iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 15408-2:1999

(Main)

Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements

Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements

Technologies de l'information — Techniques de sécurité — Critères d'évaluation pour la sécurité TI — Partie 2: Exigences fonctionnelles de sécurité

General Information

Status
Withdrawn
Publication Date
15-Dec-1999
Withdrawal Date
15-Dec-1999
ICS
35.030 - IT Security
35.040 - Information coding
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 3 - Security evaluation, testing and specification
Current Stage
9599 - Withdrawal of International Standard
Completion Date
07-Oct-2005
Ref Project

Relations

Revised
ISO/IEC 15408-2:2005 - Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements
Effective Date
15-Apr-2008

Buy Standard

ISO/IEC 15408-2:1999 - Information technology -- Security techniques -- Evaluation criteria for IT securityISO/IEC 15408-2:1999 - Information technology -- Security techniques -- Evaluation criteria for IT security
PreviousNext
Standard
ISO/IEC 15408-2:1999 - Information technology -- Security techniques -- Evaluation criteria for IT security
English language
343 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 15408-2
First edition
1999-12-01
Information technology — Security
techniques — Evaluation criteria for IT
security —
Part 2:
Security functional requirements
Technologies de l'information — Techniques de sécurité — Critères
d'évaluation pour la sécurité TI —
Partie 2: Exigences fonctionnelles de sécurité
Reference number
bc
ISO/IEC 15408-2:1999(E)

---------------------- Page: 1 ----------------------
ISO/IEC 15408-2:1999(E)
©  ISO/IEC 1999
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland
Printed in Switzerland
ii

---------------------- Page: 2 ----------------------
©ISO/IEC ISO/IEC 15408-2:1999(E)
vii
Contents
1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Extending and maintaining functional requirements . . . . . . . . . . . . . . . . . 1
1.2 Organisation of ISO/IEC 15408-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Functional requirements paradigm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Security functional components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.1 Class structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.2 Family structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1.3 Component structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1.4 Permitted functional component operations . . . . . . . . . . . . . . . . . . . . . 13
2.2 Component catalogue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.1 Component changes highlighting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3 Class FAU: Security audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.1 Security audit automatic response (FAU_ARP) . . . . . . . . . . . . . . . . . . . . . 18
3.2 Security audit data generation (FAU_GEN) . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3 Security audit analysis (FAU_SAA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.4 Security audit review (FAU_SAR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.5 Security audit event selection (FAU_SEL) . . . . . . . . . . . . . . . . . . . . . . . . 26
3.6 Security audit event storage (FAU_STG) . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4 Class FCO: Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.1 Non-repudiation of origin (FCO_NRO) . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.2 Non-repudiation of receipt (FCO_NRR) . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5 Class FCS: Cryptographic support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.1 Cryptographic key management (FCS_CKM) . . . . . . . . . . . . . . . . . . . . . . 38
5.2 Cryptographic operation (FCS_COP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
6 Class FDP: User data protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
6.1 Access control policy (FDP_ACC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
6.2 Access control functions (FDP_ACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.3 Data authentication (FDP_DAU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
6.4 Export to outside TSF control (FDP_ETC) . . . . . . . . . . . . . . . . . . . . . . . . 52
6.5 Information flow control policy (FDP_IFC) . . . . . . . . . . . . . . . . . . . . . . . 54
6.6 Information flow control functions (FDP_IFF) . . . . . . . . . . . . . . . . . . . . . 56
6.7 Import from outside TSF control (FDP_ITC) . . . . . . . . . . . . . . . . . . . . . . . 61
6.8 Internal TOE transfer (FDP_ITT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.9 Residual information protection (FDP_RIP) . . . . . . . . . . . . . . . . . . . . . . . 66
6.10 Rollback (FDP_ROL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.11 Stored data integrity (FDP_SDI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
iii

---------------------- Page: 3 ----------------------
ISO/IEC 15408-2:1999(E) ©ISO/IEC
6.12 Inter-TSF user data confidentiality transfer protection (FDP_UCT) . . . . . 72
6.13 Inter-TSF user data integrity transfer protection (FDP_UIT) . . . . . . . . . . . 73
7 Class FIA: Identification and authentication . . . . . . . . . . . . . . . . . . . . . . . . 77
7.1 Authentication failures (FIA_AFL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7.2 User attribute definition (FIA_ATD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.3 Specification of secrets (FIA_SOS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
7.4 User authentication (FIA_UAU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
7.5 User identification (FIA_UID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
7.6 User-subject binding (FIA_USB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
8 Class FMT: Security management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
8.1 Management of functions in TSF (FMT_MOF) . . . . . . . . . . . . . . . . . . . . . 93
8.2 Management of security attributes (FMT_MSA) . . . . . . . . . . . . . . . . . . . . 94
8.3 Management of TSF data (FMT_MTD) . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
8.4 Revocation (FMT_REV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
8.5 Security attribute expiration (FMT_SAE) . . . . . . . . . . . . . . . . . . . . . . . . . 100
8.6 Security management roles (FMT_SMR) . . . . . . . . . . . . . . . . . . . . . . . . . . 101
9 Class FPR: Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
9.1 Anonymity (FPR_ANO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
9.2 Pseudonymity (FPR_PSE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
9.3 Unlinkability (FPR_UNL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
9.4 Unobservability (FPR_UNO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
10 Class FPT: Protection of the TSF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
10.1 Underlying abstract machine test (FPT_AMT) . . . . . . . . . . . . . . . . . . . . . 118
10.2 Fail secure (FPT_FLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
10.3 Availability of exported TSF data (FPT_ITA) . . . . . . . . . . . . . . . . . . . . . . 120
10.4 Confidentiality of exported TSF data (FPT_ITC) . . . . . . . . . . . . . . . . . . . 121
10.5 Integrity of exported TSF data (FPT_ITI) . . . . . . . . . . . . . . . . . . . . . . . . . 122
10.6 Internal TOE TSF data transfer (FPT_ITT) . . . . . . . . . . . . . . . . . . . . . . . . 124
10.7 TSF physical protection (FPT_PHP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
10.8 Trusted recovery (FPT_RCV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
10.9 Replay detection (FPT_RPL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
10.10 Reference mediation (FPT_RVM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
10.11 Domain separation (FPT_SEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
10.12 State synchrony protocol (FPT_SSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
10.13 Time stamps (FPT_STM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
10.14 Inter-TSF TSF data consistency (FPT_TDC) . . . . . . . . . . . . . . . . . . . . . . . 140
10.15 Internal TOE TSF data replication consistency (FPT_TRC) . . . . . . . . . . . 141
10.16 TSF self test (FPT_TST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
11 Class FRU: Resource utilisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
11.1 Fault tolerance (FRU_FLT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
11.2 Priority of service (FRU_PRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
11.3 Resource allocation (FRU_RSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
12 Class FTA: TOE access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
12.1 Limitation on scope of selectable attributes (FTA_LSA) . . . . . . . . . . . . . . 154
iv

