Ontological Mapping of Common Criteria’s Security Assurance Requirements
The Common Criteria (CC) for Information Technology Security Evaluation provide comprehensive guidelines for the evaluation and certification of IT security with respect to data security and data privacy. Because the certification process is very complex and time-consuming, many companies abstain from CC certification. We created the CC Ontology tool, which is based on an ontological representation of the CC catalog, to support the evaluator during the certification process. Tasks such as planning an evaluation, reviewing the relevant documents, and creating reports are supported by the CC Ontology tool. With this tool we reduce the time and cost needed to complete a certification.
Keywords: Resource Description Framework, Common Criterion, Certification Process, Configuration Management, Ontological Mapping
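To illustrate the kind of ontological representation and planning query the abstract describes, the following is an added example (not the CC Ontology tool itself): an excerpt of the CC Part 3 v2.3 assurance structure for the ACM (configuration management) class held as triples, with a query that tells an evaluator which components are extra work when a target of evaluation moves from one EAL to a higher one. The predicate names (cc:inClass, cc:inFamily, cc:hierarchicalTo, cc:requires) and the in-memory store standing in for RDF/SPARQL are this example's own assumptions.

```python
# Added example, not the paper's CC Ontology tool. Predicate names and the
# in-memory triple store are assumptions standing in for RDF/OWL + SPARQL;
# the component identifiers and EAL composition follow CC Part 3 v2.3 (ACM only).
FAMILIES = {"ACM_AUT": 1, "ACM_CAP": 4, "ACM_SCP": 2}  # family -> highest component modelled
TRIPLES = set()  # constructed excerpt of the catalog as (subject, predicate, object)
for fam, top in FAMILIES.items():
    TRIPLES.add((fam, "cc:inClass", "ACM"))
    for n in range(1, top + 1):
        TRIPLES.add((f"{fam}.{n}", "cc:inFamily", fam))
        if n > 1:  # within an ACM family, component n is hierarchical to n-1
            TRIPLES.add((f"{fam}.{n}", "cc:hierarchicalTo", f"{fam}.{n - 1}"))
# ACM components each EAL package requires (EAL1..EAL4 in CC Part 3 v2.3).
for eal, comps in {"EAL1": ["ACM_CAP.1"], "EAL2": ["ACM_CAP.2"],
                   "EAL3": ["ACM_CAP.3", "ACM_SCP.1"],
                   "EAL4": ["ACM_AUT.1", "ACM_CAP.4", "ACM_SCP.2"]}.items():
    TRIPLES.update((eal, "cc:requires", c) for c in comps)

def query(s=None, p=None, o=None):
    """Match one graph pattern; None is a wildcard (SPARQL's idea without its syntax)."""
    return {t for t in TRIPLES if all(w is None or w == x for w, x in zip((s, p, o), t))}

def assurance_class(comp):
    """Component -> family -> class, following the two membership predicates."""
    (fam,) = {o for _, _, o in query(comp, "cc:inFamily")}
    (cls,) = {o for _, _, o in query(fam, "cc:inClass")}
    return cls

def required_components(eal, cls):
    """Components of class `cls` that an evaluation at `eal` must cover."""
    return sorted(o for _, _, o in query(eal, "cc:requires") if assurance_class(o) == cls)

def subsumed(comp):
    """Transitive closure of cc:hierarchicalTo: lower components `comp` already includes."""
    seen, todo = set(), [comp]
    while todo:
        for _, _, lower in query(todo.pop(), "cc:hierarchicalTo"):
            if lower not in seen:
                seen.add(lower)
                todo.append(lower)
    return seen

def augmentation_plan(cls, from_eal, to_eal):
    """Extra work in class `cls` when moving from `from_eal` to `to_eal`: an 'upgrade'
    re-evaluates a family already covered at a lower component, 'new' is an untouched family."""
    have = set(required_components(from_eal, cls))
    plan = {"upgrade": [], "new": []}
    for comp in required_components(to_eal, cls):
        if comp not in have:
            plan["upgrade" if subsumed(comp) & have else "new"].append(comp)
    return plan
```

For a TOE certified at EAL2, `augmentation_plan("ACM", "EAL2", "EAL3")` reports ACM_CAP.3 as an upgrade of the already evaluated ACM_CAP.2 and ACM_SCP.1 as a new family to cover.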