ISO/IEC 15408 and your morning oatmeal

That morning bowl of oatmeal has a lot more in common with ISO/IEC 15408 than you probably thought.

For starters, oatmeal is machined to certain specifics, certified gluten-free, very unexciting, and yes, it’s nutritious.  Consider it a basic building block of a healthy breakfast.

ISO 15408 is the international standard for certifying computer security. You could say that ISO 15408, also called the Common Criteria, provides the basic recipe for cooking up a secure IT product or system. This is the framework by which organizations show that their product specs, the implementation, and security evaluations have all been done in a systematic and repeatable way. While there are no guarantees of security, it reduces the risk of a monster screw-up – just like measuring the raw oats, milk, and salt helps reduce the chances of a runny or burnt bowl of oatmeal.

Boring yes, but experience shows us that most individuals cook their oatmeal in a systematic way because they want dependable results. And, the same is true for their security.
And it is really is different than the ISO 27001 specifications for implementing an information security management system (ISMS). (A lot more will be said about  ISO 27001 at a different time.)

ISO 15408 establishes eleven different families of functional and guarantee constraint classes for evaluating security. These are much more detailed than the average oatmeal recipe and include everything from audit to user data protection:

• Audit

• Communication

• Cryptographic support

• User data protection

• Identification and authentication

• Security management

• Privacy

• Security functions protection

• Resource utilization

• Access

• Trusted path/channels

An exhaustive list? Yes. But now it gets better. Safetica 5 is able to cover 2/3s of these functional component requirements. Just in the user data protection class (labeled as FDP), Safetica helps its clients meet nine requirements including:

• FDP_ACC – Access control policy

• FDP_IFF – Information flow control functions

• FDP_RIP – Residual information protection

So remember when it comes to ISO/IEC 15408 – and your organization’s need to follow the Common Criteria – Safetica provides some great cooking guidance.  To take a look at the complete list, just download the PDF or contact Safetica.