Common Criteria (CC)
Data Protection
Definition
International standard (ISO 15408) for evaluating security product effectiveness.
Technical Details
Common Criteria (CC) is an international standard (ISO/IEC 15408) that provides a framework for evaluating the security properties of information technology products and systems. It establishes a methodology for specifying security requirements, conducting evaluations, and delivering assurance that a product meets those requirements. Evaluations are conducted by accredited laboratories against the product's Security Target (ST), which states the security functionality claimed and may claim conformance to a Protection Profile (PP); a successful evaluation certifies the product at an Evaluation Assurance Level (EAL), which indicates the depth and rigour of the evaluation and therefore the level of confidence in the evaluated security capabilities. CC thus encompasses several components: Security Targets (ST), which describe a specific product's claims; Protection Profiles (PP), which outline the security needs of a class of products for particular environments or applications; and Evaluation Assurance Levels (EAL), which grade how thoroughly those claims were examined. A higher EAL means more rigorous evaluation of the stated claims, not stronger security functionality in itself, and the certificate applies only to the evaluated version and configuration described in the ST.
Practical Usage
Common Criteria is used globally by governments, businesses, and organizations to ensure that IT products meet defined security standards before deployment. It is particularly important for sectors such as defense, finance, and healthcare, where security is paramount. Organizations seeking to procure secure products may require CC certification as part of their procurement process. The certification helps reduce risk by ensuring that products have been rigorously tested and evaluated against established security criteria; when relying on it, procurers should check that the certified version, configuration, and claimed Protection Profile match what they intend to deploy. Additionally, regulatory bodies often recognize CC evaluations as valid proof of a product's security capabilities.
Examples
- A government agency requiring all firewall products to have a minimum Evaluation Assurance Level (EAL) 4 certification before purchase to ensure robust security measures are in place.
- A financial institution opting for a Common Criteria certified encryption solution to protect sensitive customer data, thus ensuring compliance with industry regulations.
- A healthcare organization implementing a patient management system that is Common Criteria certified, to safeguard patient information against unauthorized access and breaches.