4 - Select Controls based on
Systems Security Requirements
Common Criteria (CC)
Define various levels of testing and confirmation of systems security capabilities
ISO/IEC 15408:2022 "Information security, cybersecurity and privacy protection: Evaluation criteria for IT security"
Objectives
Add to buyers' confidence in the security of evaluated, rated IT products
Eliminate duplicate evaluations
Keep making security evaluations more cost-effective and efficient
Make sure evaluations of IT products adhere to high and consistent standards
Promote evaluation and increase the availability of evaluated, rated IT products
Evaluate the functionality of the target of evaluation (TOE)
Based on two key elements
Protection profiles (PP) == "I want"
Specify the security requirements and protections for a product
Security targets (ST) == "I will provide"
Specify the claims of security from the vendor that are built into a TOE
Evaluation Assurance Levels (EAL)
EAL1 == functionally tested
when some confidence in correct operation is required but where threats to security are not serious
EAL2 == structurally tested
when delivery of design information and test results is in keeping with good commercial practices
EAL3 == methodically tested and checked
when security engineering begins at the design stage and is carried through without substantial subsequent alteration
EAL4 == methodically designed, tested and reviewed
when rigorous, positive security engineering and good commercial development practices are used
EAL5 == semi-formally designed and tested
rigorous security engineering and commercial development practices, including specialist security engineering techniques
EAL6 == semi-formally verified design and tested
the application of high-assurance security engineering techniques in a rigorous development environment, in order to produce a premium TOE for protecting high-value assets against significant risks
EAL7 == formally verified design and tested
only for highest-risk situations or where high-value assets are involved
Authorization to Operate (ATO)
An Authorizing Official (AO) is an authorized entity who can evaluate an IT/IS system, its operations, and its risk, and potentially issue an ATO
A typical ATO is issued for 3 years
An ATO must be renewed when...
the ATO time frame has expired
the system experiences a significant security breach
the system experiences a significant security change
An AO can issue four types of authorization decisions
Authorization to Operate (ATO)
issued when risk is managed to an acceptable level
Common Control Authorization
when a security control set or package is inherited from another provider, the risk associated with the common control is at an acceptable level, and the control already has an ATO from the same AO
Authorization to Use
when a third-party provider supplies IT/IS servers whose risk is deemed to be at an acceptable level
Denial of Authorization