Common Criteria Consulting Services
Common Criteria is a standard for IT security product evaluation that is well known worldwide. The security assurance of IT security products is expressed through "Evaluation Assurance Levels (EALs)". The EALs provide an increasing scale that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance. The evaluation assurance levels are classified into 7 levels (EAL 1 ~ EAL 7).
- EAL1: EAL1 requires only a limited security target. It is sufficient to simply state the SFRs (Security Functional Requirements) that the TOE (Target of Evaluation) must meet. EAL1 provides a basic level of assurance by a limited security target and an analysis of the SFRs in that ST (Security Target) using a functional and interface specification and guidance document, to understand the security behaviour.
- EAL2: EAL2 provides assurance by a full security target and an analysis of the SFRs in that ST, using a functional and interface specification, guidance document and a basic description of the architecture of the TOE, to understand the security behaviour. EAL2 also provides assurance through use of a configuration management system and evidence of secure delivery procedures.
- EAL3: EAL3 provides assurance by a full security target and an analysis of the SFRs in that ST, using a functional and interface specification, guidance documentation, and an architecture description of the design of the TOE, to understand the security behaviour. EAL3 also provides assurance through the use of development environment controls, TOE configuration management and evidence of secure delivery procedures.
- EAL4: EAL4 provides assurance by a full security target and an analysis of the SFRs in that ST, using a functional and complete interface specification, guidance documentation, a description of the basic modular design of the TOE, and a subset of the implementation, to understand the security behaviour. EAL4 also provides assurance through the use of development environment controls and additional TOE configuration management including automation, and evidence of secure delivery procedures.
- EAL5: EAL5 provides assurance by a full security target and an analysis of the SFRs in the ST, using a functional and complete interface specification, guidance documentation, a description of the design of the TOE, and the implementation, to understand the security behaviour. A modular TSF design is also required. EAL5 also provides assurance through the use of development environment controls, comprehensive TOE configuration management including automation, and evidence of secure delivery procedures.
- EAL6: EAL6 provides assurance by a full security target and an analysis of the SFRs in that ST, using a functional and complete interface specification, guidance documentation, the design of the TOE, and the implementation to understand the security behaviour. Assurance is additionally gained through a formal model of select TOE security policies and a semiformal presentation of the functional specification and TOE design.
- EAL7: EAL7 provides assurance by a full security target and an analysis of the SFRs in that ST, using a functional and complete interface specification, guidance documentation, the design of the TOE, and a structured presentation of the implementation to understand the security behaviour. EAL7 also provides assurance through the use of a structured development process, development environment controls, and comprehensive TOE configuration management including complete automation, and evidence of secure delivery procedures.
Crypto Module Consulting Services
The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2) is a U.S. government computer security standard used to accredit cryptographic modules. The National Institute of Standards and Technology (NIST) issued the FIPS 140 publication series to coordinate the requirements and standards for cryptographic modules that include both hardware and software components. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements in 11 security domains that will be satisfied by a cryptographic module. The 11 security domains are listed as follows:
- Cryptographic Module Specification
- Cryptographic Module Ports and Interfaces
- Roles, Services, and Authentication
- Finite State Model
- Physical Security
- Operational Environment
- Cryptographic Key Management
- EMI/EMC requirements
- Self Tests
- Design Assurance
- Mitigation of Other Attacks
Based on your needs and the state of the product, USIS Inc. helps you prepare all required documents, get ready for lab testing, and get certified by the certification body.
If you need more info, please contact USIS Inc.