
5.6 IT security requirements (ASE_REQ)

Objectives

The IT security requirements chosen for a TOE and presented or cited in an ST need to be evaluated in order to confirm that they are internally consistent and lead to the development of a TOE that will meet its security objectives.

This family presents evaluation requirements that permit the evaluator to determine that an ST is suitable for use as a statement of requirements for the corresponding TOE. The additional criteria necessary for the evaluation of explicitly stated requirements are covered in the ASE_SRE family.

Application notes

The term "IT security requirements" refers to "TOE security requirements" and the optionally included "security requirements for the IT environment".

The term "TOE security requirements" refers to "TOE security functional requirements" and/or "TOE security assurance requirements".

In the ASE_REQ.1 component, the word "appropriate" is used to indicate that certain elements allow options in certain cases. Which options are applicable depends on the given context in the ST. Detailed information for all these aspects is contained in ISO/IEC 15408-1, Annex C.

ASE_REQ.1 Security Target, IT security requirements, Evaluation requirements

Dependencies:

ASE_OBJ.1 Security Target, Security objectives, Evaluation requirements

Developer action elements:

ASE_REQ.1.1D The developer shall provide a statement of IT security requirements as part of the ST.

ASE_REQ.1.2D The developer shall provide the security requirements rationale.

Content and presentation of evidence elements:

ASE_REQ.1.1C The statement of TOE security functional requirements shall identify the TOE security functional requirements drawn from ISO/IEC 15408-2 functional requirements components.

ASE_REQ.1.2C The statement of TOE security assurance requirements shall identify the TOE security assurance requirements drawn from ISO/IEC 15408-3 assurance requirements components.

ASE_REQ.1.3C The statement of TOE security assurance requirements should include an Evaluation Assurance Level (EAL) as defined in ISO/IEC 15408-3.

ASE_REQ.1.4C The evidence shall justify that the statement of TOE security assurance requirements is appropriate.

ASE_REQ.1.5C The ST shall, if appropriate, identify any security requirements for the IT environment.

ASE_REQ.1.6C Operations on IT security requirements included in the ST shall be identified and performed.

ASE_REQ.1.7C Dependencies among the IT security requirements included in the ST should be satisfied.

ASE_REQ.1.8C The evidence shall justify why any non-satisfaction of dependencies is appropriate.

ASE_REQ.1.9C The ST shall include a statement of the minimum strength of function level for the TOE security functional requirements, either SOF-basic, SOF-medium or SOF-high, as appropriate.

ASE_REQ.1.10C The ST shall identify any specific TOE security functional requirements for which an explicit strength of function is appropriate, together with the specific metric.

ASE_REQ.1.11C The security requirements rationale shall demonstrate that the minimum strength of function level for the ST together with any explicit strength of function claim is consistent with the security objectives for the TOE.

ASE_REQ.1.12C The security requirements rationale shall demonstrate that the IT security requirements are suitable to meet the security objectives.

ASE_REQ.1.13C The security requirements rationale shall demonstrate that the set of IT security requirements together forms a mutually supportive and internally consistent whole.

Evaluator action elements:

ASE_REQ.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ASE_REQ.1.2E The evaluator shall confirm that the statement of IT security requirements is complete, coherent, and internally consistent.

5.7 Explicitly stated IT security requirements (ASE_SRE)

Objectives

If, after careful consideration, none of the requirements components in ISO/IEC 15408-2 or ISO/IEC 15408-3 are readily applicable to all or parts of the IT security requirements, the ST author may state other requirements which do not reference ISO/IEC 15408. The use of such requirements shall be justified.

This family presents evaluation requirements that permit the evaluator to determine that the explicitly stated requirements are clearly and unambiguously expressed. The evaluation of requirements taken from ISO/IEC 15408 in conjunction with valid explicitly stated security requirements is addressed by the ASE_REQ family.

Explicitly stated IT security requirements for a TOE presented or cited in an ST need to be evaluated in order to demonstrate that they are clearly and unambiguously expressed.

Application notes

Formulation of the explicitly stated requirements in a structure comparable to those of existing ISO/IEC 15408 components and elements involves choosing similar labelling, manner of expression, and level of detail.

Using the ISO/IEC 15408 requirements as a model means that the requirements can be clearly identified, that they are self-contained, and that the application of each requirement is feasible and will yield a meaningful evaluation result based on a compliance statement of the TOE for that particular requirement.

The term "IT security requirements" refers to "TOE security requirements" and the optionally included "security requirements for the IT environment".

The term "TOE security requirements" refers to "TOE security functional requirements" and/or "TOE security assurance requirements".

ASE_SRE.1 Security Target, Explicitly stated IT security requirements, Evaluation requirements

Dependencies:

ASE_REQ.1 Security Target, IT security requirements, Evaluation requirements

Developer action elements:

ASE_SRE.1.1D The developer shall provide a statement of IT security requirements as part of the ST.

ASE_SRE.1.2D The developer shall provide the security requirements rationale.


