ISO/IEC TR 19791:2006

TECHNICAL ISO/IEC
REPORT TR
19791
First edition
2006-05-15


Information technology — Security
techniques — Security assessment
of operational systems
Technologies de l'information — Techniques de sécurité — Évaluation
de la sécurité des systèmes opérationnels




Reference number
ISO/IEC TR 19791:2006(E)
©
ISO/IEC 2006

---------------------- Page: 1 ----------------------
ISO/IEC TR 19791:2006(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2006 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 19791:2006(E)
Contents Page
Foreword. v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 2
4 Abbreviated terms . 4
5 Structure of this Technical Report. 4
6 Technical approach . 5
6.1 The nature of operational systems . 5
6.2 Establishing operational system security. 5
6.3 Security in the operational system life cycle. 7
6.4 Relationship to other systems . 9
7 Extending ISO/IEC 15408 evaluation concepts to operational systems. 9
7.1 Overview . 9
7.2 General philosophy . 9
7.3 Operational system assurance. 11
7.4 Composite operational systems . 13
7.5 Types of security controls . 16
7.6 System security functionality. 17
7.7 Timing of evaluation. 18
7.8 Use of evaluated products. 19
7.9 Documentation requirements. 20
7.10 Testing activities. 20
7.11 Configuration management . 21
8 Relationship to existing security standards . 22
8.1 Overview . 22
8.2 Relationship to ISO/IEC 15408. 23
8.3 Relationship to non-evaluation standards. 24
8.4 Relationship to Common Criteria development . 24
9 Evaluation of operational systems . 24
9.1 Introduction . 24
9.2 Evaluation roles and responsibilities . 24
9.3 Risk assessment and determination of unacceptable risks . 26
9.4 Security problem definition . 27
9.5 Security objectives . 27
9.6 Security requirements. 27
9.7 The system security target (SST). 29
9.8 Periodic reassessment. 31
Annex A (normative) Operational system Protection Profiles and Security Targets. 32
A.1 Specification of System Security Targets.32
A.2 Specification of System Protection Profiles . 39
Annex B (normative) Operational system functional control requirements . 46
B.1 Introduction . 46
B.2 Class FOD: Administration . 48
B.3 Class FOS: IT systems . 56
B.4 Class FOA: User Assets. 66
© ISO/IEC 2006 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 19791:2006(E)
B.5 Class FOB: Business. 68
B.6 Class FOP: Facility and Equipment . 70
B.7 Class FOT: Third parties . 75
B.8 Class FOM: Management . 77
Annex C (normative) Operational system assurance requirements . 81
C.1 Introduction . 81
C.2 Class ASP: System Protection Profile evaluation . 88
C.3 Class ASS: System Security Target evaluation. 100
C.4 Class AOD: Operational system guidance document. 113
C.5 Class ASD: Operational System Architecture, Design and Configuration Documentation. 121
C.6 Class AOC: Operational System Configuration Management. 128
C.7 Class AOT: Operational System Test . 134
C.8 Class AOV: Operational System Vulnerability Analysis . 145
C.9 Class AOL: Operational system life cycle support. 153
C.10 Class ASI: System security installation and delivery. 154
C.11 Class ASO: Records on operational system. 158
Annex D (informative) Relationship to Common Criteria development. 162
Bibliography . 165

iv © ISO/IEC 2006 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 19791:2006(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report
of one of the following types:
⎯ type 1, when the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts;
⎯ type 2, when the subject is still under technical development or where for any other reason there is the
future but not immediate possibility of an agreement on an International Standard;
⎯ type 3, when the joint technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to
be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 19791, which is a Technical Report of type 2, was prepared by Joint Technical Committee
ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
The technical content of this Technical Report has been published as a Common Criteria Supporting
Document by the Common Criteria Development Board.
© ISO/IEC 2006 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 19791:2006(E)
Introduction
This support document defines extensions to ISO/IEC 15408 to enable the security assessment (evaluation)
of operational systems. ISO/IEC 15408, as currently defined, provides support for specifying the IT security
functionality that exists in products and systems. However, it does not capture certain critical aspects of an
operational system that must be precisely specified in order to effectively evaluate such a system.
This Technical Report provides extended evaluation criteria and guidance for assessing both the information
technology and the operational aspects of such systems. The document is primarily aimed at those who are
involved in the development, integration, deployment and security management of operational systems, as
well as evaluators seeking to apply ISO/IEC 15408 to such systems. It will be relevant to evaluation authorities
responsible for approving and confirming evaluator actions. Evaluation sponsors, and other parties interested
in operational system security, will be a secondary audience, for their background information.
Considering the complexity of this project and the need for additional work, the target has been defined to be
a type 2 Technical Report. In the future, once additional experience has been gained in this area, it is hoped
that it may be possible to convert this Technical Report into an International Standard to support
ISO/IEC 15408 specifically for evaluations of operational systems. Until some formalisation of an approach is
performed, it is considered unlikely that many operational system evaluations of this nature will be undertaken
due to the lack of specific guidance available, a gap that this TR is designed to fill.
There are fundamental issues in regard to the definition and use of the term system. ISO/IEC 15408, with its
focus on product evaluation, uses the term to include only the information technology (IT) aspects of the
system. The term operational system, as used within this Technical Report, covers the combination of
personnel, procedures and processes integrated with technology-based functions and mechanisms, applied
together to establish an acceptable level of residual risk in a defined operational environment.

