HomeWork-Network Security is Evaluated Assurance Level (EAL) enough?

Hello:

I would like to know how does the Common Criteria and EAL of a product determines how much security is acceptable. Below is the  assignment question:

Question
Sometimes commercial products include the fact that they are approved to meet Common Criteria at some specified Evaluated Assurance Level  (often EAL 3 or EAL 4) in the product literature. Assuming that this is a true claim ( verify it by looking at the “evaluated products list” on the National Information Assurance Partnership website), why is this not enough to just say “this product meets our security requirements”? Discuss what else needs to be considered before selecting such a product for a system.
SundayyAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Justin OwensConnect With a Mentor ITIL Problem ManagerCommented:
Think about this in terms of umbrellas.  The EAL level is for the software itself.  It does not include (necessarily) include the server OS, the firewall changes, the ports open, the protocols.  It includes just what the software on the server/workstation is doing while on that server/workstation.

Once a EAL approved software is selected, you will have to see how it affects the enterprise as a whole: what ports needs to be opened which are currently closed, what STIG Waivers will this require, how will this affect other technologies used, etc.

DrUltima
0
 
SundayyAuthor Commented:
Thank you for the info.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.