Explore the evolution and challenges of IT security evaluations, the concept of mutual recognition, and the path towards a unified approach with the Common Criteria. Delve into the necessary components of the grand goal, existing shortfalls, and prospects for improvement in this comprehensive guide.
The Grand Goal: One Evaluation Per Planet
Roger Allan French, Compaq Computer Corporation
10 MAY 2001
Agenda
• Definition of the Grand Goal
• Brief History of IT Security Evaluations
• Needed Parts for the Goal
• Shortfalls and Prospects
• To Sign or Not To Sign the MRA?
• Questions, and maybe Some Answers
The Grand Goal Defined
• Evaluations are Expensive
  • Too Much Money
  • Too Many Resources
  • Too Much Time
• 200 Countries = 200 Evaluations = 200 Versions
• 1 Evaluation / Planet
  • Evaluate Once, Use Everywhere
  • Less Money, Resources, and Time
  • More Understanding and Assurance
A Very Brief History of IT Security Evaluations
• National Books
  • The Orange Book
  • The Green Book
  • The Blue and White Book
  • The CTCPEC
• First International Criteria
  • ITSEC (and ITSEM)
• The Federal Criteria
  • US and Canada (but no more)
• The Common Criteria
The Common Criteria
• CCEB (Editorial Board)
• Parts
  • Overview, Functions, and Assurance
• Scheme
• CC PP Evaluation ST Product
• User Developed Protection Profiles
• ISO/IEC/JTC1/SC27/WG3 Competition
• CCIB and then CCIMB
• ISO 15408
A Protection Profile
• User Requirement
  • e-Commerce, e-government, industry, user
  • For example: Czech Army Protection Profile
• Statement of Combined Needs
• Agreement
• Procurement
• Conformance
  • Standard/Spec Conformance
Parts of the Grand Goal
• A Common Lexicon
• A Common Criteria
• A Common Evaluation Methodology
• A Common Repository
• Mutual Recognition
Existing Parts of the Grand Goal
• A Common Lexicon
  • The CC uses dictionaries, ISO glossary, other security references, and its own
• A Common Criteria
  • ISO 15408
• A Common Evaluation Methodology
  • CCIMB/CEM (in process)
• A Common Repository
  • AFNOR/PPR and ISO/PPRP
• Mutual Recognition
  • MRA (13 countries so far)
Shortfalls and Prospects
• Complex Criteria / 900-page document
• No Method to Update/Fix
• No Common Evaluation Methodology
• Extensive Assurance
• National Differences
• Military Perspective
• Accreditation vs. Evaluation
• and more ...
To Sign or Not To Sign the MRA?
• The Mutual Recognition Arrangement
• 13 Countries, expect more
• Customer Countries
• If a Country Signs,
  • Recognize/Recognized
• If You Don’t Sign, …..
  • Recognize Anyway
• Before You Sign, …..
  • History of Evaluation
My Conclusions
• The Common Criteria is the only ‘common’ criteria you will see in the next 10 years.
• It’s not ‘common’ enough.
• The Shortfalls Need to be Fixed.
• Fixing the Shortfalls is Worth the Effort.
• The Grand Goal is almost possible.
The International Common Criteria Conference
• ICCC – MAY 2000
  • 600 Participants out of 1,000 +
  • 7-page Summary Report Available
    • In English
    • In Polish
• 2nd ICCC – 18-19 JULY 2001
  • Brighton, U.K.
Questions
• Answers
  • I don’t know.
  • I think so.
  • I’ll get back to you.
  • Yes, definitely.
  • Probably not.
  • No!
  • I don’t understand the question.
  • That’s a good question, next question.
Roger Allan French
• roger.french@compaq.com
• (phone) 01 603 884-4348
• (fax) 01 603 884-0120
• Compaq Computer
• ZKO3-2/T55
• 110 Spit Brook Road
• Nashua, NH 03062-2698
• U.S.A.