Security evaluation is a process by which independent but accredited organizations provide assurance in the security of IT products and systems to commercial, government, and military institutions. Such evaluations, and the criteria upon which they are based, serve to establish a level of confidence for IT purchasers and vendors alike. Furthermore, security evaluation criteria and ratings can be used as concise expressions of IT security requirements. There are two important components of IT security evaluations; the criteria against which the evaluations are performed, and the schemes or methodologies which govern how and by whom such evaluations can be officially performed.
Security evaluation is a process by which independent but accredited organizations provide assurance in the security of IT products and systems to commercial, government, and military institutions. Such evaluations, and the criteria upon which they are based, serve to establish an acceptable level of confidence for IT purchasers and vendors alike. Furthermore, security evaluation criteria and ratings can be used as concise expressions of IT security requirements. There are two important components of IT security evaluations; the criteria against which the evaluations are performed, and the schemes or methodologies which govern how and by whom such evaluations can be officially performed.
1. Common Criteria is an international framework (ISO/IEC 15408) which defines a common approach for evaluating security features and capabilities of information technology security products. A certified product is one that a recognized certification body asserts as having been evaluated by a qualified, accredited, and independent evaluation laboratory competent in the field of IT security evaluation to the requirements of the Common Criteria and Common Methodology for Information Technology Security Evaluation.
2. The FIPS 140-2 program is jointly administered by the US and Canada. In the US, the program is administered by NIST (National Institute of Standards and Technology) through the CMVP (Cryptographic Module Validation Program). In Canada, the program is administered by the Communications Security Establishment of the Government of Canada (CSEC).
For more information, see the Security Evaluations website on Oracle technology Network. For a matrix of Oracle security evaluations currently in progress as well as those completed, please go to Oracle Security Evaluations Status.
Please email seceval_us@oracle.com for all inquiries regarding Oracle security evaluations.
| Independent verification | Security evaluations of product security claims from accredited evaluation facilities. |
| Standard and independent measures of assurance | Each vendors’ security claims are evaluated against standard assurance measures. |
| Product enhancements | Security evaluations can lead to improvements in overall design and implementation of security in the certified solutions. |
| Identification of architectural vulnerabilities | Security evaluations can lead to the identification of architectural vulnerabilities. |