Раздел: Документация

0 ... 45 46 47 48 49 50 51 ... 73

Evaluator action elements:

alc dvs.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

alc dvs.1.2e The evaluator shall confirm that the security measures are being applied.

ALC DVS.2 Sufficiency of security measures

Dependencies:

No dependencies.

Developer action elements:

alc dvs.2.1d The developer shall produce development security documentation. Content and presentation of evidence elements:

alc dvs.2.1c The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.

alc dvs.2.2c The development security documentation shall provide evidence that these security measures are followed during the development and maintenance of the TOE.

alc dvs.2.3c The evidence shall justify that the security measures provide the necessary level of protection to maintain the confidentiality and integrity of the TOE.

Evaluator action elements:

alc dvs.2.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

alc dvs.2.2e The evaluator shall confirm that the security measures are being applied.

---

12.2 Flaw remediation (ALC FLR)

Objectives

Flaw remediation requires that discovered security flaws be tracked and corrected by the developer. Although future compliance with flaw remediation procedures cannot be determined at the time of the TOE evaluation, it is possible to evaluate the policies and procedures that a developer has in place to track and correct flaws, and to distribute the flaw information and corrections.

Component levelling

The components in this family are levelled on the basis of the increasing extent in scope of the flaw remediation procedures and the rigour of the flaw remediation policies.

Application notes

This family provides assurance that the TOE will be maintained and supported in the future, requiring the TOE developer to track and correct flaws in the TOE. Additionally, requirements are included for the distribution of flaw corrections. However, this family does not impose evaluation requirements beyond the current evaluation.

The flaw remediation procedures should describe the methods for dealing with all types of flaws encountered. Some flaws may not be fixable immediately. There may be some occasions where a flaw cannot be fixed and other (e.g. procedural) measures must be taken. The documentation provided should cover the procedures for providing the operational sites with fixes, and providing information on flaws where fixes are delayed (and what to do in the interim) or when fixes are not possible.

ALC FLR.1 Basic flaw remediation

Dependencies:

No dependencies.

Developer action elements:

alc flr.1.1d The developer shall document the flaw remediation procedures. Content and presentation of evidence elements:

alc flr.1.1c The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE.

alc flr.1.2c The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw.

alc flr.1.3c The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws.

---

alc flr.1.4c The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users.

Evaluator action elements:

alc flr.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ALC FLR.2 Flaw reporting procedures

Dependencies :

No dependencies.

Developer action elements:

alc flr.2.1d The developer shall document the flaw remediation procedures.

alc flr.2.2d The developer shall establish a procedure for accepting and acting upon user reports of security flaws and requests for corrections to those flaws.

Content and presentation of evidence elements:

alc flr.2.1c The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE.

alc flr.2.2c The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw.

alc flr.2.3c The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws.

alc flr.2.4c The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users.

alc flr.2.5c The procedures for processing reported security flaws shall ensure that any reported flaws are corrected and the correction issued to TOE users.

alc flr.2.6c The procedures for processing reported security flaws shall provide safeguards that any corrections to these security flaws do not introduce any new flaws.

Evaluator action elements:

0 ... 45 46 47 48 49 50 51 ... 73