Certification
Computer security evaluation is the detailed examination and testing of the security features of an IT system or product to ensure that they work correctly and effectively and do not show any exploitable vulnerabilities.
Process of Evaluation
There are three stages in the evaluation and certification process:
- Plan: The planning phase of an evaluation is used to inform the ACA of the intention to conduct an evaluation project and to prepare for evaluation by scheduling activities and allocating resources. The evaluation project stakeholders commit to a challenging and realistic schedule to ensure a timely project conclusion.
- Conduct: During the conduct phase of an evaluation project:
  - evaluation input deliverables are provided by the developer/sponsor;
  - the evaluators perform the technical evaluation work;
  - the certifiers perform technical oversight activities in accordance with the work program and schedule defined during the planning phase.
- Conclude: The conclude phase of an evaluation is used to finalise all project activities in a controlled manner.
For further information contact the ACA or consult an AISEF.
Guidance for Developers
Government agencies are advised (in some circumstances required) to buy evaluated products. For this reason, evaluation under the AISEP is beneficial for companies wishing to sell their product to government.
To enter a product into evaluation within the AISEP, the developer (or other sponsor) must enlist the services of an AISEF. It is also advisable to hold discussions with the DSD, as the Australasian Certification Authority (ACA), early in the planning process so all evaluation project stakeholders can work together. Early stakeholder engagement and commitment throughout the evaluation are key to achieving a timely result.
Evaluation Support Consultants provide a range of services that may assist the developer (or other sponsor) in the provision of evaluation deliverables, and can be a cost-effective means of professional support throughout the evaluation process.
Persons wishing to engage the services of any company or individual appearing on the Evaluation Support Consultant list should establish, to their own satisfaction, the qualifications and suitability of that company or individual. The Australasian Information Security Evaluation Program (AISEP), Defence Signals Directorate (DSD) and the Commonwealth do not endorse the services or capabilities of the companies or individuals appearing on the Evaluation Support Consultant list.
For further information, please contact the ACA, or you may wish to contact an AISEF or Evaluation Support Consultant.
Guidance for Product Purchasers
Purchasers of information security products should decide whether they require independent assurance of the product and its security features, taking into consideration the security needs of their organisation.
Purchasers utilising the EPL should be aware that the evaluated portion of a product might not include all functionality of the product. To make an informed decision, purchasers should examine the information available on the EPL including the Security Target and Certification Report for any product that they intend to purchase.
The Security Target provides a description of the Target of Evaluation (TOE) and will specifically state which functionality is included within the scope of the evaluation. This information can also be found in the Certification Report and, where one exists, the associated DSD Consumer Guide.
On request, DSD may be able to provide draft versions of the Security Target to potential Australian or New Zealand government consumers while the product is in evaluation.
The assurance provided by a Common Criteria certificate is related to the date of issuance of the certificate and the evaluated configuration of the product. In cases where patches or updates have been subsequently issued by the developer, the user should investigate the changes involved as part of their normal risk management process and decide whether there is sufficient justification to warrant departing from the certified configuration by applying the patch/update.
Products where the vendor has an ongoing assurance continuity programme (involving discussion of changes with their certification body and re-evaluation where necessary) or an evaluated flaw remediation process will provide a much greater level of continuing assurance.
Evaluation results for the evaluated product are published in the Certification Report. This document contains detailed information, including a clarification of the scope of the evaluation and recommendations for the secure use of the product. Certification Reports are available on the EPL or upon request from the AISEP.
For Australian Government users, the EPL is the definitive reference for selecting evaluated products for use in Australian Government systems. DSD's Advice and Assistance Team can assist Australian Government users with selecting appropriate products from the EPL that will meet their security needs.
Product purchasers seeking further guidance should contact DSD's Advice and Assistance Team: assist@dsd.gov.au.nospam (*remove '.nospam' to use this address).
