Necessity and significance of IT Security Evaluation based on International Standards
The ISO/IEC 15408 "Common Criteria for Information Technology Security Evaluation" standards stipulate security evaluation criteria for judging whether products and systems related to information technology have been properly designed and whether their designs have been correctly implemented. ISO/IEC 15408 is primarily based on the Common Criteria (CC), which is developed in the CC project carried out by seven institutions from Canada, Germany, France, the Netherlands, the U.K., and the U.S. It was approved as an ISO/IEC standard in June 1999 and was established in Japan as JIS X 5070 in July 2000.
This standard has made it possible to systematically evaluate the security functions of IT products from various perspectives. When considering which products to purchase, users can compare them by the same standards and thus can more easily install secure products and systems at reasonable cost. For their part, developers can convince society as a whole that they are providing highly secure products and systems.
IPA to become Japan's Sole Certification Body from April 2004
The IT Security Evaluation and Certification Scheme was created in Japan in April 2001 to check the security functions and quality of IT-related products, as a step preceding the construction of a secure foundation for e-Government. IPA developed and verified security evaluation technology, surveyed U.S. and European schemes, and promoted the establishment of the scheme in Japan in cooperation with METI (Ministry of Economy, Trade and Industry) and NITE (National Institute of Technology and Evaluation). IPA has been conducting a variety of activities to make the scheme more widely known and utilized. For example, IPA has been releasing information on this scheme via its Web site, translating the CC (Common Criteria) and CEM (Common Evaluation Methodology) into Japanese, creating tools to support security design evaluation, and holding seminars to ensure a better understanding of the scheme.
CC certification of IT products has been in use since March 2001, following the decision of government ministries at their yearly ministry liaison conference for government information policy. This also marks the foundation of JISEC. In order to increase security reliability, the ministries implemented an international standard (ISO/IEC 15408) that sets regulations for the evaluation and certification of security products.