3 - Common Criteria

Question 1

How many Evaluation Assurance Levels (EALs) are there?

Answer 1

7

Question 2

What EAL typically would a commercial operating systems achieve?

Answer 2

EAL4

Question 3

What EAL typically would a smart card receive?

Answer 3

EAL5

Question 4

What is EAL1?

Answer 4

Functionally Tested

Question 5

What is EAL2?

Answer 5

Structurally Tested

Question 6

What is EAL3?

Answer 6

Methodically Tested and Checked

Question 7

What is EAL4?

Answer 7

Methodically Designed, tested and reviewed

Question 8

What is EAL5?

Answer 8

Semi-formally designed and tested

Question 9

What is EAL6?

Answer 9

Semi-formally verified, designed and tested

Question 10

What is EAL7?

Answer 10

Formally verified designed and tested

Question 11

What is the security target (ST)?

Answer 11

Implementation-dependent statement of security needs for a specific identified TOE or The security target specifies what the vendor claims it can do and what options may be available Threat the product will mitigate and the security functional requirements

Question 12

What is the protection profile (PP)?

Answer 12

The protection profile specify the areas that a product will be evaluated against (what do you want it to do?) E.g Network device, operating systems are example of protection profiles which list attributes to test the target of evaluation

Question 13

What is the ISO for Evaluation Criteria for Information Technology Security

Answer 13

ISO 15408

Question 14

What is the Target of Evaluation (TOE)

Answer 14

the product or system that is the subject of the evaluation

Question 15

What do EAL 5-7 involve?

Answer 15

Formal mathematical verification of the design against how the system actually works.

Question 16

Security assurance requirements (SARs)

Answer 16

The SARs are a description of how the TOE is to be evaluated. SARs are statements of the non functional requirements the TOE should have to have assurance. E.g Change mangement process how the source code is review/handled.

SAR is defined in part 3

Question 17

Which ISO I required for common criteria testing laboratories?

Answer 17

ISO/IEC 17025

Question 18

What are Security Objectives

Answer 18

intended solution to the problem specified by the security problem definition - How the TOE mitigates the threats defined by the Security Problem Definition

Question 19

What is the Security Problem Definition?

Answer 19

describes the threats and assumptions about the operational environment.

Question 20

What are SFR

Answer 20

How the TOE meets Security objectives. List of testable features. Detailed specification

Question 21

What is TSF?

Answer 21

Trusted Security function - The part of the TOE being tested.

Question 22

what is CEM

Answer 22

Common Methodology for Information Technology Security Evaluation (CEM)

Question 23

Who is CEM for?

Answer 23

primarily evaluators applying the CC and certifiers confirming evaluator actions