Corporations spend millions of dollars getting their products Common Criteria-certified. Certification validates that a product has been tested against an international security evaluation standard and meets its stated security claims. Yet the Common Criteria standard does not mandate that the claims companies make be at rigorous security levels; it merely advocates thorough testing.
Much has been written and voiced about the limitations and costs of Common Criteria by the technology industry, standards bodies and government sectors that use the certification as a buying criterion for their programs. Yet, Common Criteria certifications are being pursued at increasing rates to get accreditation for sales – especially into the government sector. Through 2007, almost 900 Common Criteria evaluations of products or Protection Profiles – and an increasing number of re-certifications – were completed internationally.
Are we doing the right thing?