Security evaluation
IT products security evaluation laboratory

The security laboratory of RCII, the first IT products security laboratory in Iran, is also the first such laboratory to obtain the ISO 17025 certificate, which accredits laboratories that perform security testing.

The IT products security evaluation tests carried out at RCII are based on the ISO/IEC/ISIRI 15408 standard. This standard is divided into three parts: the first covers the concepts, the second the security functional requirements, and the third the security assurance requirements. CEM is the methodology used to perform the tests.

The security requirements that each IT product must meet are identified from the security objectives set for that product, the threats to those objectives and the vulnerabilities that could undermine them; these requirements form the basis of the security tests. Additional standards used alongside the security evaluation process include CCWAPS, OWASP, CLASP and PTES.
The steps of the security evaluation test as performed in RCII’s laboratory are as follows:

• Submission of the product and a letter requesting the security evaluation test by the applicant
• Identification of the security requirements the product under evaluation must meet
• Submission of the product’s required documents to the laboratory by the applicant
• Evaluation and verification that the security requirements are correctly implemented
• Presentation of the test results and failures
• Issuance of the accreditation certificate and the relevant hologram, at the applicant’s request

When the tested product lacks such documentation, the procedure for preparing it includes:

• Preparing the protection profile by the laboratory and having it confirmed by a government organization
• Preparing the security target document by the applicant, based on the protection profile and the requested evaluation level
• Identifying the threats and security objectives for the product under test
• Choosing the security functional requirements for the product under test
• Reconciling the security objectives with the functional requirements
• Identifying the dependencies among the functional requirements
• Identifying the security functional requirements with respect to the requirements of the evaluation level under test
• Reconciling the evaluation requirements with the security objectives
• Identifying the evaluation relations
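The documentation steps above amount to building a traceability chain (threats are countered by security objectives, objectives are met by security functional requirements, and the chosen requirements must satisfy one another's dependencies) and then checking that the chain has no gaps. The following script is an added illustration of that check; it is not RCII's tooling and does not come from the page. The SFR dependency table is an abridged, illustrative subset of ISO/IEC 15408 Part 2 and must be checked against the standard for a real security target, and the sample threats, objectives and mappings are constructed for the example.

```python
"""Traceability and dependency check for a Common Criteria style security target.

Added example (not RCII's code). The dependency table below is an abridged,
illustrative subset of ISO/IEC 15408 Part 2; verify against the standard
before relying on it for a real evaluation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Each inner tuple lists alternatives of which at least one must be selected
# (e.g. FMT_MSA.1 needs FDP_ACC.1 or FDP_IFC.1). Illustrative subset only.
SFR_DEPENDENCIES: Dict[str, List[Tuple[str, ...]]] = {
    "FAU_GEN.1": [("FPT_STM.1",)],
    "FAU_GEN.2": [("FAU_GEN.1",), ("FIA_UID.1",)],
    "FIA_UAU.2": [("FIA_UID.1",)],
    "FIA_UID.1": [],
    "FPT_STM.1": [],
    "FMT_SMF.1": [],
    "FMT_SMR.1": [("FIA_UID.1",)],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
}


@dataclass
class SecurityTarget:
    threats: Dict[str, str]            # threat id -> description
    objectives: Dict[str, List[str]]   # objective id -> threats it counters
    sfrs: Dict[str, List[str]]         # SFR id -> objectives it satisfies


def uncovered_threats(st: SecurityTarget) -> List[str]:
    """Threats that no security objective claims to counter."""
    countered = {t for ts in st.objectives.values() for t in ts}
    return sorted(t for t in st.threats if t not in countered)


def uncovered_objectives(st: SecurityTarget) -> List[str]:
    """Objectives that no selected SFR claims to satisfy."""
    met = {o for os in st.sfrs.values() for o in os}
    return sorted(o for o in st.objectives if o not in met)


def dangling_references(st: SecurityTarget) -> List[str]:
    """Mappings that point at threats or objectives the ST never defines."""
    bad = []
    for obj, ts in st.objectives.items():
        bad += [f"{obj} -> {t}" for t in ts if t not in st.threats]
    for sfr, os in st.sfrs.items():
        bad += [f"{sfr} -> {o}" for o in os if o not in st.objectives]
    return sorted(bad)


def unmet_dependencies(st: SecurityTarget) -> List[Tuple[str, Tuple[str, ...]]]:
    """Selected SFRs whose Part 2 dependencies are not in the selection."""
    selected = set(st.sfrs)
    findings = []
    for sfr in sorted(selected):
        for alternatives in SFR_DEPENDENCIES.get(sfr, []):
            if not selected.intersection(alternatives):
                findings.append((sfr, alternatives))
    return findings


def evaluate(st: SecurityTarget) -> Dict[str, list]:
    """Collect all findings; an empty value for every key means the chain is closed."""
    return {
        "uncovered_threats": uncovered_threats(st),
        "uncovered_objectives": uncovered_objectives(st),
        "dangling_references": dangling_references(st),
        "unmet_dependencies": unmet_dependencies(st),
    }


# Constructed sample ST: O.MANAGE has no SFR behind it and FAU_GEN.1 is
# selected without FPT_STM.1, so the check should report both gaps.
SAMPLE_ST = SecurityTarget(
    threats={
        "T.MASQUERADE": "An attacker impersonates an authorised user.",
        "T.AUDIT_GAP": "Security-relevant events go unrecorded.",
    },
    objectives={
        "O.I&A": ["T.MASQUERADE"],
        "O.AUDIT": ["T.AUDIT_GAP"],
        "O.MANAGE": [],
    },
    sfrs={
        "FIA_UID.1": ["O.I&A"],
        "FIA_UAU.2": ["O.I&A"],
        "FAU_GEN.1": ["O.AUDIT"],
    },
)

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_ST).items():
        print(f"{key}: {value or 'none'}")
```

Running the script against the constructed sample reports `O.MANAGE` as an objective with no supporting requirement and `FAU_GEN.1` as missing its `FPT_STM.1` dependency; adding `FPT_STM.1` to the selection and an SFR mapped to `O.MANAGE` closes the chain, which is the state an evaluator expects to see in the security target rationale.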