Affiliation:
1. Department of Information Security, National University of Sciences and Technology, Islamabad, Pakistan
2. Department of Software Engineering, National University of Sciences and Technology, Islamabad, Pakistan
3. Al-Farabi Kazakh National University, Almaty, Kazakhstan
Abstract
Over the last few years, private and public organizations have suffered an increasing number of cyber-attacks owing to excessive exploitation of technological vulnerabilities. The major objective of these attacks is to gain illegal profits by extorting organizations, which adversely impacts their normal operations and reputation. To mitigate the proliferation of attacks, it is important for manufacturers to evaluate their IT products against a set of security-related functional and assurance requirements. Common Criteria (CC) is a well-recognized international standard that focuses on ensuring the security functionalities of an IT product, with special emphasis on IS design and life-cycle. In addition, it provides a list of assurance classes, families, components, and elements on the basis of which security EALs can be assigned to IT products. In this survey, we provide a quick overview of the CC, followed by an analysis of country-specific implementations of CC schemes to develop an understanding of critical factors. These factors play a significant role by assisting in the evaluation of IT products in accordance with CC. To serve this purpose, a comprehensive comparative analysis of four schemes, belonging to the US, the UK, the Netherlands, and Singapore, has been conducted. This comparison has helped us propose best practices for realizing an efficient new CC scheme in countries that have not yet designed one and for improving the existing CC schemes. Finally, we conclude the paper by providing some future directions regarding automation of the CC evaluation process.
Funder
Higher Education Commission
National Center for Cyber Security for the affiliated lab National Cyber Security Auditing and Evaluation Lab
Cited by
11 articles.