There is no way to say it, I found this system assurance evaluation stuff incredibly boring.
It’s probably not going to be tested heavily on the CISSP exam, but there are a few things they might want you to know.
Think of this post as a place where you can come to to get some quick memory-refreshing facts about the Common Criteria EAL levels instead of having to comb through a giant book or technical Google search.
Why Do We Need the Common Criteria?
Common Criteria is now the industry standard measure for system evaluation.
When we say “system”, think of an operating system like Windows.
TCSEC and ITSEC either had too many levels of evaluation (confusing), or didn’t cover all the issues in a growing security world(frustrating).
Common Criteria solves both these issues by asking “What’s the issue these days and how can it be resolved?” through the use of protection profiles.
Programmers use protection profiles to design the system.
The Different Assurance Levels for Common Criteria
Memorize more the EAL levels, rather than the bullet points.
EAL1 – Functionally Tested
Security is not a serious concern
Some confidence in correct operations of system
EAL2 – Structurally Tested
Some developer insight and cooperation is required, mostly for legacy systems
EAL3 – Methodically Tested and Checked
Some level of assured security
Thorough analysis of TOE without extra engineering
EAL4 – Methodically Designed, Tested and Reviewed
Some to high level of security assurance
MOST operating systems today are evaluated at EAL4 < Remember this!
EAL5 – Semiformally Designed and Tested
High level of security assurance
Thorough development cycle process without extra cost
TOE is most likely customized to meet EAL5
EAL6 – Semiformally Verified Design and Tested
Designed for high value systems that are at high risk
Could be for custom military operating systems
EAL7 – Formally Verified Design and Tested
For extremely high value assets which are vulnerable to high security risks
The assets the system is used to protect are worth the costs