the TOE are treated as secure usage assumptions where these have an impact on the ability of the IT security measures to counter the identified threats.
b) The evaluation of technical physical aspects of IT security such as electromagnetic emanation control is not specifically covered, although many of the concepts addressed will be applicable to that area. In particular, the CC addresses some aspects of physical protection of the TOE.
c) The CC addresses neither the evaluation methodology nor the administrative and legal framework under which the criteria may be applied by evaluation authorities. However, it is expected that the CC will be used for evaluation purposes in the context of such a framework and such a methodology.
d) The procedures for use of evaluation results in product or system accreditation are outside the scope of the CC. Product or system accreditation is the administrative process whereby authority is granted for the operation of an IT product or system in its full operational environment. Evaluation focuses on the IT security parts of the product or system and those parts of the operational environment that may directly affect the secure use of IT elements. The results of the evaluation process are consequently a valuable input to the accreditation process. However, as other techniques are more appropriate for the assessments of non-IT related product or system security properties and their relationship to the IT security parts, accreditors should make separate provision for those aspects.
e) The subject of criteria for the assessment of the inherent qualities of cryptographic algorithms is not covered in the CC. Should independent assessment of mathematical properties of cryptography embedded in a TOE be required, the evaluation scheme under which the CC is applied must make provision for such assessments.
2.1 Common abbreviations
The following abbreviations are common to more than one part of the CC:
CC - Common Criteria, the name used historically for this multipart standard ISO/IEC 15408 in lieu of its official ISO name of "Evaluation criteria for information technology security"
EAL - Evaluation Assurance Level
SFP - Security Function Policy
SOF - Strength of Function
TOE - Target of Evaluation
TSC - TSF Scope of Control
TSF - TOE Security Functions
TSFI - TSF Interface
TSP - TOE Security Policy
2.2 Scope of glossary
This subclause 2.2 contains only those terms which are used in a specialised way throughout the CC. The majority of terms in the CC are used either according to their accepted dictionary definitions or according to commonly accepted definitions that may be found in ISO security glossaries or other well-known collections of security terms. Some combinations of common terms used in the CC, while not meriting glossary definition, are explained for clarity in the context where they are used. Explanations of the use of terms and concepts used in a specialised way in ISO/IEC 15408-2 and ISO/IEC 15408-3 can be found in their respective "paradigm" subclauses.
Assets - Information or resources to be protected by the countermeasures of a TOE.
Assignment - The specification of an identified parameter in a component.
Assurance - Grounds for confidence that an entity meets its security objectives.
Attack potential - The perceived potential for success of an attack, should an attack be launched, expressed in terms of an attacker's expertise, resources and motivation.
Augmentation - The addition of one or more assurance component(s) from Part 3 to an EAL or assurance package.
Authentication data - Information used to verify the claimed identity of a user.
Authorised user - A user who may, in accordance with the TSP, perform an operation.
Class - A grouping of families that share a common focus.
Component - The smallest selectable set of elements that may be included in a PP, an ST, or a package.
Connectivity - The property of the TOE which allows interaction with IT entities external to the TOE. This includes exchange of data by wire or by wireless means, over any distance in any environment or configuration.
Dependency - A relationship between requirements such that the requirement that is depended upon must normally be satisfied for the other requirements to be able to meet their objectives.
Element - An indivisible security requirement.
Evaluation - Assessment of a PP, an ST or a TOE, against defined criteria.
Evaluation Assurance Level (EAL) - A package consisting of assurance components from Part 3 that represents a point on the CC predefined assurance scale.
Evaluation authority - A body that implements the CC for a specific community by means of an evaluation scheme and thereby sets the standards and monitors the quality of evaluations conducted by bodies within that community.
Evaluation scheme - The administrative and regulatory framework under which the CC is applied by an evaluation authority within a specific community.
Extension - The addition to an ST or PP of functional requirements not contained in Part 2 and/or assurance requirements not contained in Part 3 of the CC.
External IT entity - Any IT product or system, untrusted or trusted, outside of the TOE that interacts with the TOE.