CC objectives [2-4] are described as follows:
To ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.
To improve the availability of evaluated, security-enhanced IT products and protection profiles.
To eliminate the burden of duplicating evaluations of IT products and protection profiles.
To continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles.
A.5.1 CC Evaluation Assurance Level (EAL)
The Common Criteria (CC) certification provides assurance by measuring the level of security based on the likelihood of threats and their impact. The Common Criteria defines two classes of security requirements: functional and assurance. The objectives of these two classes vary depending upon the security classification level. There are seven levels of assurance, known as Evaluation Assurance Levels (EALs). The numerical rating of the EAL [4] describes the development and presentation of the product's evaluation. Each EAL corresponds to a set of Security Assurance Requirements (SARs), which cover the product development at that level of strictness. The assurance levels EAL1 to EAL7 represent an increasing order of evaluation assurance. The first level applies when the threat and impact are very low and the seventh when the threat and impact are very high, so a higher level provides more confidence and assurance of safety. The highest level, EAL7, involves verification of the developed software based on logical reasoning and theorem-proving techniques. Higher EALs do not necessarily imply "better security"; they only mean that the security claimed is more extensively verified. All the Evaluation Assurance Levels (EALs) [21] are described as follows:
EAL1: Functionally Tested. It applies when you require confidence in a product's correct operation, but do not view threats to security as serious. An evaluation at this level should provide evidence that the target of evaluation functions in a manner consistent with its documentation, and that it provides useful protection against identified threats.
EAL2: Structurally Tested. It applies when developers or users require low to moderate independently assured security, but the complete development record is not readily available. This situation may arise when there is limited developer access or when there is an effort to secure legacy systems.
EAL3: Methodically Tested and Checked. It applies when developers or users require a moderate level of independently assured security and require a thorough investigation of the target of evaluation and its development, without substantial re-engineering.