
Common Evaluation Methodology for Information Technology Security (CEM-97/017)



  1. Common Evaluation Methodology for Information Technology Security (CEM-97/017), Part 2, Chapters 1 – 4. TM8104, André Årnes, 29 November 2004

  2. Chapter 1: Introduction

  3. Scope
     • Companion document to the Common Criteria
     • Describes the minimum actions to be performed by an evaluator
     • Limited to evaluations of Protection Profiles and TOEs for EAL1 through EAL4
     • Target audience:
       • evaluators that are applying the CC
       • certifiers that are confirming evaluators' actions
     • CEM Part 2 takes precedence over CEM Part 1 (v 0.6)

  4. Terminology
     • Activity: the application of an assurance class of CC Part 3
     • Sub-activity: the application of an assurance component of CC Part 3
     • Action: related to an evaluator action element of CC Part 3
     • Work unit: the most granular level of evaluation work
       • e.g. “4:ALC_TAT.1-2”, i.e. EAL4, CC component “ALC_TAT.1”, 2nd work unit in the sub-activity

  5. Relationship between CC and CEM

  6. Evaluator Verdicts
     • The evaluator assigns verdicts to the requirements of the CC and not to those of the CEM.
     • The most granular CC structure to which a verdict is assigned is the evaluator action element (explicit or implied); the verdict results from performing the corresponding CEM action and its constituent work units.
     • Three mutually exclusive verdict states:
       • Pass: the requirements for the PP, ST or TOE under evaluation are met.
       • Inconclusive: one or more work units are still inconclusive.
       • Fail: the requirements for the PP, ST or TOE are not met.
     • All verdicts are initially inconclusive.
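As an added example (not part of the original slides), the work-unit identifier format from the Terminology slide and the three-state verdict model from this slide, expressed as code: identifiers are parsed into EAL, CC component and work-unit number, every work unit starts inconclusive, and a component-level verdict is rolled up from its work units. The roll-up rule (any fail → fail, all pass → pass, otherwise inconclusive) and the sample identifiers are assumptions constructed for the example; the slides only state that the verdict results from the constituent work units.

```python
import re
from typing import Dict, List

# The three mutually exclusive verdict states of CEM Part 2, chapter 1.
PASS, INCONCLUSIVE, FAIL = "pass", "inconclusive", "fail"

# Work-unit identifier layout from the Terminology slide:
# "<EAL>:<CC assurance component>-<work-unit number>", e.g. "4:ALC_TAT.1-2".
WORK_UNIT_RE = re.compile(
    r"^(?P<eal>[1-7]):(?P<component>[A-Z]{3}_[A-Z]{3}\.\d+)-(?P<unit>\d+)$")


def parse_work_unit(ident: str) -> Dict[str, object]:
    """Split a work-unit identifier into EAL, CC component and work-unit number."""
    m = WORK_UNIT_RE.match(ident)
    if m is None:
        raise ValueError(f"not a CEM work-unit identifier: {ident!r}")
    return {"eal": int(m["eal"]), "component": m["component"], "unit": int(m["unit"])}


def roll_up(work_unit_verdicts: List[str]) -> str:
    """Derive a verdict from constituent work units.
    Assumed rule (not spelled out on the slides): any fail -> fail,
    all pass -> pass, anything else (including no recorded work) -> inconclusive."""
    if FAIL in work_unit_verdicts:
        return FAIL
    if work_unit_verdicts and all(v == PASS for v in work_unit_verdicts):
        return PASS
    return INCONCLUSIVE


class EvaluationRecord:
    """Tracks work-unit verdicts for one evaluation; every verdict starts inconclusive."""

    def __init__(self, work_units: List[str]) -> None:
        for wu in work_units:
            parse_work_unit(wu)  # reject malformed identifiers up front
        self.verdicts = {wu: INCONCLUSIVE for wu in work_units}

    def record(self, ident: str, verdict: str) -> None:
        if verdict not in (PASS, INCONCLUSIVE, FAIL):
            raise ValueError(f"unknown verdict state: {verdict!r}")
        if ident not in self.verdicts:
            raise KeyError(f"work unit {ident!r} is not part of this evaluation")
        self.verdicts[ident] = verdict

    def component_verdict(self, component: str) -> str:
        """Verdict for a CC component, rolled up from all of its work units."""
        own = [v for wu, v in self.verdicts.items()
               if parse_work_unit(wu)["component"] == component]
        return roll_up(own)
```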

  7. Evaluator Verdicts - example

  8. Chapter 2: General Evaluation Tasks

  9. General Evaluation tasks
     • Two evaluator tasks are common to all evaluations (PP or TOE, including ST):
       • The input task
       • The output task
     • These two tasks are related to:
       • Management of evaluation evidence
       • Report generation
     • Each task has associated sub-tasks.
     • The tasks are performed to comply with the CEM; there are no verdicts.
     • The CC does not mandate specific requirements on the input and output tasks.
     • The CEM does so in order to ensure conformance to the universal principles (Part 1).

  10. Evaluation input task
     • Objective:
       • Ensure that the correct versions of all evaluation evidence necessary for the evaluation are available to the evaluator
       • Ensure that evaluation evidence is adequately protected
     • This facilitates:
       • technical accuracy of the evaluation
       • conducting the evaluation in a way that allows repeatable and reproducible results
     • Management of evaluation evidence sub-task:
       • Configuration control
       • Disposal (return, archive, or destroy)
       • Confidentiality

  11. Evaluation output task
     • Objectives:
       • Describe the Observation Report (OR)
       • Describe the Evaluation Technical Report (ETR)
     • Consistency of reporting results facilitates the achievement of the universal principles of repeatability and reproducibility of results
     • Write OR sub-task:
       • ORs provide the evaluator with a mechanism to request a clarification or to identify a problem with an aspect of the evaluation.
       • A fail verdict shall be accompanied by an OR to reflect the evaluation result.
     • Write ETR sub-task:
       • The evaluator provides an ETR to present the technical justification of verdicts.
       • The CEM defines the ETR's minimum content.

  12. Write OR
     For each OR the evaluator shall report the following:
     • Identifier of the PP or TOE evaluated
     • Evaluation task/sub-activity during which the observation was generated
     • The observation
     • Assessment of its severity, e.g. implies a failed verdict, holds up the evaluation, requires resolution before the evaluation can be completed
     • Identification of the organisation responsible for resolving the issue
     • Recommended timetable for resolution
     • Assessment of the impact on the evaluation of failure to resolve the observation

  13. ETR for PP Evaluation

  14. ETR for TOE Evaluation

  15. Evaluation sub-activities

  16. Chapter 3: PP Evaluation

  17. PP Evaluation
     • The PP is the description of a product or system type. As such, it is expected to identify the IT security requirements that enforce the defined organisational security policies and counter the defined threats under the defined assumptions.
     • Introduction:
       • Requirements and methodology are identical for each evaluation, regardless of EAL
       • Based on the requirements for a PP (CC Part 1 Annex B, and CC Part 3 class APE)
     • Objectives: determine that the PP is:
       • Complete
       • Sufficient
       • Sound

  18. PP evaluation relationships (figure: Evaluation Input Task, PP Evaluation Activity)

  19. PP Evaluation Activity
     • Evaluation of TOE description
     • Evaluation of security environment
     • Evaluation of PP introduction
     • Evaluation of security objectives
     • Evaluation of IT security requirements
     • Evaluation of explicitly stated IT security requirements

  20. Evaluation of TOE description (APE_DES.1)

  21. Evaluation of security environment (APE_ENV.1)

  22. Evaluation of PP introduction (APE_INT.1)

  23. Evaluation of security objectives (APE_OBJ.1)

  24. Evaluation of IT security requirements (APE_REQ.1)

  25. Evaluation of explicitly stated IT security requirements (APE_SRE.1)

  26. Chapter 4: ST Evaluation

  27. ST Evaluation
     • The ST is the description of a product or system. As such, it is expected to identify the security functions, and possibly the security mechanisms, that enforce the defined organisational security policies and counter the defined threats under the defined assumptions. It is also expected to define the measures that provide the assurance that the product or system correctly counters the threats and enforces the organisational security policies.
     • Introduction:
       • Started prior to any TOE evaluation activities
       • A final verdict on the ST is not possible until the TOE evaluation is complete
       • Requirements and methodology are identical for each ST and all EALs
       • CC Part 1 Annex C and CC Part 3 class ASE
     • Objectives: determine that the ST is:
       • Complete
       • Sufficient
       • Sound
       • Accurately identified

  28. ST evaluation relationships (figure: Evaluation Input Task, ST Evaluation Activity)

  29. ST Evaluation Activity
     • Evaluation of TOE description
     • Evaluation of security environment
     • Evaluation of ST introduction
     • Evaluation of security objectives
     • Evaluation of PP claims
     • Evaluation of IT security requirements
     • Evaluation of explicitly stated IT security requirements
     • Evaluation of TOE summary specification

  30. Evaluation of TOE description (ASE_DES.1)

  31. Evaluation of security environment (ASE_ENV.1)

  32. Evaluation of the ST introduction (ASE_INT.1)

  33. Evaluation of security objectives (ASE_OBJ.1)

  34. Evaluation of PP claims (ASE_PPC.1)

  35. Evaluation of IT security requirements (ASE_REQ.1)

  36. Evaluation of explicitly stated IT security requirements (ASE_SRE.1)

  37. Evaluation of TOE summary specification (ASE_TSS.1)
