PARA'04 State-of-the-Art
in Scientific Computing
June 20-23, 2004

Updated: 5 March 2004

CC-SEMS: A CC based Information System Security Evaluation Management System

Young-whan Bang, Yeun-hee Kang and Gang-soo Lee
University, email: gslee@eve.hannam.ac.kr

Many kinds of information security products have been developed, evaluated and certified since the mid-1980s under various evaluation criteria and schemes such as TCSEC, ITSEC, CTCPEC and CC (Common Criteria). The CC, standardized as ISO/IEC 15408, unifies the other criteria into a single set of evaluation criteria.

Most product evaluations take 6 to 12 months or more from the start and cost a few hundred thousand dollars or more, depending on the target Evaluation Assurance Level (EAL) and the Security Target, which is a security requirement specification. The elapsed time and cost of the security evaluation process depend not only on the availability of correct developer documentation (deliverables) and the reusability of work performed in previous evaluations of the same product or system, but also on the effectiveness of the evaluation environment in an evaluation facility. An evaluation facility (e.g., CLEF, CCTL) should have a cost-effective Security Evaluation Management System (SEMS) in its evaluation environment for cooperative and concurrent management of evaluation resources such as evaluators, tools, deliverables and criteria. Thus, we develop a SEMS to be used as a cost-effective evaluation project management tool for a CC-based security evaluation facility. SEMS is not only an instance of a groupware or workflow management system, but also an application of the Security Engineering paradigm.
