Evaluation Assurance Level

The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL does not measure the security of the system itself; it states only the level of rigour at which the system was tested.

To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

Although every product and system must fulfill the same assurance requirements to achieve a particular level, they do not have to fulfill the same functional requirements. The functional features for each certified product are established in the Security Target document tailored for that product's evaluation. Therefore, a product with a higher EAL is not necessarily "more secure" in a particular application than one with a lower EAL, since they may have very different lists of functional features in their Security Targets. A product's fitness for a particular security application depends on how well the features listed in the product's Security Target fulfill the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL should indicate the more trustworthy product for that application.


