Раздел: Документация

0 ... 65 66 67 68 69 70 71 ... 73

16 Class AMA: Maintenance of assurance

The maintenance of assurance class provides requirements that are intended to be applied after a TOE has been certified against ISO/IEC 15408. These requirements are aimed at assuring that the TOE will continue to meet its security target as changes are made to the TOE or its environment. Suchchanges include the discoveryof new threats or vulnerabilities, changes in user requirements, and the correction of bugs found in the certified TOE.

The class comprises four families, and the hierarchy of components within, as shown in Figure 16.1:

Class AMA: Maintenance of assurance

AMA AMP Assurance maintenance plan

AMA CAT TOE component categorisation report

AMA EVD Evidence of assurance maintenance

AMA SIA Security impact analysis

1

1

1

1

2

Figure 16.1 - Maintenance of assurance class decomposition

---

16.1 Assurance maintenance plan (AMA AMP)

Objectives

The Assurance Maintenance Plan (AM Plan) identifies the plans and procedures a developer must implement in order to ensure that the assurance that was established in the certified TOE is maintained as changes are made to the TOE or its environment. The AM Plan is specific to the TOE, and is tailored to the developers own practices and procedures.

Component levelling

This family contains only one component. Application notes

An AM Plan covers one assurance maintenance cycle, this being the period from the completion of the most recent evaluation of the TOE to the completion of the next planned re-evaluation.

The requirements AMA AMP.1.2C and AMA AMP.1.3C serve to provide a clear identification of the baseline for assurance maintenance, in terms of the evaluation results and the definition of the categorisation of TOE components. The TOE component categorisation report is subject to the requirements of the AMA CAT family, and provides the basis for the security impact analysis performed by the developer security analyst.

The definition of the scope of changes covered by the plan, as required by AMA AMP.1.4C, should be in terms of the category of components of the TOE that may be changed and the representational level at which changes can occur (referencing the TOE component categorisation report where appropriate).

AMA AMP.1.5C requires a description of the developers current plans for any new releases of the TOE. These plans may be subject to change, and hence require an update to the AM Plan. It should be noted, however, that in this context the term new release does not, for example, include minor (unplanned) releases of the TOE to incorporate bug fixes.

AMA AMP.1.6C requires a definition of the planned schedule for AM audits (see the AMA EVD family below) and the targeted re-evaluation of the TOE, together with a justification of the proposed schedules. The schedules may be defined in terms of elapsed time (e.g. annual AM audits), or they may be linked to specific new releases of the TOE. The planned schedules should take into account the expected changes to the TOE during the period, and also any elapsed period between the evaluation of the TOE and the establishment of the AM Plan. In particular, any changes outside the scope of the AM Plan will trigger a re-evaluation.

AMA AMP.1Assurance maintenance plan

Dependencies:

ACMCAP.2 Configuration items

ALCFLR.1 Basic flaw remediation

AMA CAT.1 TOE component categorisation report

---

ama amp.1.1d The developer shall provide an AM Plan. Content and presentation of evidence elements:

ama amp.1.1c The AM Plan shall contain or reference a brief description of the TOE, including the security functionality it provides.

ama amp.1.2c The AM Plan shall identify the certified version of the TOE, and shall reference the evaluation results.

ama amp.1.3c The AM Plan shall reference the TOE component categorisation report for the certified version of the TOE.

ama amp.1.4c The AM Plan shall define the scope of changes to the TOE that are covered by the plan.

ama amp.1.5c The AM Plan shall describe the TOE life-cycle, and shall identify the current plans for any new releases of the TOE, together with a brief description of any planned changes that are likely to have a significant security impact.

ama amp.1.6c The AM Plan shall describe the assurance maintenance cycle, stating and justifying the planned schedule of AM audits and the target date of the next re-evaluation of the TOE.

ama amp.1.7c The AM Plan shall identify the individual(s) who will assume the role of developer security analyst for the TOE.

ama amp.1.8c The AM Plan shall describe how the developer security analyst role will ensure that the procedures documented or referenced in the AM Plan are followed.

ama amp.1.9c The AM Plan shall describe how the developer security analyst role will ensure that all developer actions involved in the analysis of the security impact of changes affecting the TOE are performed correctly.

ama amp.1.1oc The AM Plan shall justify why the identified developer security analyst(s) have sufficient familiarity with the security target, functional specification and (where appropriate) high-level design of the TOE, and with the evaluation results and all applicable assurance requirements for the certified version of the TOE.

ama amp.1.11c The AM Plan shall describe or reference the procedures to be applied to maintain the assurance in the TOE, which as a minimum shall include the procedures for configuration management, maintenance of assurance evidence, performance of the analysis of the security impact of changes affecting the TOE, and flaw remediation.

0 ... 65 66 67 68 69 70 71 ... 73