Evaluation of application systems by ISO/IEC TR 19791


Although ISO/IEC 15408 (Common Criteria: CC) covers the evaluation of both IT products and systems, the present criteria lean strongly toward products. Most of the evaluation track record consists of product evaluations, and system evaluations are, for the most part, not carried out. A system is an integrated unit of multiple products. A system involves many factors that products do not: for example, the operational environment changes from moment to moment, and the behavior of personnel strongly influences protected assets alongside the IT security functions. It is therefore necessary to establish new evaluation technology that adds these system factors to the present criteria.
The security techniques for system evaluation are named ISO/IEC TR 19791, and standardization work is under way. As part of that work, the JEITA IT Security Center is carrying out a pilot evaluation of an application system model that is actually in operation. In this presentation, drawing on our experience from the pilot evaluation of the application system, we propose points for developing a System Security Target (SST), a view of the Evaluation Assurance Level (EAL) for systems, and an associated method of efficient evaluation aimed mainly at the SST.