Using the Common Criteria for IT Security Evaluation
By Debra S. Herrmann
288 pages, $79.95
The Common Criteria is recognized around the world as a standard approach for validating security products. In fact, it's a requirement in the U.S. for solutions supporting national security.
But the Common Criteria isn't for the common man or woman, as Debra S. Herrmann proves in Using the Common Criteria for IT Security Evaluation. Herrmann addresses this parched infosecurity topic in what may be the driest book ever written, and that's not meant to detract from the value of her work.
Plowing through this text requires more than a caffeine fix. At the very least, it calls for a companion bookmark that defines the many cited acronyms. The saving grace is the summary and questions at the end of each chapter, which is more useful if read first for a heads-up on what's covered.
Despite a well-organized, extensive list of criteria, you'll need to constantly check back 20 pages to review referenced terms. More than 100 charts depicting the relationships, subcomponents of each component and examples, require readers to flip back and forth.
Unfortunately, the book focuses on the organization and the process of completing Common Criteria documentation rather than the evaluation of systems. Any solid, practical advice that Herrmann provides disappears amidst text that's primarily definitions and explanations. For example, one valuable recommendation is to simplify evaluation targets into logical groupings of self-contained components rather than trying to construct a vast, complex evaluation. This type of advice is buried in the verbose, distracting glossary language.
If you're submitting to Common Criteria testing, Using the Common Criteria for IT Security Evaluation may be an appropriate book. You'll get a sense of the book's organization in the first three pages, and a history of government security standards early on. Herrmann serves the real meat of addressing Common Criteria -- architecture and design -- a reference that's worth a second read when tackling threat assessments and reference models. She adequately covers the Evaluation Assurance Levels, and how to meet each particular requirement.
Herrmann has essentially written a reference albatross, which comprehensively defines and explains Common Criteria documentation requirements, but screams for an acronym reference card, a CD of charts and examples that can be used as templates for creating the necessary documents.