
3 Overview

This clause introduces the main concepts of the CC. It identifies the target audience, evaluation context, and the approach taken to present the material.

3.1 Introduction

Information held by IT products or systems is a critical resource that enables organisations to succeed in their mission. Additionally, individuals have a reasonable expectation that their personal information contained in IT products or systems remains private, is available to them as needed, and is not subject to unauthorised modification. IT products or systems should perform their functions while exercising proper control of the information to ensure it is protected against hazards such as unwanted or unwarranted dissemination, alteration, or loss. The term IT security is used to cover prevention and mitigation of these and similar hazards.

Many consumers of IT lack the knowledge, expertise or resources necessary to judge whether their confidence in the security of their IT products or systems is appropriate, and they may not wish to rely solely on the assertions of the developers. Consumers may therefore choose to increase their confidence in the security measures of an IT product or system by ordering an analysis of its security (i.e. a security evaluation).

The CC can be used to select the appropriate IT security measures and it contains criteria for evaluation of security requirements.

3.2 Target audience of the CC

There are three groups with a general interest in evaluation of the security properties of IT products and systems: TOE consumers, TOE developers, and TOE evaluators. The criteria presented in this document have been structured to support the needs of all three groups. They are all considered to be the principal users of this CC. The three groups can benefit from the criteria as explained in the following paragraphs.

3.2.1 Consumers

The CC plays an important role in supporting techniques for consumer selection of IT security requirements to express their organisational needs. The CC is written to ensure that evaluation fulfils the needs of the consumers as this is the fundamental purpose and justification for the evaluation process.

Consumers can use the results of evaluations to help decide whether an evaluated product or system fulfils their security needs. These security needs are typically identified as a result of both risk analysis and policy direction. Consumers can also use the evaluation results to compare different products or systems. Presentation of the assurance requirements within a hierarchy supports this need.

The CC gives consumers - especially in consumer groups and communities of interest - an implementation-independent structure termed the Protection Profile (PP) in which to express their special requirements for IT security measures in a TOE.

3.2.2 Developers

The CC is intended to support developers in preparing for and assisting in the evaluation of their products or systems and in identifying security requirements to be satisfied by each of their products or systems. It is also quite possible that an associated evaluation methodology, potentially accompanied by a mutual recognition agreement for evaluation results, would further permit the CC to support someone other than the TOE developer in preparing for and assisting in the evaluation of a developer's TOE.

The CC constructs can then be used to make claims that the TOE conforms to its identified requirements by means of specified security functions and assurances to be evaluated. Each TOE's requirements are contained in an implementation-dependent construct termed the Security Target (ST). One or more PPs may provide the requirements of a broad consumer base.

The CC describes security functions that a developer could include in the TOE. The CC can be used to determine the responsibilities and actions to support evidence that is necessary to support the evaluation of the TOE. It also defines the content and presentation of that evidence.

3.2.3 Evaluators

The CC contains criteria to be used by evaluators when forming judgements about the conformance of TOEs to their security requirements. The CC describes the set of general actions the evaluator is to carry out and the security functions on which to perform these actions. Note that the CC does not specify procedures to be followed in carrying out those actions.

3.2.4 Others

While the CC is oriented towards specification and evaluation of the IT security properties of TOEs, it may also be useful as reference material to all parties with an interest in or responsibility for IT security. Some of the additional interest groups that can benefit from information contained in the CC are:

a) system custodians and system security officers responsible for determining and meeting organisational IT security policies and requirements;

b) auditors, both internal and external, responsible for assessing the adequacy of the security of a system;

c) security architects and designers responsible for the specification of the security content of IT systems and products;

d) accreditors responsible for accepting an IT system for use within a particular environment;

e) sponsors of evaluation responsible for requesting and supporting an evaluation; and

