A CC-based security engineering process evaluation model

Common Criteria (CC) provides only the standard for evaluating an information security product or system, namely the target of evaluation (TOE). SSE-CMM, on the other hand, provides the standard for evaluating the security engineering process. Under the CC, the TOE's security quality may be assured, but its drawback is that the development process is neglected. SSE-CMM seems to assure the quality of a TOE developed in an organization equipped with a security engineering process, but a TOE developed in such an environment cannot avoid CC-based security assurance evaluation. We propose an effective method of integrating the two evaluation methods, CC and SSE-CMM, and develop a CC-based assurance evaluation model, CC_SSE-CMM. CC_SSE-CMM presents a specific and realistically operable organizational security process maturity assessment and CC evaluation model.