The examination of a system to determine its degree of compliance with a stated security model, security standard, or specification. The evaluation may be conducted (a) by analysing the detailed design, especially of the software, often using verification and validation, (b) by observing the functional behaviour of the system, or (c) by attempting to penetrate the system using techniques available to an ‘attacker’.
The US National Computer Security Center published Department of Defense Trusted Computer System Evaluation Criteria, generally known as the ‘Orange Book.’ This has commonly been used to evaluate commercially available systems. Subsequently Information Technology Security Evaluation Criteria (ITSEC) has been published by the European Union. Both have now been superseded by Common Criteria