For this section of the exam, you should be familiar with the Common Criteria for Information Technology Security Evaluation. The Common Criteria (CC) unifies older standards (CTCPEC, ITSEC and TCSEC) into a single standard against which systems can be evaluated. CC evaluations focus on security-related systems and products. The important concepts for this section are:
- To perform an evaluation, you need to select the target of evaluation (TOE). This might be a firewall or an antimalware app.
- The evaluation process will look at the protection profile (PP), which is a document that outlines the security needs. A vendor might opt to use a specific protection profile for a particular solution.
- The evaluation process will look at the security target (ST), which identifies the security properties for the TOE. The ST is usually published to customers and partners and available to internal staff.
- The evaluation will attempt to gauge the confidence level of a security feature. Security assurance requirements (SARs) are documented and based on how the solution was developed; key actions during development and testing should be captured along the way. An evaluation assurance level (EAL) is a numerical rating of the rigor of the evaluation itself (how deeply the TOE was examined), not a direct measure of how secure the product is. The scale runs from EAL1 (cheap and easy) to EAL7 (expensive and complex).