Evaluation / Validation Primer
What is Product Evaluation and Validation?

IT security is defined as the protection of information from unauthorized disclosure, modification, or loss of use by countering threats to that information arising from human or systems-generated activities, malicious or otherwise. Countering threats to an IT product and mitigating risk helps to protect the confidentiality and integrity of information and also ensures its availability.

Consumers of IT products need to have confidence in the security features of those products. Consumers want to be able to compare various products to understand their capabilities and limitations. Confidence in a particular IT product can be based on the trusted reputation of the developer, past experience in dealing with the developer, or the demonstrated competence of the developer in building products through recognized assessments. The consumer could also test the product directly and obtain the necessary results. The first approach lacks measurable results, and the second approach requires substantial, costly duplication of effort. The Common Criteria Scheme will overcome these limitations and enable consumers to obtain an impartial assessment of an IT product by an independent entity.

This impartial assessment, or security evaluation, includes an analysis of the IT product and the testing of the product for conformance to a set of security requirements. The specific IT product being evaluated is referred to as the Target of Evaluation (TOE). The security requirements for that product are described in its security target. IT security evaluations are composed of analysis and testing, which distinguishes them from the more traditional forms of conformance testing in other areas. It is important that security evaluations of IT products be carried out in accordance with recognized standards and procedures.
The use of standard IT security evaluation criteria and IT security evaluation methodology contributes to the repeatability and objectivity of the results but is not by itself sufficient. Many of the evaluation criteria require the application of expert judgement and background knowledge, for which consistency is more difficult to achieve. To increase the consumer's level of confidence in IT security evaluations, the final evaluation results can be reviewed by an independent party. This review provides independent confirmation that an IT security evaluation has been conducted in accordance with the provisions of the scheme and that the conclusions of the testing laboratory are consistent with the facts presented in the evaluation. This review, known as validation, is intended to promote consistency of IT security evaluations and comparability of results for all evaluations conducted within the scheme.

The impartial evaluation, the independent validation of evaluation results, and the documentation resulting from these processes provide valuable information for consumers about the security capability of IT products. However, consumers will still need to review this information carefully and assess its applicability to local needs (e.g., the situation and operating environment in which the product will actually be used).