Google
 
   
Login
Username:

Password:


Lost Password?

Register now!
Search

Advanced Search
Main Menu
top books
Polls
What do you think about php-deluxe.net?
Excellent!
Cool
Hmm..not bad
What the hell is this?
encyclopedia
Computing technology
American Dream Radio
Scope (programming)
Tara Calishain
Launchd
Canary trap
Thomas Siebel
recommendation
compare webbrowser
Freenet DSL
Who's Online
7 user(s) are online (6 user(s) are browsing encyclopedia)

Members: 0
Guests: 7

more...
browser tip
Unix Befehle
manual of unix befehle
recommendation!
Sponsored
partner

Evaluation Assurance Level

An Evaluation Assurance Level (EAL) is an assurance requirement as defined by Common Criteria, an international standard in effect since 1999, to replace the ratings (e.g. C2 ) found in TCSEC that were set by National Computer Security Center. The increasing assurance levels define increasing assurance requirements in computer systems.

Reaching a particular EAL is a process that takes time. An unrated product or system, or one with a low EAL rating, may reach a higher ranking after further testing, so these rankings are not precise indicators of their security for these reasons; a high ranking merely shows the minimum assurance level you can expect from a product or IT system. Operating systems generally called secure rarely reach higher rankings than EAL4. Examples of such operating systems are Novell NetWare, Suse linux, and Windows 2000 Service Pack 3.

Assurance levels

EAL1: Functionally Tested

EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal or similar information. EAL1 provides an evaluation of the TOE (Target of Evaluation) as made available to the customer, including independent testing against a specification, and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimal cost. An evaluation at this level should provide evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against identified threats.

EAL2: Structurally Tested

EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time. EAL2 is therefore applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems, or where access to the developer may be limited.

EAL3: Methodically Tested and Checked

EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. EAL3 is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial re-engineering.

EAL4: Methodically Designed, Tested and Reviewed

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

EAL5: Semiformally Designed and Tested

EAL5 permits a developer to gain maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE will probably be designed and developed with the intent of achieving EAL5 assurance. It is likely that the additional costs attributable to the EAL5 requirements, relative to rigorous development without the application of specialized techniques, will not be large. EAL5 is therefore applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs attributable to specialist security engineering techniques.

EAL6: Semiformally Verified Design and Tested

EAL6 permits developers to gain high assurance from application of security engineering techniques to a rigorous development environment in order to produce a premium TOE for protecting high value assets against significant risks. EAL6 is therefore applicable to the development of security TOEs for application in high risk situations where the value of the protected assets justifies the additional costs.

EAL7: Formally Verified Design and Tested

EAL7 is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs. Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis.

External links

*[http://www.cesg.gov.uk/site/iacs/index.cfmmenuSelected=1&displayPage=13 Common Criteria Assurance Level information from IACS] *[http://www.windowsecurity.com/articles/Windows-Common-Criteria-Certification-Part-I.html Microsoft Windows and the Common Criteria Certification] *[http://www.linuxsecurity.com/content/view/118374/65/ SuSE Linux awarded government security cert]