In the wake of recent scandals, the US passed the
Sarbanes-Oxley Act and the European Commission issued a proposal for a
new EC Directive on the statutory audit of annual accounts. Corporate
governance guidelines and regulations specify the imperative for an
organisation to achieve its business objectives whilst looking after
its stakeholders. Part of the requirement is the need for
organisations to have an internal control system, which is the means
by which an organisation achieves its business objectives and manages
its business risks. What then is the relevance of the Common Criteria
to corporate governance?
The vast majority of internal controls
concern information in one form or another, and in this modern age,
much of that involves IT. Common Criteria evaluation inspires
confidence that the functionality of IT products will do what it is
supposed to do and not do what it is not supposed to do. This is a
unique proposition and provides a solid platform with which to build a
robust system of internal control.
Unfortunately, it is axiomatic that this
will go wrong (Murphy's Law) and therefore there is a need for an
appropriate mixture of preventive, detective and reactive controls.
Their effectiveness can be judged on the ability to detect an event in
sufficient time for management to take appropriate action before the
onset of some adverse impact.
In developing an internal control system,
the Board will first consider the business processes that are key to
the success of the business mission and ultimately those that concern
the business infrastructure, such as IT and other supporting services.
The principles of time to detect and react, and the need to determine
an appropriate mix of controls must also be taken into account.
One of the strengths of the Common Criteria
is the richness of the Part 2 vocabulary in expressing internal
control functionality. It does this particularly well for individual
IT components, but how well does it do it:
- In terms of the overall preventive, detective and reactive mix at the IT infrastructure level (e.g. firewall, antivirus, intrusion detection, backup and recovery)?
- In terms of business process applications (e.g. financial reporting and process control)?
This paper addresses these questions and
shows the relationship between the Common Criteria, the various
corporate governance laws and regulations and other standards, drawn
from the fields of accounting, quality assurance and information
security management.