I. Introduce students to the Common Criteria for Information Technology Security Evaluation, often called the Common Criteria or just CC.
II. Mention that it is an international standard for computer security certification. It is classified as ISO/IEC 15408.
III. Discuss the following CC terminology:
• Target of Evaluation (ToE): the system being evaluated
• Protection Profile (PP): user-generated specification for security requirements
• Security Target (ST): document describing the ToE’s security properties
• Security Functional Requirements (SFRs): catalog of a product’s security functions
• Evaluation Assurance Levels (EALs): the rating/grading of a ToE after evaluation; has a range of EAL1 to EAL7
IV. Examine the EAL scale and systems that would classify for the following ratings in the scale:
• EAL1: Functionally Tested: Confidence in operation against non serious threats
• EAL2: Structurally Tested: More confidence required but comparable with good business practices
• EAL3: Methodically Tested and Checked: Moderate level of security assurance
• EAL4: Methodically Designed, Tested, and Reviewed: Rigorous level of security assurance but still economically feasible without specialized development
• EAL5: Semi formally Designed and Tested: Certification requires specialized development above standard commercial products
• EAL6: Semi formally Verified Design and Tested: Specifically designed security ToE
• EAL7: Formally Verified Design and Tested: Developed for extremely high-risk situations or high-value systems