Problem solve Get help with specific problems with your technologies, process and projects.

Security -- The Common Criteria

Learn about two documents that can serve as guidelines when developing a security policy.

Security has become THE hot topic. You'll probably see more discussion and emphasis on security in 2002 than you have in the last ten years. Why? Because the world is moving toward complete electronic communication where everything from the conversations on your mobile phone to your medical records to your credit card statements are now only digital bits floating around cyberspace.

Many organizations are rushing to assemble a security policy that defines, prescribes and enforces the security measures they deem appropriate and necessary for their industry. However, without a solid guideline, a custom security policy can often act more like a screen door with a rip, instead of a sealed submarine hatch.

There are several means by which an organization can create a security policy which contains fewer holes than otherwise. These include starting off with another organization's policy and customizing it as needed and hiring a security consultant to create a policy from scratch. Both of these options have benefits and drawbacks, most of which are obvious.

If your organization is determined to create an internal document with as little external help as possible, then there are other alternatives for you: the ISO17799 Standard or the Common Criteria. Both of these documents will provide you with a wealth of information related to security policies and the security features of computers and software products.

The ISO17799 Standard is a set of security standards that were originally defined by the British Standards Institution as BS 7799. The original standards were adopted and approved by the ISO, IEC and JTC1 (International Electrotechnical Commission, International Organization for Standardization and Joint Technical Committee). In 1998 these standards were re-formulated to allow for evaluation of compliance with the standards. The ISO17799 defines a framework for security policy. You can learn more about ISO17799 from However, to see the contents of the standard, you'll have to purchase them.

Another alternative, especially for those within the United States, is the Common Criteria. The Common Criteria (also known as International Standard 15408) was created by a joint effort between security organizations from the U.S., Canada, France, Germany, the Netherlands and the U.K. The Common Criteria replace the previous standard of C2 or orange book certification. Unlike the ISO17799 Standard, the Common Criteria defines the features of computer systems and products which offer support and control security. For more information on the Common Criteria, visit or You can download a free copy of the Common Criteria from either site.

About the author

James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was last published in January 2002

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.