Welcome to our system security evaluation models module on Common Criteria. The Common Criteria process develops protection profiles for standard devices, such as intrusion detection systems, routers, and firewalls. The developer can build their system to meet a specific protection profile. And if they don't have a specific protection profile, they can submit a standalone security target, which can be custom designed, and describes how that device is able to meet a protection profile.
When the developer is ready to proceed with the Common Criteria process, they submit their product, a security target and documentation to the accredited independent testing lab. The lab will evaluate the security target to see if it is a sufficient baseline for evaluation and will also tell if the device is able to meet particular protection profiles.
Once the lab performs the evaluation testing, they will then submit a package to the evaluation authority to validate the findings and assign an evaluation assurance level, or EAL rating. After the EAL is assigned, if any changes or updates are made to the product, re-certification will be necessary to verify that the newly updated product still performs to the same level.
Here we have a visual of how the Common Criteria process works. It starts with a protection profile, which is a request for a specific security solution. The vendor submits the product, which is the target of the evaluation, and also submits a security target which explains the functionality of the device and the assurance components.
The Common Criteria process evaluates security functionality requirements as well as security assurance requirements. And these are different types of requirements that need to be met. The independent lab will then evaluate the product to make sure that it performs the way that the manufacturer says that it should. And once that process is complete, a package will be prepared with the findings and be sent off for verification so that an evaluation assurance level, or EAL, can be assigned.
Here are the components of the Common Criteria process. The protection profile, abbreviated as PP, is the type of product and the description of the necessary security solution. The TOE, or target of the evaluation, is the product that will be tested to make sure that it meets the security requirements.
The security target, or ST, is the written explanation by the vendor describing the security functionality and the assurance that it will meet the necessary security solution. And packages are optional components for a product, such as security requirements bundled into packages for reuse, and a description of the functionality that must be met to achieve specific EAL ratings.
After the testing and verification are completed, an evaluation assurance level, or EAL, will be assigned. The best performing products will have an EAL of seven, where they have been formally verified, designed, and tested. The lowest rating is EAL1, where the functionality has been tested and only black box review of the software has occurred.
The testing is used to determine which products will be placed on the Department of Defense APL, or Approved Products List. For the CISSP examination, you should remember that higher EALs are better and that the products with the highest EAL are considered to be the most secure. The Evaluation Assurance Levels, or EALs, use the protection profiles to determine the rating, and the higher EAL number is always better.
Products are assigned an evaluation assurance level after testing and verification are complete. And they are then placed on the evaluated products list, or EPL. The Common Criteria evaluation system provides more flexibility than the previous evaluation criteria that were used. At the bottom of the screen we can see different products with their EAL ratings.
Keep in mind that products with a higher EAL are considered more secure because they have gone through more stringent testing. This concludes our system security evaluation models module. Thank you for watching.