atsec information security Evaluates IBM z/OS V1R9 - Common Criteria Certification at EAL4+

Business Wire, March 13, 2008

MUNICH, Germany -- atsec information security recently completed the Common Criteria evaluation of IBM z/OS V1R9. The certificate was awarded by Germany's Federal Office for Information Security (BSI) to IBM at the CeBIT trade fair.

atsec performed the first z/OS evaluation, examining z/OS V1R6, in 2005 at evaluation assurance level 3 (EAL3), followed by re-evaluations of V1R7 in 2006 at EAL4 and V1R8 in 2007 with added security features. For z/OS V1R9, IBM followed its yearly cycle of evaluations for the current z/OS release, adding new security functions like increased support for certificate-based authentication, including support of PKCS#11 tokens and centralized certificate management; support for distribution of policies through policy agents; support for remote authorization and auditing via LDAP; AES encryption support in Kerberos; and support for audit log streams.

Operating system evaluation is the greatest test of competence in the field. From early in its history as an evaluation laboratory, atsec has led the way in operating system evaluations under both the German BSI and U.S. CCEVS Schemes. Among the small set of evaluation laboratories with the experience and confidence to take on such projects, atsec information security has proven its competence as the world's leading evaluator of large, complex operating systems.

The long experience and many successes of atsec's evaluation staff have built the company's industry-leading ability to deliver complex evaluations in enviably short time frames. This is important because in the world of Common Criteria evaluations, time is very definitely money. Sponsors begin to earn back their investment when the certification is finished - so there is tremendous value in working with a partner who can complete the process efficiently.

Gerald Krummeck, Common Criteria Lab Director for atsec information security GmbH, added: "We are very proud about this success: We managed to add security functionality important to IBM's customers to the most complex evaluation ever attempted under Common Criteria. Again, this certification demonstrates the success of our strategy to start an evaluation effort at a moderate level with a core functionality, and then move to higher assurance levels, while constantly adding valuable security functionality. This has now resulted in a certificate for a complete, real-world system with a level of assurance that customers require for their business-critical operations."

Beyond its enviable record of successful, timely completion of complex evaluations, atsec has also built its reputation on the quality of its evaluation deliverables. atsec's modus operandi uses the Common Criteria methodology to the advantage of the customer. Interim and final evaluation reports reveal thoughtful analysis of the content of document evidence presented providing real value to sponsors in the form of product and process improvements (not just a cursory look at the titles of documentation evidence and going well beyond simply filling out a checklist of requirements to achieve certification). Looking at the real-world assurance evidence produced by developers as part of their regular development process has always been a feature of atsec's evaluation process.

About atsec information security

atsec information security is an independent, standards-based information technology security services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec was founded in Munich (Germany) in 2000 and has extensive international operations with offices in the U.S., Germany, Sweden, and China. atsec offers evaluation and testing services leading to formal certification for IT security including evaluation under Common Criteria schemes in the U.S., Germany, and Sweden; cryptographic module and algorithm testing under the Cryptographic Module Validation Program of the National Institute of Standards and Technology (NIST) in the U.S. and Communications Security Establishment Canada (CSEC) in Canada; and compliance validation to the Payment Card Industry (PCI) Data Security Standard. atsec also offers secure code review, ISO/IEC 27001 ISMS consulting, and penetration testing and scanning services. atsec works with leading global companies such as IBM, HP, Oracle, Cray, BMW, SGI, Vodafone, Swisscom, RWE, and Wincor-Nixdorf.