Assurance

In information security, the term assurance means the level of trust or the degree of confidence in the satisfaction of security needs. There are many standards and guidelines published by the government and commercial organizations to evaluate the assurance aspects of computer systems.

Common Criteria

Common Criteria (CC) is an assurance framework that is predominantly derived from the following three country-specific standards:

  • Trusted Computer Security Evaluation Criteria (TCSEC)
  • Information Technology Security Evaluation Criteria (ITSEC)
  • Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)

CC defines a Protection Profile (PP), a set of security requirements for a class of computing systems.

The following are some of the concepts pertaining to CC:

  • Target of Evaluation (TOE) is the target product or system that is to be evaluated.
  • Security Target (ST) is principally a document that identifies the security properties of the TOE. This document contains the Security Functional Requirements (SFR) that may be provided by the product or system.
  • Evaluation Assurance Level (EAL) is a numerical rating that describes the depth and rigor of the evaluation. EAL is based on Security Assurance Requirements (SAR). There are seven levels of EAL, from EAL1 (basic) to EAL7 (most stringent).

Trusted Computer Security Evaluation Criteria (TCSEC) is also called the Orange Book of the Rainbow Series published by the United States Department of Defense (DoD). The focus of TCSEC is on confidentiality, while the DoD's other standard, Trusted Network Interpretation (TNI), also called the Red Book, addresses confidentiality as well as integrity.

Information Technology Security Evaluation Criteria (ITSEC) is a European standard for IT security that specifies evaluation criteria for functionality and assurance. ITSEC divides evaluation parameters as follows:

  • Functionality classes
  • Assurance levels
  • Correctness levels
  • Security functions

ITSEC specifies two kinds of assurance:

  • The correctness of security functions
  • The effectiveness of the Target of Evaluation (TOE)

Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) is a Canadian standard for security product evaluation published by the Communications Security Establishment.
