Tip

Security -- The Common Criteria



Security has become THE hot topic. You'll probably see more discussion and emphasis on security in 2002 than you have in the last ten years. Why? Because the world is moving toward complete electronic communication where everything from the conversations on your mobile phone to your medical records to your credit card statements are now only digital bits floating around cyberspace.

Many organizations are rushing to assemble a security policy that defines, prescribes and enforces the security measures they deem appropriate and necessary for their industry. However, without a solid guideline, a custom security policy can often act more like a screen door with a rip, instead of a sealed submarine hatch.

There are several means by which an organization can create a security policy which contains fewer holes than otherwise. These include starting off with another organization's policy and customizing it as needed and hiring a security consultant to create a policy from scratch. Both of these options have benefits and drawbacks, most of which are obvious.

If your organization is determined to create an internal document with as little external help as possible, then there are other alternatives for you: the ISO17799 Standard or the Common Criteria. Both of these documents will provide you with a wealth of information related to security policies and the security features of computers and software products.

The ISO17799 Standard

    Requires Free Membership to View

is a set of security standards that were originally defined by the British Standards Institution as BS 7799. The original standards were adopted and approved by the ISO, IEC and JTC1 (International Electrotechnical Commission, International Organization for Standardization and Joint Technical Committee). In 1998 these standards were re-formulated to allow for evaluation of compliance with the standards. The ISO17799 defines a framework for security policy. You can learn more about ISO17799 from www.iso17799-web.com. However, to see the contents of the standard, you'll have to purchase them.

Another alternative, especially for those within the United States, is the Common Criteria. The Common Criteria (also known as International Standard 15408) was created by a joint effort between security organizations from the U.S., Canada, France, Germany, the Netherlands and the U.K. The Common Criteria replace the previous standard of C2 or orange book certification. Unlike the ISO17799 Standard, the Common Criteria defines the features of computer systems and products which offer support and control security. For more information on the Common Criteria, visit http://csrc.nist.gov/cc/ or http://www.commoncriteria.org/. You can download a free copy of the Common Criteria from either site.


About the author

James Michael Stewart is a researcher and writer for Lanwrights, Inc.


This was first published in January 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.