Computer security evaluation is the detailed examination and testing of the security features of an ICT system or product to ensure that they work correctly and effectively and do not show any exploitable vulnerabilities.
There are three stages in the evaluation and certification process:
- Plan: The planning phase of an evaluation is used to inform the Australasian Certification Authority of the intention to conduct an evaluation project and to prepare for evaluation by scheduling activities and allocating resources. The evaluation project stakeholders commit to a challenging and realistic schedule to ensure a timely project conclusion.
- Conduct: During the conduct phase of an evaluation project:
- evaluation input deliverables are provided by the developer or recommending agency
- the evaluators perform the technical evaluation work
- the certifiers perform technical oversight activities in accordance with the work program and schedule defined during the planning phase.
- Conclude: The conclude phase of an evaluation is used to finalise all project activities in a controlled manner.
For further information, contact the Australasian Certification Authority or consult an Australasian Information Security Evaluation Facility (AISEF).
Government agencies are advised (in some circumstances required) to buy evaluated products. For this reason, evaluation under the Australasian Information Security Evaluation Program (AISEP) is beneficial for companies wishing to sell their product to government.
To enter a product for evaluation the developer (or other agent) must enlist the services of an AISEF. It is also advisable to hold discussions with ASD, as the Australasian Certification Authority, early in the planning process so all evaluation project stakeholders can work together. Early stakeholder engagement and commitment throughout the evaluation are key to achieving a timely result.
As a purchaser of information security products, potential buyers should make a decision as to whether they require independent assurance of the product and its security features, taking into consideration the security needs of their organisation.
Purchasers utilising the EPL should be aware that the evaluated portion of a product might not include all functionality of the product. To make an informed decision, purchasers should examine the information available on the EPL including the Security Target and Certification Report for any product that they intend to purchase.
The Security Target provides a description of the Target of Evaluation (TOE) and will specifically state which functionality is included within the scope of the evaluation. This information can also be found in the Certification Report and, where one exists, the associated ASD Consumer Guide.
On request ASD may be able to provide draft versions of the Security Target to potential Australian or New Zealand government purchasers while the product is in evaluation.
The assurance provided by a Common Criteria certificate is related to the date of issuance of the certificate and the evaluated configuration of the product. In cases where patches or updates have been subsequently issued by the developer, the user should investigate the changes involved as part of their normal risk management process and decide whether there is sufficient justification to warrant departing from the certified configuration by applying the patch/update.
Products where the vendor has an ongoing assurance continuity program (involving discussion of changes with their certification body and re-evaluation where necessary) or an evaluated flaw remediation process will provide a much greater level of continuing assurance.
Evaluation results for the evaluated product are published in the Certification Reports. This document contains detailed information including a clarification of the scope of the evaluation and recommendations for the secure use of the product. Certification Reports are available on the EPL or upon request from the AISEP.
For Australian government users, the EPL is a reference for selecting evaluated products for use in Australian government systems. The ISM can assist Australian government users with selecting appropriate products from the EPL that will meet their security needs.
Product purchasers seeking further guidance should contact ASD Advice and Assistance.