT) products. It is used to certify that an IT product has been thoroughly evaluated and meets certain security standards.

To apply the CC, an organization can follow these steps:

1. Identify the security requirements of the IT product that needs to be evaluated.

2. Determine the level of assurance needed for the IT product. This will depend on the sensitivity of the data that the IT product will be handling and the potential impact of a security breach.

3. Select a CC evaluation facility that is accredited to perform evaluations to the desired level of assurance.

4. Submit the IT product for evaluation to the selected facility. This will involve providing documentation about the product and its security features, as well as making the product available for testing.

5. The evaluation facility will conduct a thorough review of the IT product and its security features. If the product meets the CC requirements, it will be granted a certificate of evaluation.

There is value in applying the CC within public companies, as it can help to ensure that their IT products are secure and meet high standards for protecting sensitive data. This can help to build trust with customers and stakeholders, and can also reduce the risk of security breaches, which can have serious consequences for a company.

B Idrisu Rabiu

Common Criteria (CC) is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria is more formally called "Common Criteria for Information Technology Security Evaluation." 

Common Criteria has two key components: Protection Profiles and Evaluation Assurance Levels. A Protection Profile (PPro) defines a standard set of security requirements for a specific type of product, such as a firewall. The Evaluation Assurance Level (EAL) defines how thoroughly the product is tested. Evaluation Assurance Levels are scaled from 1-7, with one being the lowest level of evaluation and seven being the highest level of evaluation. A higher-level evaluation does not mean the product has a higher level of security, only that the product went through more tests.

To submit a product for evaluation, the vendor must first complete a Security Target (ST) description, which includes an overview of the product and the product's security features, an evaluation of potential security threats, and the vendor's self-assessment detailing how the product conforms to the relevant Protection Profile at the Evaluation Assurance Level the vendor chooses to test against. The laboratory then tests the product to verify the product's security features and evaluates how well it meets the specifications defined in the Protection Profile. The results of a successful evaluation form the basis for an official certification of the product. The goal of CC certification is to assure customers that the products they are buying have been evaluated and that the vendor's claims have been verified by a vendor-neutral third party.

C Autumn Keen

The Common Criteria is an international set of guidelines used to evaluate computer security products and systems. CC is also known as ISO/IEC 15408. It maintains certified products such as operating systems, access control systems, databases and so on. It was created by a multi-country combined effort (United States, Canada, France, Germany, The Netherlands and the UK). It is a framework in which computer system users can specify a "Security Target" (functional and assurance requirements). It provides assurance that the process of implementation and evaluation of a security product has been performed to a rigorous standard at a level that is commensurate with the target audience / customer needs.

Seeing as CC is a check and balance for products and services, I believe it is valuable to have CC within public companies to add one more layer of security, because all companies have devices, data and such that need to be protected.