Title: A CC-based security engineering process evaluation model
Authors: Jongsook Lee, Jieun Lee, Seunghee Lee, Byoungju Choi
DOI: 10.1109/CMPSAC.2003.1245332 (https://doi.org/10.1109/CMPSAC.2003.1245332)
Venue: Proceedings 27th Annual International Computer Software and Applications Conference (COMPSAC 2003), vol. 48, no. 1
Publication date: 2003-11-03
Publication type: Journal Article
Open access: no
Citation count: 34
Abstract
The Common Criteria (CC) provide only a standard for evaluating an information security product or system, the target of evaluation (TOE). SSE-CMM, on the other hand, provides a standard for evaluating the security engineering process. A CC evaluation can assure the security quality of the TOE, but its weakness is that the development process is neglected. SSE-CMM appears to assure the quality of a TOE developed by an organization that has a security engineering process in place, yet a TOE developed in such an environment still cannot avoid CC-based security assurance evaluation. We propose an effective method of integrating the two evaluation methods, CC and SSE-CMM, and develop a CC-based assurance evaluation model, CC_SSE-CMM. CC_SSE-CMM presents a specific and realistically operable model for organizational security process maturity assessment together with CC evaluation.