Although we have an extensive library of presentations, we prefer to adapt these or create new ones to customize the whole course to your situation. We appreciate the difficulty of knowing what courses you want, so we list some recurring sets below.
As with all our services, should your needs not be listed explicitly below, please contact us; most likely we can provide you with a custom workshop.
Common Criteria introduction
This course provides the participants with the necessary knowledge and understanding to decide whether Common Criteria is suitable for their situation. It also describes what impact a Common Criteria evaluation process will have on the product, its documentation and the processes of development and production. The course covers all aspects of the CC at the industry standard level EAL4+ from beginning to end, including protection profiles (PPs), security targets (STs), the actual evaluation and surrounding process aspects. These aspects are described from the views of
- the requirement setters (such as government organizations and credit card companies),
- the product developers,
- the evaluators (and behind them: the certifiers), and
- the end-users.
The main focus of the course will be on the practical implementation aspects for the developer, using examples from the smartcard domain.
Subjects covered
The following subjects are covered by this course:
- Common Criteria positioned among the alternatives, discussing relevance and applicability for your product.
- The benefits and costs of Common Criteria evaluations, with comparison to alternatives like EMVco and FIPS-140 evaluations.
- The history, current state and developments for the near future of the Common Criteria standard.
- The essence of the most frequently used protection profiles.
- The process of a Common Criteria evaluation project, including management information such as project outline.
- Common Criteria terminology such as PP, ST, SFR, SAR, FCS_COP, and many more.
Program
The program is designed for participants with limited experience in Common Criteria, with room for in-depth discussions as needed. We expect that participants with a prior understanding of the development process in IT security (such as for smart card products) and/or experience with external product testing will particularly enjoy the course.
Day 1: Theoretical side of the Common Criteria
To explain the application of the Common Criteria, some theoretical groundwork needs to be laid first:
- History of product evaluation methodologies from past (ITSEC) to present (Common Criteria up to the current version 3.1)
- Introduction to Common Criteria
- What is my role in CC as developer, and what are the roles of the Sponsors, Evaluators, Certifiers and end-users?
- What security assurance level (EAL1-EAL7) do I offer my customers?
- What do the various security assurance requirements mean for my documentation, site and processes?
- What do the various security functional requirements mean for my product?
- What existing popular sets of requirements (Protection Profiles) are there?
- General use products
- Operating systems
- Firewalls
- Smartcard domain
- Smartcard hardware
- ePassport
- Java Card
- (Others available on request)
Day 2: Practical side of the Common Criteria
- How does an evaluation against the smartcard hardware protection profile (BSI-PP-0035) go?
- What are the minimum requirements on the product (and what could I add)?
- What are the minimum requirements on the development and production processes?
- What are the pitfalls and how can I avoid them?
- Executive summary of the course
- What are my benefits and costs of CC, also in comparison with other evaluation methods like EMVco?
- How do I set up the evaluation project?