
One of the most effective ways of projecting the trustworthiness of an IT product, such as a firewall or a smart card, is by evaluation. The Common Criteria is now the preferred approach to achieve this. It is now an ISO standard (ISO/IEC 15408:1999) and a Common Criteria Recognition Arrangement (CCRA) is in place. The CCRA facilitates the acceptance in one country of evaluation certificates awarded in another. If Common Criteria certification is important for your business, perhaps even crucial, what do you do next?

Your response - choose from any of the Gamma Common Criteria Services

The Gamma Common Criteria service consists of complementary modules to help you achieve a Common Criteria certification for your IT product or, as a user, establish a security standard appropriate to your market needs. We are particularly skilled in the area of smart cards, an example being our work on the Visa Open Platform Protection Profile (OP3) (2000-01).  We are also very active in ISO SC 27 WG3 helping to further develop the Common Criteria.

  • Establish the business case: We will assist you to establish the business case for CC evaluation, ensuring that all the relevant costs are factored in so that you may determine the likely return on investment for the chosen evaluation level (EAL)

  • Shortfall Analysis: We will determine any shortfall in your organisation’s development and quality assurance procedures necessary to meet the Common Criteria assurance requirements for the chosen EAL. Likewise, we will determine what (if any) improvements could be made, which would reduce the costs and risks of evaluation

  • Planning: We will identify the evaluation risks and help you to establish a costed risk mitigation plan

  • Training: We will conduct a training needs analysis and develop/execute an appropriate training programme

  • Protection Profile Development: We will assist you to develop a Protection Profile.  We can write it for you, or train you how to write it.  We are particularly knowledgeable about OP3 and other smart card Protection Profiles and how application profiles might therefore be written to concord with them

The Open Platform Protection Profile (OP3) specifies the security requirements for Global Platform's  reconfigurable smart cards.  From a Common Criteria standpoint, OP provides solutions to three common problems, concerning how to :
The profile also tackles the interesting problem of application code verification, which is a form of evaluation in its own right.  Please read the profile to find out more.

  • Security Target Development: We will assist you to develop a Security Target that articulates how your IT product meets (or exceeds) a given Protection Profile, particularly concerning OP3.

  • Off-TOE Integration:  We will help you to specify the security requirements necessary to satisfy a Protection Profile's assumptions. 

  • Registration: We will assist you to register your Protection Profile.

  • Public Review: We will assist you to comment on newly registered Protection Profiles to help you ensure that they meet your business needs.

Simply choose the elements that best suit your organisation's needs. If you are not sure what you need, we will be happy to help.

Your next move

... simply contact David Brewer. Why not do it now!

             
             
             
 
Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2008 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Copyright © Gamma Secure Systems Limited 1998-2004
 
 
Page last updated: 2 September, 2004