APE_REQ.1.2E The evaluator shall confirm that the statement of IT security requirements is complete, coherent, and internally consistent.

4.6 Explicitly stated IT security requirements (APE_SRE)

Objectives

If, after careful consideration, none of the requirements components in ISO/IEC 15408-2 or ISO/IEC 15408-3 are readily applicable to all or parts of the IT security requirements, the PP author may state other requirements which do not reference ISO/IEC 15408. The use of such requirements shall be justified.

This family presents evaluation requirements that permit the evaluator to determine that the explicitly stated requirements are clearly and unambiguously expressed. The evaluation of requirements taken from ISO/IEC 15408 in conjunction with valid explicitly stated security requirements is addressed by the APE_REQ family.

Explicitly stated IT security requirements for a TOE presented or cited in a PP need to be evaluated in order to demonstrate that they are clearly and unambiguously expressed.

Application notes

Formulation of the explicitly stated requirements in a structure comparable to those of existing ISO/IEC 15408 components and elements involves choosing similar labelling, manner of expression, and level of detail.

Using the ISO/IEC 15408 requirements as a model means that the requirements can be clearly identified, that they are self-contained, and that the application of each requirement is feasible and will yield a meaningful evaluation result based on a compliance statement of the TOE for that particular requirement.

The term "IT security requirements" refers to "TOE security requirements" and the optionally included "security requirements for the IT environment".

The term "TOE security requirements" refers to "TOE security functional requirements" and/or "TOE security assurance requirements".
APE_SRE.1 Protection Profile, Explicitly stated IT security requirements, Evaluation requirements

Dependencies:
APE_REQ.1 Protection Profile, IT security requirements, Evaluation requirements

Developer action elements:

APE_SRE.1.1D The PP developer shall provide a statement of IT security requirements as part of the PP.

APE_SRE.1.2D The PP developer shall provide the security requirements rationale.

APE_SRE.1.1C All TOE security requirements that are explicitly stated without reference to ISO/IEC 15408 shall be identified.

APE_SRE.1.2C All security requirements for the IT environment that are explicitly stated without reference to ISO/IEC 15408 shall be identified.

APE_SRE.1.3C The evidence shall justify why the security requirements had to be explicitly stated.

APE_SRE.1.4C The explicitly stated IT security requirements shall use the ISO/IEC 15408 requirements components, families and classes as a model for presentation.

APE_SRE.1.5C The explicitly stated IT security requirements shall be measurable and state objective evaluation requirements such that compliance or noncompliance of a TOE can be determined and systematically demonstrated.

APE_SRE.1.6C The explicitly stated IT security requirements shall be clearly and unambiguously expressed.

APE_SRE.1.7C The security requirements rationale shall demonstrate that the assurance requirements are applicable and appropriate to support any explicitly stated TOE security functional requirements.

Evaluator action elements:

APE_SRE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

APE_SRE.1.2E The evaluator shall determine that all of the dependencies of the explicitly stated IT security requirements have been identified.