vi © ISO/IEC 2006 – All rights reserved

---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 19791:2006(E)

Information technology — Security techniques — Security
assessment of operational systems
1 Scope
This Technical Report provides guidance and criteria for the security evaluation of operational systems. It
provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of
operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required
address evaluation of the operational environment surrounding the TOE, and the decomposition of complex
operational systems into security domains that can be separately evaluated.
This Technical Report provides
a) a definition and model for operational systems;
b) a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such
operational systems;
c) a methodology and process for performing the security evaluation of operational systems;
d) additional security evaluation criteria to address those aspects of operational systems not covered by the
ISO/IEC 15408 evaluation criteria.
This Technical Report permits the incorporation of security products evaluated against ISO/IEC 15408 into
operational systems evaluated as a whole using this Technical Report.
This Technical Report is limited to the security evaluation of operational systems and does not consider other
forms of system assessment. It does not define techniques for the identification, assessment and acceptance
of operational risk.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 15408-1:2005, Information technology — Security techniques — Evaluation criteria for IT security —
Part 1: Introduction and general model
ISO/IEC 15408-2:2005, Information technology — Security techniques — Evaluation criteria for IT security —
Part 2: Security functional requirements
ISO/IEC 15408-3:2005, Information technology — Security techniques — Evaluation criteria for IT security —
Part 3: Security assurance requirements
© ISO/IEC 2006 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC TR 19791:2006(E)
3 Terms and definitions
For the purposes of this document, terms and definitions given in ISO/IEC 15408-1:2005 and the following
apply.
3.1
component
identifiable and distinct portion of an operational system that implements part of that system’s functionality
3.2
external operational system
separate operational system which interfaces to the operational system that is the subject of evaluation
3.3
management controls
security controls (i.e., safeguards and countermeasures) for an information system that focus on the
management of risk and the management of information system security
[NIST SP 800-53]
3.4
operational controls
security controls (i.e., safeguards and countermeasures) for an information system that primarily are
implemented and executed by people (as opposed to systems)
[NIST SP 800-53]
3.5
operational system
information system, including its non-IT aspects, considered in the context of its operating environment
3.6
residual risk
risk that remains after risk treatment
[ISO/IEC 13335-1:2004]
3.7
risk
potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm
to the organization
NOTE Risk is measured in terms of a combination of the probability of an event and its consequence.
[ISO/IEC 13335-1:2004]
3.8
risk analysis
systematic approach of estimating the magnitude of risks
[ISO/IEC 13335-1:2004]
3.9
risk assessment
process of combining risk identification, risk analysis and risk evaluation
[ISO/IEC 13335-1:2004]
2 © ISO/IEC 2006 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC TR 19791:2006(E)
3.10
risk management
total process of identifying, controlling and eliminating or minimizing uncertain events that may affect system
resources
NOTE Adapted from ISO/IEC 13335-1:2004. Risk management typically includes risk assessment, risk treatment,
risk acceptance and risk communication (exchange or sharing of information about risk between the decision-maker and
other stakeholders).
3.11
risk treatment
process of selection and implementation of security controls to modify risk
NOTE Adapted from ISO/IEC 13335-1:2004.
3.12
security controls
management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an
information system to protect the confidentiality, integrity, and availability of the system and its information
[NIST SP 800-53]
NOTE This definition is intended to include controls that provide accountability, authenticity, non-repudiation, privacy
and reliability, which are sometimes considered as distinct from confidentiality, integrity and availability.
3.13
security domain
portion of an operational system that implements the same set of security policies
3.14
subsystem
one or more operational system components that are capable of execution separately from the rest of the
system
3.15
system target of evaluation
operational system that is being operated in accordance with its operational guidance, including both technical
and operational controls
NOTE Operational controls form part of the operational environment. They are not evaluated in ISO/IEC 15408
evaluation.
3.16
technical controls
security controls (i.e., safeguards and countermeasures) for an information system that are primarily
implemented and executed by the information system through mechanisms contained in the hardware,
software, or firmware components of the system
[NIST SP 800-53]
3.17
verification
assessment processes used to confirm that the security controls for an operational system are implemented
correctly and are effective in their application
3.18
vulnerability
flaw, weakness or property of the design or implementation of an information system (including its security
controls) or its environment that could be intentionally or unintentionally exploited to adversely effect an
organization’s assets or operations
© ISO/IEC 2006 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC TR 19791:2006(E)
4 Abbreviated terms
For the purposes of this document, the abbreviated terms given in ISO/IEC 15408-1:2005 and the following
apply.
COTS Commercial Off The Shelf
ETR Evaluation Technical Report
ISMS Information Security Management System
OSF Operational Security Functionality
SP Special Publication
SPP System Protection Profile
SSA System Security Assurance
SSF System Security Functionality
SST System Security Target
STOE System Target of Evaluation
5 Structure of this Technical Report
