Evaluation/Certification

Many companies require independent analysis of their security products.  This may be imposed through legislative requirement, through IT community demands, the need to demonstrate compliance with a standard or the desire to further improve the robustness of their product.  There are a number of evaluation and certification schemes aimed at various aspects of security.  The Common Criteria allows the evaluation sponsor (developer) to select what functions are to be tested in the evaluation and the rigour to which they will be tested, through use of a catalogue of functional (Part 2) and assurance (Part 3) components.

Other security evaluation and certification schemes include:
  • The Commercial Product Assurance (CPA), CESG's new framework for gaining confidence in any commercial security product. Security Characteristics (akin to CC protection profiles) are under development by CESG for different classes of security product.  See CPA Reportback for a reportback from the CESG CPA event held in February 2011.
  • The Cryptographic Module Validation Programme (CMVP), jointly run by NIST (USA) and CSE (Canada), for the assessment of cryptographic modules against a predefined standard.
  • The CESG Claims Tested Mark (CCTM) Scheme, now run by CESG, the UK National Technical Authority for Information Assurance, having moved from the ownership of the Central Sponsor for Information Assurance (CSIA) in April 2008.  This scheme provides a basic level of assurance that the functionality of the IT security product/service has been independently tested.
  • The UK Payment Scheme (formerly APACS) certification of PIN Entry Devices (PED) used in point-of-sale terminals, evaluated against the UK Payment Scheme's Protection Profile.