Раздел: Документация

0 ... 67 68 69 70 71 72 73

16.3 Evidence of assurance maintenance (AMA EVD)

Objectives

The aim of this family of requirements is to establish confidence that the assurance in the TOE is being maintained by the developer, in accordance with the AM Plan. This is achieved through the provision of evidence which demonstrates that the assurance in the TOE has been maintained, which is independently checked by an evaluator. This check, termed an AM audit, is periodically applied during the lifetime of the AM Plan.

Component levelling

This family contains only one component.

Application notes

This family includes some evidence requirements that are similar to assurance requirements defined in the ACM, ATE and AVA classes. However, the AM audit does not require the evaluators to examine the evidence to the same extent as required by the components in these classes; rather, it requires a sampling approach to establish confidence that the assurance maintenance procedures are being followed correctly.

As part of the AM audit, the evaluators check (by sampling) that the configuration list and security impact analysis are consistent for the current version of the TOE, in terms of their identification of the TOE components that have changed from the certified version of the TOE.

AMA EVD.1.3C requires the provision of evidence that the assurance maintenance procedures in the AM Plan are being followed. This covers all procedures referred to in AMA AMP.1.11C, i.e. evidence of application of procedures relating to configuration management, maintenance of assurance evidence, performance of security impact analysis, and flaw remediation.

The evidence required in AMA EVD.1.4C includes the provision of a list of identified vulnerabilities in the current version of the TOE. This is highlighted as a separate requirement because of the importance of ensuring, to a level consistent with the original evaluation assurance requirements, that the current version contains no security weakness that are exploitable within the TOE environment. The list in AMAEVD.1.4C should include vulnerabilities arising from:

a)the developers analysis required by AVA VLA.1, or higher component (if required for the certified version of the TOE);

b)any other reported security flaws handled by the flaw remediation procedures required by ALCFLR. 1(or ALCFLR.2 if required for the certified version of the TOE).

AMAEVD.1.5E requires the evaluators to confirm that functional testing has been performed on the current version of the TOE, and that the coverage and depth of testing is commensurate with the level of assurance being maintained. This check is performed by sampling the test documentation for the current version of the TOE.

---

AMA EVD.1 Evidence of maintenance process

Dependencies:

AMA AMP.1 Assurance maintenance plan AMA SIA.1 Sampling of security impact analysis

Developer action elements:

ama evd.1.1d The developer security analyst shall provide AM documentation for the current version of the TOE.

Content and presentation of evidence elements:

ama evd.1.1c The AM documentation shall include a configuration list and a list of identified vulnerabilities in the TOE.

ama evd.1.2c The configuration list shall describe the configuration items that comprise the current version of the TOE.

ama evd.1.3c The AM documentation shall provide evidence that the procedures documented or referenced in the AM Plan are being followed.

ama evd.1.4c The list of identified vulnerabilities in the current version of the TOE shall show, for each vulnerability, that the vulnerability cannot be exploited in the intended environment for the TOE.

Evaluator action elements:

ama evd.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ama evd.1.2e The evaluator shall confirm that the procedures documented or referenced in the AM Plan are being followed.

ama evd.1.3e The evaluator shall confirm that the security impact analysis for the current version of the TOE is consistent with the configuration list.

ama evd.1.4e The evaluator shall confirm that all changes documented in the security impact analysis for the current version of the TOE are within the scope of changes covered by the AM Plan.

ama evd.1.5e The evaluator shall confirm that functional testing has been performed on the current version of the TOE, to a degree commensurate with the level of assurance being maintained.

---

16.4 Security impact analysis (AMA SIA)

Objectives

The aim of the security impact analysis is to provide confidence that assurance has been maintained in the TOE, through an analysis performed by the developer of the security impact of all changes affecting the TOE since it was certified.

Component levelling

This family consists of two components, levelled according to the degree to which an evaluator validates the developers security impact analysis.

Application notes

AMA SIA.1 requires a sampling approach to validate the developers security impact analysis. In some cases, AMA SIA.2 may be preferred where a sampling approach is not considered sufficient to establish confidence that assurance has been maintained in the current version of the TOE, but where a formal re-evaluation is not considered necessary.

Both components in this family require the security impact analysis to identify all new and modified TOE components in the current version of the TOE (as compared with the certified version). The accuracy of this information is checked during either the associated AM audit (by sampling), or the associated re-evaluation of the TOE when the configuration list is checked under

ACM CAP.

AMA SIA.1 Sampling of security impact analysis

Dependencies:

AMACAT.1 TOE component categorisation report

Developer action elements:

ama sia.1.1d The developer security analyst shall, for the current version of the TOE, provide a security impact analysis that covers all changes affecting the TOE as compared with the certified version.

Content and presentation of evidence elements:

ama sia.1.1c The security impact analysis shall identify the certified TOE from which the current version of the TOE was derived.

ama sia.1.2c The security impact analysis shall identify all new and modified TOE components that are categorised as TSP-enforcing.

ama sia.1.3c The security impact analysis shall, for each change affecting the security target or TSF representations, briefly describe the change and any effects it has on lower representation levels.

0 ... 67 68 69 70 71 72 73