Contact Us for a Free Initial Business Impact Assessment - Domestic: 1-303-357-9818
Contact Us for a Free Initial Business Impact Assessment - Domestic: 1-303-357-9818
XSEC uses internationally recognized security standards and protocols like OWASP, NIST framework, CC, etc., and our assessment approach is designed to assess, identify, and provide a analysis that can identify any gaps your organization has in key areas for cyber security. As Wikipedia defines, these areas can include:
Risk Identification: Tools, strategies, and techniques for the identification and tracking of potential risks, and the organization’s willingness to accept cyber security risk.
Event Protection and Prevention: Tools, strategies, and techniques used to safeguard and ensure delivery of critical information technology infrastructures and systems.
Event Detection: Tools, strategies, and techniques used to detect potential and actual occurrences of a cyber security event taking place, or an event that has taken place.
Event Response: Plans and actions taken in response to an identified cyber security event.
Event Recovery: Plans and actions taken for the resilience and restoration of capabilities or services impaired by a cyber security event.
Common Criteria (CC) evaluations are performed on computer security products and systems.
Target of Evaluation (TOE) – the product or system that is the subject of the evaluation. The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target's security features. This is done through the following:
Protection Profile (PP) – a document, typically created by a user or user community, which identifies security requirements for a class of security devices (for example, smart cards used to provide digital signatures, or network firewalls) relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product's ST (Security Target, as defined below), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target's ST document. Customers looking for particular types of products can focus on those certified against the PP that meets their requirements.
Security Target (ST) – the document that identifies the security properties of the target of evaluation. The ST may claim conformance with one or more PPs. The TOE is evaluated against the SFRs (Security Functional Requirements. Again, see below) established in its ST, no more and no less. This allows vendors to tailor the evaluation to accurately match the intended capabilities of their product. This means that a network firewall does not have to meet the same functional requirements as a database management system, and that different firewalls may in fact be evaluated against completely different lists of requirements. The ST is usually published so that potential customers may determine the specific security features that have been certified by the evaluation.
Security Functional Requirements (SFRs) – specify individual security functions which may be provided by a product. The Common Criteria presents a standard catalogue of such functions. For example, a SFR may state how a user acting a particular role might be authenticated. The list of SFRs can vary from one evaluation to the next, even if two targets are the same type of product. Although Common Criteria does not prescribe any SFRs to be included in an ST, it identifies dependencies where the correct operation of one function (such as the ability to limit access according to roles) is dependent on another (such as the ability to identify individual roles).
xSEC establishes a roadmap through our evaluation process that will show an individual or a company any weakness and how to resolve them. xSEC's strict quality control process for Security Assurance is extensive and can include the following:
Security Assurance Requirements (SARs) – descriptions of the measures taken during development and evaluation of the product to assure compliance with the claimed security functionality. For example, an evaluation may require that all source code is kept in a change management system, or that full functional testing is performed. The Common Criteria provides a catalogue of these, and the requirements may vary from one evaluation to the next. The requirements for particular targets or types of products are documented in the ST and PP, respectively.
Evaluation Assurance Level (EAL) – the numerical rating describing the depth and rigor of an evaluation. Each EAL corresponds to a package of security assurance requirements (SARs, see above) which covers the complete development of a product, with a given level of strictness. Common Criteria lists seven levels, with EAL 1 being the most basic (and therefore cheapest to implement and evaluate) and EAL 7 being the most stringent (and most expensive). Normally, an ST or PP author will not select assurance requirements individually but choose one of these packages, possibly 'augmenting' requirements in a few areas with requirements from a higher level. Higher EALs do not necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively verified.
XSEC SECURITY ASSESSMENTS PROTECT YOU AND YOUR COMPANY
xSec Limited
Denver, CO / NYC, NY
Copyright © 2020 xSec Limited - All Rights Reserved.
Proudly GoDaddy Driven
We use cookies on our website. By continuing to use this site, you accept our use of cookies.