CISSP Domain 3 Review / Mind Map (2 of 9) | Evaluation Criteria

Destination Certification
Review of the major Evaluation Criteria concepts and terms, and how they interrelate, to help you re...
Video Transcript:
Hey, I'm Rob Witcher and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to evaluation criteria in Domain 3, to understand how they interrelate and to guide your studies. This is the second of nine videos for Domain 3; I've included links to the other mind map videos in the description below.

As part of building a secure environment, every organization is going to need to acquire various products from vendors: firewalls, routers, intrusion detection systems, and so on. As security professionals advising the acquisition process for such products, we must ensure the products are well designed and provide the security functionality the organization requires. But here we encounter a challenge. If we ask, say, a firewall vendor, "Hey, how secure is your product?", what are they going to say? They're gonna say something like, "My firewall's the greatest thing since sliced bread; grown men literally weep in awe of my product's shining brilliance." Should we as security professionals believe this marketing malarkey? Absolutely not. So how then do we compare different vendors' products and trust the claims about a product's functionality? Evaluation criteria.

Evaluation criteria are independent, objective evaluation systems for products. Here's how this works: a vendor will create a product, then the vendor will pay an independent testing lab to evaluate their product using one of the evaluation criteria we're going to talk about in a moment. The independent lab will test the product, give it a rating, and produce a report that the vendor can then hand out to their customers. And customers are going to trust the rating in the report because it was provided by an independent testing lab, not the vendor.

There are two major steps involved with evaluation criteria: the first is certification and the second is accreditation. We'll start with certification, which is the comprehensive technical analysis of a solution or product to ensure it meets our needs. In other words, the certification step is where the independent testing lab evaluates a product and gives it a rating.

Let's look at the different evaluation criteria systems that have been developed, starting with one of the oldest: TCSEC, the Trusted Computer System Evaluation Criteria, otherwise known as the Orange Book, because the cover of the TCSEC was pink. It's orange. It was orange. TCSEC was only designed to evaluate the confidentiality that a system provides, and TCSEC was only designed to evaluate a product that is not connected to a network: single standalone boxes only. TCSEC defines seven functional levels that a product could be rated at based on the evaluation, starting with the lowest possible rating, which is D1, which means the product failed or it wasn't tested. Not a reassuring rating for a product. Next up is C1, which means the product provides weak protection mechanisms. Next is C2, and each of these levels builds on the previous, so C2 adds that the product provides strict login procedures. C2 is the most common rating for products. B1 is where labeling becomes a requirement for products; remember that: B1, labeling. B2 means products provide security labels and verification of no covert channels. B3 means products provide security labels, verification of no covert channels, and must stay secure during startup. And finally, the highest possible functional rating that a product can achieve is A1, verified design: so secure it is virtually unusable.

ITSEC, the Information Technology Security Evaluation Criteria, is a big improvement on the older TCSEC. ITSEC can be used to evaluate not just the confidentiality that a product provides but also the integrity. ITSEC can be used to evaluate devices that are connected to a network, and ITSEC uses exactly the same functional levels as TCSEC that we just went through: D1, C1, C2, B1, etc. The final major improvement that ITSEC added is that it can be used to evaluate not just the functionality that a product provides but also the assurance. Remember, functional means what the system should do, and assurance means how do we verify, how do we test, that it is working correctly. So ITSEC can be used to evaluate the level of assurance that a product can provide. These are the levels referred to as the evaluation levels, or E levels, and there are seven of them: E0 up to E6. I don't think you need to memorize the specifics of these levels.

OK, now the latest and greatest evaluation criteria: the Common Criteria for Information Technology Security Evaluation. Everyone just calls it Common Criteria. Common Criteria has been adopted as an international standard, specifically ISO 15408. The Common Criteria evaluation process begins with defining a protection profile, which identifies the security requirements for a class of security devices: for firewalls, for smart cards, etc. So the protection profile is a class of devices. The target of evaluation, the TOE, defines the specific product or system that will be evaluated. This is the specific product provided by the vendor to be evaluated; for example, a Cisco ASA 5500-X firewall could be the TOE, the target of evaluation. The security target is a document prepared by the product vendor which defines the specific functional and assurance security properties and capabilities that the vendor claims are built into the target of evaluation. The independent testing lab will then test the functional and assurance aspects of the target of evaluation, and the end result will be an EAL rating, an Evaluation Assurance Level rating.

Before we get into the EAL ratings, here's a visual summary of the Common Criteria process. Now on to the EAL ratings, of which there are seven, starting from the lowest rating, EAL1, which means only the functionality of the product was tested. EAL2 means only the structure of a product was tested. EAL3: methodically tested and checked. You'll notice that these build on each other. EAL4: methodically designed and reviewed. EAL5: semi-formally designed and tested. EAL6: semi-formally verified, designed, and tested. And the best possible rating, EAL7: formally verified and designed. I would highly recommend that you memorize these EAL levels and the order of them.

And now, last but certainly not least, the final major piece of evaluation criteria: accreditation. As I discussed at the beginning, the whole point of evaluation criteria is to help an organization evaluate and compare different products and choose the best solution for their organization. The final step in selecting a product is management's approval and sign-off. This is accreditation: official management sign-off, for a set period of time, to purchase and deploy a product in the organization.

And that is an overview of evaluation criteria within Domain 3, covering the most critical concepts to know for the exam. If you found this video helpful, you can hit the thumbs up button, and if you want to be notified when we release additional videos in this mind map series, then please subscribe and hit the bell icon to get notifications. I'll provide links to the other mind map videos in the description below. Thanks very much for watching, and all the best in your studies.