Cognos, an IBM company, Business Intelligence and Performance Management



Regulatory Framework

Common Criteria for Information Technology Security

Cognos is the world leader in business intelligence (BI) and performance planning software for the enterprise. Our solutions allow companies to improve and direct corporate performance by enabling all of the key steps in the management cycle - from planning and budgeting, to measuring and monitoring performance, to reporting and analysis. Our integrated capabilities for enterprise planning, scorecarding, and business intelligence deliver the software foundation for Corporate Performance Management (CPM) and compliant corporate reporting.

Customers are seeking assurance from their strategic vendors, such as Cognos, about the security of the products they are purchasing and the reliability of the processes used to build those products. Such assurances are particularly important to organizations in the public sector and in regulated industries, such as military organizations and the pharmaceutical industry.

The National Information Assurance Partnership (NIAP) is a U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both Information Technology (IT) producers and consumers. NIAP validates products under its Common Criteria Evaluation and Validation Scheme (CCEVS), which is based on the internationally adopted Common Criteria.

The Common Criteria for Information Technology Security Evaluation (Common Criteria), the ISO/IEC 15408 standard, defines general concepts and principles of IT security evaluation and provides a general model of evaluation. It presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. It specifies a catalogue of security functional requirements and seven predefined assurance packages, known as Evaluation Assurance Levels (EALs), against which a product's claimed security functions are tested and assessed.

The EALs are predefined levels that range from EAL1, the lowest level of assurance, to EAL7, the highest. The EAL indicates the depth and rigor of the analysis and testing performed on the product; it measures evaluation effort, not the strength of the product's security functions, which are defined by the claims in the product's Security Target. Some organizations (e.g., the U.S. Department of Defense) offer guidance as to appropriate assurance levels for given threat environments. The Validation Body of NIAP maintains a Validated Products List containing the IT products that have successfully completed evaluation and validation under the scheme. A product's appearance on the Validated Products List means that the product was evaluated against the security claims in its Security Target and met those claims, for the specific version and evaluated configuration described there; a different version, or a deployment outside the evaluated configuration, is not covered by the validation.

The Common Criteria group their assurance requirements into "Evaluation Assurance Classes" covering areas such as Development [ADV], Guidance Documents [AGD], and Vulnerability Assessment [AVA]. Cognos supports the Common Criteria principles as an effective way to develop highly secure and robust products. In practice, this is expressed through a commitment to sound software development practices that cover the areas required by the Common Criteria Evaluation Assurance Classes.

Cognos understands the need for secure and reliable products for our customers, and addresses it in several ways. First, security is captured as a set of requirements at the start of product development. The architecture of the product is then designed on the basis of those security requirements, and the product is built in accordance with the architecture. Finally, the product is specifically tested to verify that its security capabilities behave as required.

Cognos software sits on top of lower-level systems - including the operating system, database, directory servers and public key infrastructure - and relies on data and services provided by those systems. Deploying Cognos products together with NIAP validated products, in their evaluated configurations, strengthens the overall security of the deployment, because the security claims of the underlying platform have been independently verified; note that the validation applies to those underlying products, not to the Cognos software running on them. In addition, Cognos software itself provides robust security functionality, such as anonymous access rights, row- and column-level data security, 168-bit encryption of data in transit (the nominal key length of three-key Triple DES), and other features that enable organizations to balance ready access with the appropriate level of security.

Finally, wherever appropriate, Cognos products are designed and built to leverage the leading security infrastructures in the market, in combination with our core competency, to deliver the best solutions for our customers. For example, Cognos ReportNet® leverages NIAP certified products and currently offers support for the following validated products:

Operating Systems                      Assurance level
AIX 5L for Power V5.2                  EAL4
HP-UX (11i) Version 11.11              EAL4
Red Hat Enterprise Linux V3            EAL3
Solaris 8                              EAL4
Solaris 9                              EAL4
Windows 2000 Professional              EAL4

Trusted Database Management Systems    Assurance level
IBM DB2 Version 8.2                    EAL4
IBM WebSphere Application Server       EAL2
Oracle 9i                              EAL4
Sybase Version 12                      EAL4
Teradata Version 2                     EAL2

Directory Servers                      Assurance level
IBM Directory Server 5.2               EAL3

Public Key Infrastructure              Assurance level
Entrust Authority                      EAL3

By leveraging the security capabilities of NIAP validated products, Cognos products can provide simple and straightforward utilities for security and encryption, including anonymous access rights, row- and column-level data security, 168-bit encryption of data in transit, and many other features that make it easy to balance ready access with the appropriate level of security.

Cognos has always been committed to delivering high levels of security in its products. This philosophy is put into practice through a strong commitment to implementing security requirements, by following effective software development practices, and by building on robust, mature third-party security products whose evaluation results are publicly available for our customers to inspect.

For further information please contact your Cognos account representative.

Cognos is a registered trademark of Cognos Incorporated in the United States and/or other countries.