Evaluation Criteria MindMap

Introduction

Hey, I’m Rob Witcher from Destination Certification, and I’m here to help YOU pass the CISSP exam. We are going to go through a review of the major topics related to Evaluation Criteria in Domain 3, to understand how they interrelate, and to guide your studies.

This is the second of 9 videos for domain 3. I have included links to the other MindMap videos in the description below. These MindMaps are one part of our complete CISSP MasterClass.

As part of building a secure environment, every organization is going to need to acquire various products from vendors (firewalls, routers, intrusion detection systems, etc.). As security professionals, advising the acquisition process for such products, we must ensure the products are well designed and provide the security functionality we require.

But here we encounter a challenge. If we ask, say, a firewall vendor: hey how secure is your product? What are they going to say?

Evaluation Criteria

Evaluation criteria.

Evaluation Criteria are independent objective evaluation systems for products.

Here’s how this works: a vendor will create a product, then the vendor will pay an independent testing lab to evaluate their product using one of the Evaluation Criteria we are going to talk about in a moment. The independent lab will test the product, give it a rating, and produce a report that the vendor can then hand out to their customers. And customers are going to trust the rating in the report because it was provided by an independent testing lab, not the vendor.

Certification

There are two major steps involved with Evaluation Criteria. The first is certification, and the second is Accreditation. We’ll start with certification, which is the comprehensive technical analysis of a solution or a product to ensure it meets our needs. In other words, the certification step is where the independent testing lab evaluates a product and gives it a rating.

TCSEC (Orange Book)

Let’s look at the different evaluation criteria systems that have been developed starting with one of the oldest. TCSEC, the Trusted Computer System Evaluation Criteria, otherwise known as the Orange Book… because the book cover for TCSEC was pink..

It’s orange.

Confidentiality only

TCSEC was only designed to evaluate the confidentiality that a system provides.

Single Box only

And TCSEC was only designed to evaluate a product that is not connected to a network. Single stand-alone boxes only.

Functional Levels

TCSEC defines 7 functional levels that a product could be rated based on the evaluation.

D1 – failed or not tested

Starting with the lowest possible rating which is D1, which means the product failed or wasn’t tested. Not a reassuring rating for a product.

C1 – Weak protection mechanisms

Next up is C1 which means the product provides weak protection mechanisms.

C2 – Strict login procedures

Next is C2, and each level builds on the previous, so C2 adds that products provide strict login procedures. C2 is the most common rating for products.

B1 - Security labels

B2 - Security labels and verification of no covert channels

B2 means products provide security labels and verification of no covert channels.

B3 - Security labels, verification of no covert channels, and must stay secure during start-up

B3 means products provide security labels, verification of no covert channels, and must stay secure during start-up

A1 – Verified design

ITSEC

ITSEC, the Information Technology Security Evaluation Criteria, is a big improvement on the older TCSEC.

Confidentiality + Integrity

ITSEC can be used to evaluate not just the confidentiality that a product provides, and but also the integrity

Networked devices

ITSEC can be used to evaluate devices that are connected to a network

Same Functional levels as TCSEC

And ITSEC uses exactly the same functional levels as TCSEC that we just went through, D1, C1, C2, B1, etc…

Assurance Levels

The final major improvement that ITSEC provides is that it can be used to evaluate not just the functionality that a product provides, but also the assurance. Remember functional means what a system should do, and assurance means how do we verify / test that it is working correctly. So ITSEC can be used to evaluate the level of assurance that a product can provide. These levels are referred to as the Evaluation levels. Or E Levels, and there are seven of them

E0

E0

E1

And ITSEC uses exactly the same functional levels as TCSEC that we just went through, D1, C1, C2, B1, etc…

E2

And ITSEC uses exactly the same functional levels as TCSEC that we just went through, D1, C1, C2, B1, etc…

E3

to

E4

E5

E6

E6. I don’t think you need to memorize the specifics of these levels

Common Criteria

Okay, now the latest and greatest evaluation criteria: The Common Criteria for Information Technology Security Evaluation – everyone just calls it Common Criteria.

ISO 15408

Common Criteria has been adopted as an international standard. Specifically, ISO 15408

Protection Profile

The Common Criteria evaluation process begins with defining a Protection Profile (PP) which identifies the security requirements for a class of security devices (e.g. firewalls, smart cards, etc.)

Target of Evaluation

The Target of Evaluation (TOE), defines the specific product or system that will be evaluated. This is the specific product provided by the vendor to be evaluated. For example, a Cisco ASA 5515-X Firewall could be the TOE. The Target of Evaluation.

Security Targets

The Security Target (ST) is a document prepared by the product vendor which defines the specific functional and assurance security properties and capabilities that the vendor claims are built into the Target of Evaluation.

Functional & Assurance Requirements

The independent testing lab will then test the functional and assurance aspects of the Target of Evaluation

Assign EAL

And the end result will be an EAL rating. An Evaluation Assurance Level rating.

Before we get into the EAL ratings, here is a visual summary of the common criteria process.

Now onto the EAL ratings, of which there are 7.

EAL1 – Functionally tested

Starting from the lowest rating EAL1 – which means only the functionality of the product was tested

EAL2 – Structurally tested

EAL3 – Methodically tested & checked

EAL4 – Methodically designed, tested & reviewed

You will see that these levels build on each other
EAL4 - Methodically designed, tested & reviewed

EAL5 – Semi formally designed & tested

EAL5 - Semi formally designed & tested

EAL6 – Semi formally verified designed & tested

EAL7 – Formally verified designed and tested

And the best possible rating:
EAL7 - Formally verified designed & tested

I would highly recommend that you memorize these EAL levels and the order of them

Accreditation

And now last, but certainly not least the final major piece of Evaluation Criteria: Accreditation.

As I discussed at the beginning, the whole point of evaluation criteria is to help an organization evaluate and compare different products and choose the best solution for their organization.

The final step in selecting a product is management’s approval and sign off. This is accreditation: official management signoff for a set period-of-time to purchase and deploy a product in the organization.

And that is an overview of Evaluation Criteria within Domain 3, covering the most critical concepts you need to know for the exam.

Are you looking for the easiest way to get your CISSP certification? You should check out our CISSP MasterClass at: destcert.com/CISSP

Link in the description below as well.

If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.

I will provide links to the other MindMap videos in the description below.

Thanks very much for watching! And all the best in your studies!