Five Easy Steps to Successful CC Evaluations Wesley H. Higaki International Common Criteria Conference September 2008
Five Easy Steps

1. Do some research

2. Work with competent consultants and labs

3. Gather internal documentation

4. Allocate time

5. Track business impact


Symantec Background

• Commercial Off-The-Shelf (COTS) product vendor

– Provide security and availability products

– Built up from many small acquisitions

• Experience with CC Consultants

– Experience with both good and bad ones

– We’ve tried doing it without consultants

• Experience with CC Schemes

– Used US CCTLs

– As well as UK and Canadian Labs

• CC Certifications

– 12 successful certifications

– EAL 2 through 4


Intended Audience

• Vendors going through their first CC evaluation

– Tips and pitfalls

• Consultants and labs

– Opportunities to offer additional service


Step 1: Do Some Research

• Clearly define the business case

– Develop the business justification

• Understand the costs for evaluation

– Visible costs: evaluator and consultant fees

– Hidden costs: development team time

– Lost opportunity costs: work displaced by the evaluation

• Understand what is involved in the CC evaluation process

– Consultant opportunity: explaining the process is a service consultants can offer

• Provide the motivation to engage the technical team

– Weigh the costs vs. benefits


Step 2: Hire Competent Consultants and Labs

• Do not go it alone!

• Go with experience

– With CC

– With product technology type

– Good track record

• Pre-evaluation assessment

– Make go/no-go decision after the assessment

• Seek firm, fixed-price contracts

– Incentives for everyone to do things right


Step 3: Gather Internal Documentation

• Hackers and slackers need not apply

• Have procedures and document them

– Documentation needs to reflect reality

• Without documentation, be prepared to answer a lot of questions about the product and processes


Step 4: Allocate Time

• Development and QA cooperation and time allocation are critical to success

– Speaking from experience, without it, the project will fail

• This is a reflection of commitment and business justification


Step 5: Track the Business Impact

• Knowing how much business impact certified products have is important for justifying future efforts

• Makes justifying the next certification easier


© 2006 Symantec Corporation. All rights reserved.  

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.

Thank You!

Wes Higaki, Director – Product Certifications

[email protected]

+1 (650) 527-4701