Course content

The course is about principles and methods for development of criteria for ICT security evaluation and how these are used to evaluate security.

Example topics are: protection profiles (PPs),security targets (STs), security functionality, functionality classes, assurance correctness, assurance effectiveness, evaluation assurance levels (EALs), certification, accreditation, standardisation of evaluation criteria, national scheme for evaluation and certification.

Learning outcome

A. Knowledge: After having completed the course, the students shall have obtained basic knowledge of the principles and methods which are employed for evaluation of the security of an ICT product or service
B. Skills: To be able to perform a security evaluation based on the requirements expressed in the international standard ISO/IEC IS 15408 Evaluation Criteria for IT Security, Parts 1/3 and the methods described in CEM

Learning methods and activities

Lectures, colloquia, discretionary exercises. If postponed exam (continuation exam) is used, an oral exam may be used as opposed to the normal written exam.

The grading rule is pass/fail. The minimum passing grade is 70/100 points (70%).

Recommended previous knowledge

Master Degree in ICT with emphasis on information security.

Course materials

Internationally standardised criteria for ICT Security evaluation (ISO 15408, Part 1-3, ISO 27001), security evaluation methodology (CEM).

Credit reductions