
Common Criteria - ISO standard

Last post 05-08-2007 10:52 AM by Jason. 3 replies.
Page 1 of 1 (4 items)
  • 05-03-2007 11:34 PM

    Common Criteria - ISO standard

    Common Criteria (CC) is an ISO 15408 standard for evaluating the security functionality of IT products. Has anybody on this forum worked in this area?

    It is supposed to replace the Orange Book standards and is adopted by more than 22 nations.

    I am 2 months into this standard and already see a lot of loopholes and ways to better this standard.

    Is anybody interested in collaborating and researching ways to improve this international standard? Measuring the effectiveness of security products is a non-deterministic function, and CC is actually a good step forward but still requires a lot of refinement.

    I would like to hear from the group if anybody is interested.

    Thanks

    Venkata Achanta

  • 05-04-2007 8:42 AM In reply to

    • mcurphey
    • Joined on 02-13-2007
    • Europe
    • Posts 199

    Re: Common Criteria - ISO standard

    CLEFs (Certified Licensed Evaluation Facilities) and the industry around evaluation criteria are pretty mature.

    Have you thought about joining the ISO panel to influence it that way?

  • 05-04-2007 7:58 PM In reply to

    Re: Common Criteria - ISO standard

    Hi Mark,

    You are right! How would I go about joining an ISO panel?

    Anyways, I was thinking about collaborating and researching the pitfalls and advantages of the current standard and developing a research document to present at a conference like this one, http://www.8iccc.com/ - not this year, as there is too little time, but for next year.

    Or even at RSA Conf 2008.

    The standard is a great framework in theory but not so practicable; as it is, it's a great burden to all the bodies involved without significant payouts (in terms of improvement in the security posture of the product).

  • 05-08-2007 10:52 AM In reply to

    • Jason
    • Joined on 03-02-2007
    • Posts 17

    Re: Common Criteria - ISO standard

    A major problem that I currently see consistently is the mix of policies, procedures, and standards all in one document. I think before starting the policy framework as a group we need to have solid definitions for each of these terms. We should also develop a top 10 list of items that must be documented in a policy to help with SOX, ISO, COBIT type audits. For example, I recently did a post on my blog about security roles and responsibilities and the different ways they are documented. I'm sure if we did a more detailed analysis there are many other items, such as policy owner, confidentiality level, etc.


    Blog: http://infosecalways.com/2007/05/08/roles-responsibilities-in-policy/

All Rights Reserved - The ISM-Community