atsec information security Evaluates IBM z/OS V1R7
AUSTIN, Texas – March 13, 2006 – atsec information security corporation, an independent, standards-based IT (information technology) security consulting and evaluation services company, announced the completion of its security evaluation of IBM z/OS V1R7. The operating system received Common Criteria (CC) certification at evaluation assurance level (EAL) 4+.
The challenge? Evaluate IBM z/OS, the world’s most complex operating system, at its highest ever level of scrutiny and complete this feat in less than a year. There aren’t more than a handful – a very small handful – of providers with the experience and confidence needed to take on a task of this order. Among that small set of labs, atsec information security stands head and shoulders above the rest as the world’s leading evaluator of large, complex operating systems.
atsec’s reputation for excellence and leadership in the Common Criteria industry is built on its consistent record of success in completing evaluation of complex products at ambitious assurance levels. It’s not surprising that achieving certification of this class of products presents much larger challenges than evaluating simple applications. All aspects of evaluation are more difficult to achieve from design to test. Beyond that, evaluation of large, complex products tests the Common Criteria standard itself. atsec has never shied away from playing a leadership role in working through the inherent limitations of the standard to adapt it for this larger role.
Operating system evaluation is the greatest test of competence in the field, and from early in its history as a Common Criteria evaluation lab, atsec has led the way in operating system evaluations under both the German BSI and U.S. CCEVS Schemes. atsec’s record of evaluation at this level since 2002 includes evaluations of IBM AIX 5.2; six Linux versions on five different platforms; IBM z/OS V1R6 at the EAL3 level, as well as the zSeries-based z/VM and PR/SM virtual machine and logical partitioning products.
Of the 42 successful operating system evaluations performed worldwide, as listed on the official Common Criteria Portal Web site (www.commoncriteriaportal.org), 22 were performed by atsec. This list does not yet include the recently finished evaluation of Red Hat Enterprise Linux 4 and the evaluation of z/OS V1R7. Evaluation of the z/OS V1R7 at the rigorous EAL4 level is the most challenging undertaking yet in this series of complex evaluation projects, demonstrating again the world leadership of atsec in the Common Criteria evaluation of operating systems.
atsec has completed more than 30 evaluations since its initial accreditation as a Common Criteria lab by the German BSI Scheme in 2002. Accreditation by the U.S. CCEVS Scheme followed in 2005. Today, the company’s security experts work with confidence under both Schemes to offer quality results and maximum flexibility.
The scope of atsec’s Common Criteria lab accreditations qualifies atsec at the highest currently available level. atsec is accredited to perform evaluations up to and including EAL4+. In addition, atsec is fully eligible to work in direct partnership with either Scheme to conduct evaluations at EAL 5-7, and the company has already completed two EAL5 evaluations of IBM PR/SM products.
atsec’s leadership in the Common Criteria industry is also demonstrated by its commitment to helping shape the standard itself. This level of involvement not only includes helping to test new versions of the standard and contributing to Scheme publications, but also includes pushing the boundaries of the standard by applying it to large, complex systems. atsec has recently performed a prototype evaluation of Linux for the main aspects of the assurance level EAL 4 as a test of the draft Common Criteria v.3 standard.
The long experience and many successes of atsec’s evaluation staff have built the company’s industry-leading ability to deliver complex evaluations in short time frames. The z/OS EAL 4 evaluation finished less than one year after the z/OS EAL3 evaluation, and just two months after the successful conclusion of the Red Hat Enterprise Linux 4 CAPP/EAL4+ Common Criteria certification, also for IBM. This is important because in the world of Common Criteria evaluations, time is very definitely money. Sponsors begin to earn back their investment when the certification is finished, so there is tremendous value in working with a partner who can complete the process efficiently.
Beyond its enviable record of successful, timely completion of complex evaluations, atsec has also built its reputation on the quality of its evaluation deliverables. Interim and final reports reveal thoughtful analysis of the content of document evidence presented (not just a cursory look at the titles of documentation evidence) and provide real value to sponsors, going well beyond simply filling out a checklist of requirements to achieve certification.
About atsec information security
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec launched its U.S. business in May 2003, building on extensive success in Europe dating back to 2000. atsec leverages its deep security, process, and standards expertise to consult on a wide range of IT security needs, enabling clients to establish integrated security management procedures in order to manage security risk and improve data, product, and business process reliability. atsec works with leading global companies such as IBM, HP, BMW, SGI, Swisscom, RWE, and Vodafone. For more information, please visit http://www.atsec.com/01/zOS.