An Introduction to ISO 15408

Introduction

ISO standard 15408 outlines the Common Criteria for Information Technology Security Evaluation; in short, it describes how the security of an IT product is evaluated against industry standards. How many parts are there to ISO 15408? What does ISO 15408 say?

ISO Standard 15408

ISO 15408-1 sets the general model used for evaluating IT security. What are the objectives of an IT security system? What are the requirements of an IT security system? What specifications should be used?

ISO 15408-2 outlines the security functional requirements for individual components of the information technology system. ISO 15408-2 also gives guidance on how to create security requirements when there is no existing set of functional requirements to draw on.

ISO 15408-3 sets the standard for security assurance requirements. How do you evaluate Protection Profiles, called PPs for short? How do you evaluate Security Targets, or STs? ISO 15408-3 describes how to do this. ISO 15408-3 also defines Evaluation Assurance Levels, or EALs, the Common Criteria scale used to rate targets of evaluation.

Terminology Used in ISO 15408

A protection profile is a generic type of security device. Examples of protection profiles include authentication tokens and firewalls. A security target is a specific type of security device. A security target would be an RSA brand authentication token or a wired router with a firewall. The Target of Evaluation, or TOE, is a specified model of the product or configuration that must be security tested. Product developers must prove that a specific device they created, the Target of Evaluation, meets the security requirements of the protection profile for their class of device. TOE security requirements are broken down into functional requirements and security assurance requirements.

A router with a built in firewall has a higher EAL rating than one without.

Evaluation Assurance Levels

What is an EAL? Evaluation Assurance Levels, or EALs, are defined in ISO 15408-3. Evaluation Assurance Levels range from one to seven, with one being the lowest and seven being the highest in terms of the information security protection level offered. Evaluation Assurance Level 1 means that the product has been functionally tested. EAL 2 (Evaluation Assurance Level 2) products have been structurally tested. Evaluation Assurance Level 3 items have had their security tested and found to meet ISO 15408 security levels with minimal changes.

Evaluation Assurance Level 4 items have had significant independent security testing. The product may have been re-engineered to meet ISO information security standards or the developer is willing to make changes to the product to meet ISO security standards.

Evaluation Assurance Level 5 means that the item must meet a very high security standard and has been independently tested from the development stage onward. This level is called semi-formally designed and tested.

Evaluation Assurance Level 6 (EAL 6) means that the product is designed for high security risk applications and has had additional information security protections built in. This level of EAL generally increases the cost of the product. Evaluation Assurance Level 7 or EAL 7 is called “formally verified design and tested”. The product was evaluated both in the design phase and the development stage to offer very high levels of protection.

Related Standards

ISO 24759 gives the test requirements set by the ISO for cryptographic modules. ISO 18043 gives the standards for the selection, installation and operation of intrusion detection systems, also called IDS. ISO 27004 outlines the process of creating measures to assess how effective an information security management system and its controls are.

ISO standard 31000 is the general set of standards for risk management. ISO 27005 is the standard specifically intended for information security risk management. ISO Guide 73 gives the definitions of vocabulary terms used in all risk management standards by the ISO.
