dc.description.abstract |
This era of global inter-connectivity has made the working community utterly reliant on computer systems for their operations. Such dependence has led to an increased number of cyberattacks that adversely impact the business objectives of organizations and single users alike. Internationally recognized standards such as Common Criteria (CC), NIST SP 800-53 and ISO 27001-2 provide guidelines for the security of IT products. These standards can also be applied to assess the security functionality of Operating Systems (OS), which act as the last defensive layer in case of cyberattacks. Considering this, computer system users must adopt a reliable strategy for analyzing their OS’s security potency. The existing methods for this purpose are either unreliable or too complex and expensive to be applied by every organization or single user. Hence, we have used an integrated and systematic approach to propose two flexible and cost-effective Security Compliance Evaluation (SCE) frameworks that perform tests to evaluate Windows 10 and Linux Ubuntu 20.04 OSs in the light of internationally recognized security guidelines. The frameworks so formulated can be easily adopted by any user and incorporate a scoring system for each aspect of cybersecurity in order to compute the percentage compliance of the evaluated PC. Validation has been done on a personal computer at home for both frameworks, and on a system in a security research lab for the Windows 10 framework only, to demonstrate the effect of correct security policy implementation on the extent of compliance of the OS. Lastly, an operating system security policy has been proposed which can be adopted by organizations or single users to ensure their compliance with NIST SP 800-53, ISO 27001-2 and Common Criteria, along with extended packages for VPN, WLAN and SSH for a broader aspect of security. |
en_US |