Penetration Testing mailing list archives

Re: Common Criteria Evaluations


From: Richard Thomas <austindad () gmail com>
Date: Wed, 9 Sep 2009 12:13:24 -0500

Now that is a big question.  One thing to consider is how much the
vendor wants to pay for a CC validation.  The higher the EAL, the more
it will cost.  As you examine products at the various EALs, you will
notice that as the level increases, the product becomes less complex.
Looking at the security target of a product will tell you what is in
scope of the evaluation.  The higher the EAL, the more assurance the
product has.  When a particular product acquires a validation
certificate, the code of the product is locked.  Any changes, e.g.
service packs, must be evaluated in terms of the impact to any of the
assurance claims made within the security target.  Also be aware that
products are evaluated in a specific configuration.  If you are trying
to achieve a given assurance level for your system, then first you
would need to purchase the appropriate product at that level and then
configure it and operate it in the same configuration as it was
evaluated for the EAL to be in effect.  If you are looking for the
types of security controls in place at the various EALs, I would start
at commoncriteriaportal.org.  I hope this helps.

Richard Thomas

On Tue, Sep 8, 2009 at 4:43 AM, M.D.Mufambisi<mufambisi () gmail com> wrote:
Hi people. I'm hoping someone here will be able to assist me. I have
just been going through the Common Criteria evaluations. Of particular
interest is the fact that Microsoft 2008 Server has an evaluation EAL1
yet XP SP2 has evaluation of EAL3. What does this mean with regards to
security and functionality? Does a product get re-evaluated say when a
service pack has been released? Are there particular instances where
one specifically looks for software of a particular assurance level?

Regards

Munyaradzi Mufambisi
