This paper examines the value of security evaluation criteria and the accompanying evaluation process in a commercial environment. It argues that this question must be approached systematically, within the context of a full complement of security measures, so as to maximize the value obtained from the associated investments. It then focuses on the potential benefits specific to evaluations and makes recommendations on the process for creating an IT security program, with special emphasis on security evaluations.
Annex A is a review of the history and current status of formal evaluation programs. Readers unfamiliar with this topic may wish to read this first.