Title :
Developer-focused assurance requirements [Evaluation Assurance Level and Common Criteria for IT system evaluation]
Author :
Stoneburner, Gary
Author_Institution :
Appl. Phys. Lab., Johns Hopkins Univ., MD, USA
Date :
7/1/2005 12:00:00 AM
Abstract :
In 1999, the International Organization for Standardization and the International Electrotechnical Commission jointly published the Common Criteria for Information Technology Security Evaluation to provide IT security evaluation guidelines that extend to an international community. The assurance requirements, including prepackaged sets of Evaluation Assurance Levels (EALs) in the Common Criteria (CC), represent the paradigm that assurance equals evaluation, and more evaluation leads to more assurance. This paradigm is at odds with the commercial off-the-shelf (COTS) marketplace, neither reflecting how confidence is typically achieved nor providing a cost-effective means for supplying grounds for confidence in the security capabilities of the information technology being evaluated.
Keywords :
formal specification; information technology; quality assurance; security of data; Common Criteria; Evaluation Assurance Level; IT security evaluation guidelines; commercial off-the-shelf marketplace; developer-focused assurance requirements; Computer security; Costs; IEC standards; ISO standards; Information security; Information technology; Laboratories; Performance evaluation; Physics computing; Standards development; IT security; common criteria; evaluation assurance levels; standards;
DOI :
10.1109/MC.2005.227