3 - Common Criteria Flashcards
How many Evaluation Assurance Levels (EALs) are there?
7

What EAL typically would a commercial operating systems achieve?
EAL4
What EAL typically would a smart card receive?
EAL5
What is EAL1?
Functionally Tested
What is EAL2?
Structurally Tested
What is EAL3?
Methodically Tested and Checked
What is EAL4?
Methodically Designed, tested and reviewed
What is EAL5?
Semi-formally designed and tested
What is EAL6?
Semi-formally verified, designed and tested
What is EAL7?
Formally verified designed and tested
What is the security target (ST)?
Implementation-dependent statement of security needs for a specific identified TOE or The security target specifies what the vendor claims it can do and what options may be available Threat the product will mitigate and the security functional requirements
What is the protection profile (PP)?
The protection profile specify the areas that a product will be evaluated against (what do you want it to do?) E.g Network device, operating systems are example of protection profiles which list attributes to test the target of evaluation
What is the ISO for Evaluation Criteria for Information Technology Security
ISO 15408
What is the Target of Evaluation (TOE)
the product or system that is the subject of the evaluation
What do EAL 5-7 involve?
Formal mathematical verification of the design against how the system actually works.
Security assurance requirements (SARs)
The SARs are a description of how the TOE is to be evaluated. SARs are statements of the non functional requirements the TOE should have to have assurance. E.g Change mangement process how the source code is review/handled.
SAR is defined in part 3
Which ISO I required for common criteria testing laboratories?
ISO/IEC 17025
What are Security Objectives
intended solution to the problem specified by the security problem definition - How the TOE mitigates the threats defined by the Security Problem Definition
What is the Security Problem Definition?
describes the threats and assumptions about the operational environment.
What are SFR
How the TOE meets Security objectives. List of testable features. Detailed specification
What is TSF?
Trusted Security function - The part of the TOE being tested.
what is CEM
Common Methodology for Information Technology Security Evaluation (CEM)
Who is CEM for?
primarily evaluators applying the CC and certifiers confirming evaluator actions