Clauses 1 to 4 contain introductory and reference material, and are followed by this overview of the contents
of the Report (Clause 5).
Clause 6, Technical approach, describes the technical approach to operational systems assessment used in
this Technical Report.
Clause 7, Extending ISO/IEC 15408 evaluation concepts to operational systems, describes how
ISO/IEC 15408 evaluation concepts have been extended for use in operational system evaluation.
Clause 8, Relationship to existing security standards, describes the relationship between this Technical
Report and other security standards which have been used in its development.
Clause 9, Evaluation of operational systems, contains requirements for specification of security problems,
security objectives, security requirements, SST contents and periodic reassessment which are needed in
order to evaluate operational systems.
Annex A, Operational system Security Targets and System Protection Profiles, defines the security
requirement specifications needed for operational systems.
Annex B, Operational system functional control requirements, defines the additional security functional
requirements needed for operational systems.
Annex C, Operational system assurance requirements, defines the additional security assurance requirements
needed for operational systems.
Annex D, Relationship to Common Criteria development, identifies necessary differences between the
evaluation of operational systems and product evaluation based upon proposed changes to the Common
Criteria.
4 © ISO/IEC 2006 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC TR 19791:2006(E)
6 Technical approach
6.1 The nature of operational systems
For the purposes of this Technical Report, an operational system is defined as an information system,
including its non-IT aspects, considered in the context of its operating environment.
Many operational systems are complex in nature, made up of a combination of subsystems that are partially
proprietary and unique in nature, and partially constructed using bought-in general products. They interact
with and have dependencies upon other systems. An operational system is typically built using components
from multiple vendors. These components may be integrated to compose the operational system by an
integrator that does not perform any development functions, only configuration and interconnection.
However, operational systems typically:
⎯ are under the control of a single entity, the operational system owner;
⎯ are built against specific needs, for a specific type of operation;
⎯ change frequently; either in technical set-up and/or in operational requirements;
⎯ contain a considerable (or even large) number of components;
⎯ contain bought-in components that possess a large number of possible configuration alternatives;
⎯ enable the operational system owner to balance technical (and specifically IT) and non-technical security
measures;
⎯ contain components with different degrees and types of security assurance.
6.2 Establishing operational system security
Secure products offer an important contribution to operational system security and indeed the use of products
evaluated against ISO/IEC 15408 may be preferable in construction of a secure operational system. However,
security problems in operational systems are caused not only from product problems but also from operational
system problems in a real operational environment, such as poor application of bug fixes, poor setting of
access control parameters or filtering rules of a firewall, poor linking of files directories, etc. Furthermore, in
the case of a network, the security level of an operational system connected to the network might be of
concern to other operational systems that have to communicate with it.
This Technical Report is based upon a three step approach to establishing the necessary level of security for
an operational system:
a) risk assessment, to determine the security risks applicable to a system;
b) risk reduction, to counter or eliminate security risks by the selection, application and assessment of
security controls;
c) accreditation, to confirm that the residual risks remaining within the system after the controls are applied
are appropriate for the system to be used in live operation.
Conceptually, this three step process is shown in Figure 1 following.
This Technical Report addresses only the middle step of the three step process, namely risk reduction through
the selection, application and assessment of security controls. To do this, it uses a security evaluation
approach, based upon the security evaluation model for IT security controls defined in ISO/IEC 15408, but
extended to deal with all types of security controls.
© ISO/IEC 2006 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC TR 19791:2006(E)
Techniques and methods for risk assessment are beyond the scope of this report. For more information on
risk assessment, see part 3 of ISO/IEC 13335 [1].
NOTE Note that part 3 of ISO/IEC 13335-3 is a Technical Report. International Standard ISO/IEC 27005, when
published, will supersede ISO/IEC TR 13335.
Techniques and models for accreditation are a management responsibility, beyond the scope of this report.
For more information on one possible approach, see NIST SP 800-37 [2].
The security evaluation model of ISO/IEC 15408 excludes consideration of the operational environment
surrounding the IT portion of the information system. The operational environment is treated as assumptions
in ISO/IEC 15408 evaluation, but cannot be discounted for operational systems. Typically, operational
systems are reliant on non-IT security measures, e.g. measures of an administrative or physical nature. There
is therefore a need to define ways to express and evaluate such requirements and controls, as an extension
to the ISO/IEC 15408 specification criteria. This Technical Report extends ISO/IEC 15408 to do this.
Risk Assessment
Risk identification
Risk analysis
Risk evaluation
Selection of controls
Specification of controls in the System
Security Target (SST)
Application of controls
Risk Reduction
(Scope of this
Application of security controls to the
Technical Report)
System Target of Evaluation (STOE)
Assessment of controls
Evaluation of compliance with the SST
Accreditation
Acceptance of residual risks
Figure 1 — Process for establish
...