
 

SIMPLER SECURITY TARGETS

Mike Nash

Gamma Secure Systems Limited
Diamond House, 149 Frimley Rd
Camberley, Surrey GU15 2PS, UK
* PUBLISHED AT THE 5th INTERNATIONAL COMMON CRITERIA CONFERENCE, 28-30 SEPTEMBER 2004, BERLIN, GERMANY © 2004 GAMMA. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from Gamma.

One of the major objections to the Common Criteria (CC) has been the excessive cost of low assurance evaluations. Although this is due in part to evaluation scheme and evaluation authority overheads, a major contributing factor has been the overhead cost of evaluating the security target (ST), where costs are pretty much independent of the target evaluation level for the associated TOE.

At low to moderate assurance levels, it is not unusual for the cost of ST evaluation to exceed that of TOE evaluation. Although it is a generally accepted systems engineering principle that bad requirements specifications can only generate bad systems, sponsors still want and expect low assurance evaluation to concentrate on examination of the system, not on ancillary documentation generated purely for evaluation purposes.

Trial use revision 2.4 of the Common Criteria addresses this issue, but does not offer a complete answer, and perhaps introduces some new problems of its own. For example, the proposed Low Assurance Security Target can still claim conformance to a full-strength Protection Profile. How is this assessed and what does it mean? Does a low assurance evaluation need both a TOE summary specification and a functional specification, and if so, why? At least in CC V2.4, it is a requirement that they are checked for mutual consistency.

Most sponsors regard EAL2 as the entry level for credible assurance. Can nothing be done to reduce the overheads of EAL2 evaluation? This presentation looks into some of these important issues, from both a methodological and a practical point of view.