A relationship of configuration management requirements between KISEC and ISO/IEC 15408

There are very many assurance methods and most of them are listed in the ISO/IEC 15443. The objective of ISO/IEC 15443 is to present a variety of assurance methods, and to guide the IT Security Professional in the selection of an appropriate assurance method (or combination of methods) to achieve confidence that a given IT security product, system, service, process or environmental factor satisfies its stated security assurance requirements. In the Part 2 of ISO/IEC 15443, many assurance methods and approaches proposed by various types of organizations are introduced, and in the Part 3 of ISO/IEC 15443, Analysis of Assurance Methods, various assurance methods are analyzed with respect to relationships and equivalency, effectiveness and required resources. This analysis may form the basis for determining assurance approaches and making trade-offs among the various factors for given security applications. The materials in Part 3 contain the mapping SSE-CMM (System Security Engineering Capability Maturity Model) to CC (Common Criteria), TCMM (Technical-CMM) to CC and so forth. SSE-CMM and T-CMM are listed in the Part 2, and the Part 3 selects the assurance method or approach in the Part 2 to verify the relationship of them by using the concepts based on the software engineering. An assurance method KISEC (Korea Information Security Evaluation Criteria) will be included in ISO/IEC 15443 Part 2, and the research about the relationship with respect to software engineering between KISEC and CC is needed. This paper is about the research for the relationship of assurance requirements for configuration management between KISEC and CC. This paper will help the development company of IT product and system to understand the evaluation criteria CC and prepare for an evaluation.