Information Technology Security Evaluation, Research Paper Example
Assurance in the CC model ensures that an information technology product satisfies its security aims. In the CC model, assurance is provided via active investigation. The evaluation assurance level (EAL) is important because it provides an increasing scale that balances the degree of assurance obtained against the cost and feasibility of getting that level of assurance. In the CC model, assurance is achieved separately in each component of the TOE, both at the conclusion of assessment and during the maintenance of the assurance in the course of the TOE process (Ernst & Martin, 2010). The rating applies the concept of the Orange Book, in which computer systems are required to have hardware and software devices that can be assessed separately in order to achieve an adequate guarantee that the system meets the following requirements: security guidelines, marking, recognition and accountability.
Evaluation assurance level 4 (EAL4) is a breakpoint in that it allows the developer of information technology products to have maximum assurance derived from positive engineering that is grounded on high-quality commercial development practices. This is the point in the EAL hierarchy at which it is possible to gain economic benefits on existing products. The assurance provided by EAL4 is complete in that it is given by a full security target and an analysis of the SFRs in that security target, utilizing a practical and entire interface requirement, guidance certification, an explanation of the primary modular plan combined with part of the implementation to comprehend the security performance, and the intent of showing resistance against intrusion by attackers (Champlain, 2003).
The assurance criteria in Part 3 of the Common Criteria are based on active investigation: an analysis of the information technology product to establish its safety characteristics. This is similar to the assurance criteria of phase one of the Orange Book because both assurances are derived through evaluation. In the CC model, evaluation methods include, but are not limited to, the following: evaluation of processes and methods, ensuring that the processes and methods are followed, evaluation of the interaction between TOE design components, analysis of the TOE representation against requirements and confirmation of evidence (Latham, 1985). They also include the analysis of documents, analysis of the tests developed and their results, independent functionality testing, evaluation of weaknesses and intrusion testing.
Similarly, the assurance in the Orange Book includes functional assurance (system structure and system reliability), durability assurance (security analysis and design condition, and authentication), and certification (security details client manual, reliance facility guidebook, test certification, and structure certification).
The divisions in the Orange Book and the evaluation assurance level ratings in the Common Criteria are related in that they are arranged in a hierarchical order from the lowest division to the highest division (Latham, 1985). Each division or rating represents an improvement in the confidence that can be placed in a system. In the Orange Book the divisions are D, C, B and A, with A representing the systems that give the highest level of security. The EAL ratings range from EAL1 to EAL7. EAL7 is reserved for the development of TOEs for high-risk environments (Merkow & Breithaupt, 2004).
Champlain, J. (2003). Auditing Information Systems. Boston: John Wiley & Sons.
Ernst, D. & Martin, S. (2010). The Common Criteria for Information Technology Security Evaluation: Implications for China’s Policy on Information Security Standards. Washington, D.C.: East-West Center.
Latham, D. (1985). Department of Defense trusted computer evaluation criteria. Fort Meade: National Computer Security Center.
Merkow, M. & Breithaupt, J. (2004). Computer Security Assurance Using the Common Criteria. New York: Cengage Learning.