Раздел: Документация

0 ... 13 14 15 16 17 18 19 20

Note that security requirements for the non-IT environment, while often useful in practice, are not required to be a formal part of the PP as they do not relate directly to the implementation of the TOE.

c) The following common conditions shall apply equally to the expression of security functional and assurance requirements for the TOE and its IT environment:

1)All IT security requirements should be stated by reference to security requirements components drawn from Part 2 or Part 3 where applicable. Should none of the Part 2 or Part 3 requirements components be readily applicable to all or part of the security requirements, the PP may state those requirements explicitly without reference to the CC.

2)Any explicit statement of TOE security functional or assurance requirements shall be clearly and unambiguously expressed such that evaluation and demonstration of compliance is feasible. The level of detail and manner of expression of existing CC functional or assurance requirements shall be used as a model.

3)When requirements components that specify required operations (assignment or selection) are selected, the PP shall use those operations to amplify the requirements to the level of detail necessary to demonstrate that the security objectives are met. Any required operations that are not performed within the PP shall be identified as such.

4)By using operations on the requirements components, the TOE security requirements statements may optionally prescribe or forbid the use of particular security mechanisms where necessary.

5)All dependencies among the IT security requirements should be satisfied. Dependencies may be satisfied by the inclusion of the relevant requirement within the TOE security requirements, or as a requirement on the environment.

b.2.7 application notes

This optional part of the PP may contain additional supporting information that is considered relevant or useful for the construction, evaluation, or use of the TOE.

b.2.8 rationale

This part of the PP presents the evidence used in the PP evaluation. This evidence supports the claims that the PP is a complete and cohesive set of requirements and that a conformant TOE would provide an effective set of IT security countermeasures within the security environment. The rationale shall include the following:

a) The security objectives rationale shall demonstrate that the stated security objectives are traceable to all of the aspects identified in the TOE security environment and are suitable to cover them.

---

The security requirements rationale shall demonstrate that the set of security requirements (TOE and environment) is suitable to meet and traceable to the security objectives. The following shall be demonstrated:

1)that the combination of the individual functional and assurance requirements components for the TOE and its IT environment together meet the stated security objectives;

2)that the set of security requirements together forms a mutually supportive and internally consistent whole;

3)that the choice of security requirements is justified. Any of the following conditions shall be specifically justified:

-choice of requirements not contained in Parts 2 or 3;

-choice of assurance requirements not including an EAL; and

-non-satisfaction of dependencies;

4)that the selected strength of function level for the PP, together with any explicit strength of function claim, is consistent with the security objectives for the

TOE.

This potentially bulky material may be distributed separately as it may not be appropriate or useful to all PP users.

b)

---

Annex C (normative)

Specification of Security Targets

C.1 Overview

An ST contains the IT security requirements of an identified TOE and specifies the functional and assurance security measures offered by that TOE to meet stated requirements.

The ST for a TOE is a basis for agreement between the developers, evaluators and, where appropriate, consumers on the security properties of the TOE and the scope of the evaluation. The audience for the ST is not confined to those responsible for the production of the TOE and its evaluation, but may also include those responsible for managing, marketing, purchasing, installing, configuring, operating, and using the TOE.

The ST may incorporate the requirements of, or claim conformance to, one or more PPs. The impact of such a PP conformance claim is not considered when initially defining the required ST content in subclause C.2. Subclause C.2.8 addresses the impact of a PP conformance claim on the required ST content.

This annex contains the requirements for the ST in descriptive form. The assurance class ASE, contained in clause 5 of ISO/IEC 15408-3, contains these requirements in the form of assurance components to be used for evaluation of the ST.

C.2 Content of Security Target c.2.1 content and presentation

An ST shall conform to the content requirements described in this annex. An ST should be presented as a user-oriented document that minimises reference to other material that might not be readily available to the ST user. The rationale may be supplied separately, if that is appropriate.

The contents of the ST are portrayed in Figure C.1, which should be used when constructing the structural outline of the ST.

c.2.2 st introduction

The ST introduction shall contain the following document management and overview information.

a)The ST identification shall provide the labelling and descriptive information necessary to control and identify the ST and the TOE to which it refers.

b)The ST overview shall summarise the ST in narrative form. The overview should be sufficiently detailed for a potential consumer of the TOE to determine whether the

0 ... 13 14 15 16 17 18 19 20