Many organizations and government agencies require the use of Common Criteria certified products and systems and use the Common Criteria methodology in their acquisition process. In fact, in July 2002 the U.S. National Information Assurance Acquisition Policy (NSTISSP #11) mandated the use of CC evaluated IT security products in critical infrastructure systems. This standard provides a comprehensive methodology for specifying, implementing, and evaluating the security of IT products, systems, and networks. Because the Common Criteria (CC) for IT Security Evaluation is a relatively new international standard, little written material exists that explains this how-to knowledge, and the standard itself is not easy to interpret. Designed to be used by acquiring organizations, system integrators, manufacturers, and Common Criteria testing/certification labs, Using the Common Criteria for IT Security Evaluation explains how and why to use the Common Criteria during the acquisition, implementation, or evaluation of an IT product, system, network, or services contract. The text describes the Common Criteria methodology: the major processes, steps, activities, concepts, and terminology, and how the CC methodology is used throughout the life of a system. It illustrates how each category of user should employ the methodology, as well as their different roles and responsibilities. This text is an essential resource for all those involved in critical infrastructure systems, like those operated by the FAA, the Federal Reserve Bank, DoD, NATO, NASA, and the intelligence agencies. Organized to follow the Common Criteria lifecycle, Using the Common Criteria for IT Security Evaluation provides examples in each chapter to illustrate how the methodology can be applied in three different scenarios: a COTS product, a system or network, and a services contract.
The discussion problems at the end of each chapter ensure the text's effectiveness in an educational setting and ensure that those government officials required to comply with Presidential Decision Directive 63 (PDD-63) will be able to do so with confidence.
just a rehash of the official CC documentation
Reviewed by Alex F Stop, 2008-11-19
If you are looking for a book that will help you get started on the tortuous, painful path to a CC certificate, save your money. This is just a rehash, in Potomac bureaucratese, of the extremely unenlightening and totally unhelpful documentation that's available for free on the CC website. And of course it's WAY out of date.
Augments official docs & adds realistic approach
Reviewed by Mike Tarrani, 2004-03-27
Although you can obtain the full and most up-to-date documentation for Common Criteria from NIST's Computer Security Resource Center (see ASIN B0001O48Y4), wading through it and transforming the information into an approach is a daunting task. This book distills the Common Criteria key elements and shows how to employ it to implement a security layer that is based on protection profiles aligned to targets of evaluation.
First, a burning question - do you need this book? Or, more specifically, should you use Common Criteria as an approach? If your organization is required to conform to ISO/IEC 15408, or you are a large enterprise with a mature security program, or are planning to employ the Common Criteria as an evaluation approach then this book will prove to be helpful.
What separates this book from the publicly available documentation is the way the authors use practical and realistic examples to step you through the intricacies and complexities of the techniques. They also present the material in a logical sequence that is focused on what is essential, and do so without missing steps or key information.
The book provides a background of Common Criteria, and an overview that includes the what's and why's, and how it relates to other standards. They then systematically lead you through how to develop protection profiles, identify targets of evaluation, develop a security architecture, and perform verification. In addition, this book covers security certification and accreditation, security target evaluation (ASE), vulnerability analysis and penetration testing (AVA), service contracts, and other topics germane to Common Criteria that are scattered throughout the official documentation.
Bottom line - this book will not replace or supplant the official documentation, but nicely augments it by providing a succinct description of relevant information and key activities, and how to use them in the real world.