Common Criteria for Information Technology Security Evaluation

Why Trust Techopedia

What Does Common Criteria for Information Technology Security Evaluation Mean?

The Common Criteria for Information Technology Security Evaluation (CC) is an international standard based on computer security product and system evaluations. CC provides guidance on required functionality and assurance for security-related products and other items in a specific environment. CC evaluations are conducted for product consumers, users, technology developers and evaluators.

Advertisements

CC is also known as ISO/IEC 15408.

Techopedia Explains Common Criteria for Information Technology Security Evaluation

A CC evaluation is performed on a Target of Evaluation (TOE), including separate or combined hardware, firmware and software. Not always a full IT product, a TOE may be a newly developed item or consolidated package and configured as follows:

  • Software application only
  • OS only
  • Software application and OS
  • Software application, OS and workstation
  • OS and workstation
  • Smart card integrated circuit only
  • Cryptographic coprocessor only (a smart card integrated circuit component)
  • Local area network (LAN), including terminals, network equipment, software and servers
  • Database application only (without remote client software)

A TOE may take the form of a configuration management system file list, master copy, packaged CD-ROM/customer user manual or previously installed and operational state.

A CC has three components:

  • General CC/TOE model and introduction: Provides a basic TOE evaluation outline
  • Security function component section: Relates common IT product and technology security requirements
  • Security assurance component section: Relates common IT product and technology assurance requirements
Advertisements

Related Terms

Margaret Rouse
Technology expert
Margaret Rouse
Technology expert

Margaret is an award-winning writer and educator known for her ability to explain complex technical topics to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles in the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret’s idea of ​​a fun day is to help IT and business professionals to learn to speak each other’s highly specialized languages.