Is the CC the only way?


Working with many product vendors and other users of evaluation criteria, since their very conception in the days of the Orange Book and the ITSEC, sheds light on why the CC does some things rather well and others not. There can be no doubt, for example, that the CC has helped some vendors improve their software engineering processes and gain market penetration. On the other hand, there have always been complaints about the time and cost of evaluations, technical deficiencies, particularly in the area of “evaluation by parts”, mutual recognition and so on.

It is interesting to compare these experiences with developments in other areas of information security over the same time frame, such as computer audit as seen from the perspective of the accountancy profession. In doing so, we learn that different groups of experts have tackled similar problems but in widely different ways.

This presentation examines the history of the CC and its predecessors, in comparison with other standards, such as information security management and computer audit. It identifies their strengths and weaknesses and suggests some ways that the CC community could learn from techniques used in other areas of information security in the future.