Security Management
Published on Security Management (http://www.securitymanagement.com)
Using the Common Criteria for IT Security Evaluation
By Ronald L. Mendell

Using the Common Criteria for IT Security Evaluation. By Debra S. Herrmann; published by Auerbach Publications, 800/272-7737 (phone), www.crcpress.com [1] (Web); 304 pages; $79.95.

How trustworthy is a computer system? The answer depends on what the system's owner wants in terms of security performance. Usually in a business, governmental, or academic setting, the owner wants the system to enforce certain access rules to restrict users from reading, writing to, or executing certain data elements. How well a system enforces various access controls determines its trustworthiness.

Nothing is absolutely secure, but high levels of trust or confidence in a system are attainable. The Common Criteria--an international standard for evaluating and certifying the security of IT products and systems--is one rating scale by which to judge a system's level of trust. Debra Herrmann's book is a guide to understanding the highly technical process of certifying a computer system with the Common Criteria.

Herrmann knows her stuff. The book lacks nothing in rigor and erudition. The many tables and flowcharts throughout the text yield insights into the technical aspects of the Common Criteria. Dense with technical terms, however, the book is not an easy read, though its richness of detail makes it a good reference for security system evaluation.

For the security generalist, the text deserves a brief examination. For anyone not familiar with formal vulnerability and threat assessments, some tables provide useful, detailed background information. Exhibits 14 and 15, for example, provide comprehensive lists of threats to IT systems.

Due to the Common Criteria's complexity, the audience for this book is limited. That's not a reflection on the quality of this book, however.


Reviewer: Ronald L. Mendell is an independent writer on security topics. His latest book, The Quiet Threat: Fighting Industrial Espionage in America, was published in 2003 by Charles C. Thomas, Publisher.

Security Management is the award-winning publication of ASIS International, the preeminent international organization for security professionals, with more than 38,000 members worldwide.

ASIS International, Inc. Worldwide Headquarters, 1625 Prince Street, Alexandria, Virginia 22314-2818 U.S.A.
703.519.6200 | fax 703.519.6299 | www.asisonline.org

© 2013 Security Management

Source URL: http://www.securitymanagement.com/article/using-common-criteria-it-security-evaluation

Links:
[1] http://www.crcpress.com/