---------------------- Page: 4 ----------------------
© ISO/IEC ISO/IEC 15408-2:1999(E)
12.2 Limitation on multiple concurrent sessions (FTA_MCS) . . . . . . . . . . . . . 155
12.3 Session locking (FTA_SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
12.4 TOE access banners (FTA_TAB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
12.5 TOE access history (FTA_TAH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
12.6 TOE session establishment (FTA_TSE) . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
13 Class FTP: Trusted path/channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
13.1 Inter-TSF trusted channel (FTP_ITC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
13.2 Trusted path (FTP_TRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Annex A Security functional requirements application notes . . . . . . . . . . . . . . . . . . 169
A.1 Structure of the notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
A.1.1 Class structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
A.1.2 Family structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
A.1.3 Component structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
A.2 Dependency table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Annex B Functional classes, families, and components . . . . . . . . . . . . . . . . . . . . . . . 179
Annex C Security audit (FAU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
C.1 Security audit automatic response (FAU_ARP) . . . . . . . . . . . . . . . . . . . . . 183
C.2 Security audit data generation (FAU_GEN) . . . . . . . . . . . . . . . . . . . . . . . . 184
C.3 Security audit analysis (FAU_SAA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
C.4 Security audit review (FAU_SAR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
C.5 Security audit event selection (FAU_SEL) . . . . . . . . . . . . . . . . . . . . . . . . 194
C.6 Security audit event storage (FAU_STG) . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Annex D Communication (FCO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
D.1 Non-repudiation of origin (FCO_NRO) . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
D.2 Non-repudiation of receipt (FCO_NRR) . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Annex E Cryptographic support (FCS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
E.1 Cryptographic key management (FCS_CKM) . . . . . . . . . . . . . . . . . . . . . . 209
E.2 Cryptographic operation (FCS_COP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Annex F User data protection (FDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
F.1 Access control policy (FDP_ACC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
F.2 Access control functions (FDP_ACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
F.3 Data authentication (FDP_DAU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
F.4 Export to outside TSF control (FDP_ETC) . . . . . . . . . . . . . . . . . . . . . . . . 227
F.5 Information flow control policy (FDP_IFC) . . . . . . . . . . . . . . . . . . . . . . . 229
F.6 Information flow control functions (FDP_IFF) . . . . . . . . . . . . . . . . . . . . . 232
F.7 Import from outside TSF control (FDP_ITC) . . . . . . . . . . . . . . . . . . . . . . . 238
F.8 Internal TOE transfer (FDP_ITT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
F.9 Residual information protection (FDP_RIP) . . . . . . . . . . . . . . . . . . . . . . . 245
F.10 Rollback (FDP_ROL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
F.11 Stored data integrity (FDP_SDI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
F.12 Inter-TSF user data confidentiality transfer protection (FDP_UCT) . . . . . 251
F.13 Inter-TSF user data integrity transfer protection (FDP_UIT) . . . . . . . . . . . 252
v

---------------------- Page: 5 ----------------------
ISO/IEC 15408-2:1999(E) ©ISO/IEC
Annex G Identification and authentication (FIA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
G.1 Authentication failures (FIA_AFL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
G.2 User attribute definition (FIA_ATD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
G.3 Specification of secrets (FIA_SOS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
G.4 User authentication (FIA_UAU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
G.5 User identification (FIA_UID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
G.6 User-subject binding (FIA_USB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Annex H Security management (FMT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
H.1 Management of functions in TSF (FMT_MOF) . . . . . . . . . . . . . . . . . . . . . 271
H.2 Management of security attributes (FMT_MSA) . . . . . . . . . . . . . . . . . . . . 273
H.3 Management of TSF data (FMT_MTD) . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
H.4 Revocation (FMT_REV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
H.5 Security attribute expiration (FMT_SAE) . . . . . . . . . . . . . . . . . . . . . . . . . 279
H.6 Security management roles (FMT_SMR) . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Annex I Privacy (FPR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
I.1 Anonymity (FPR_ANO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
I.2 Pseudonymity (FPR_PSE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
I.3 Unlinkability (FPR_UNL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
I.4 Unobservability (FPR_UNO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Annex J Protection of the TSF (FPT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
J.1 Underlying abstract machine test (FPT_AMT) . . . . . . . . . . . . . . . . . . . . . 303
J.2 Fail secure (FPT_FLS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
J.3 Availability of exported TSF data (FPT_ITA) . . . . . . . . . . . . . . . . . . . . . . 306
J.4 Confidentiality of exported TSF data (FPT_ITC) . . . . . . . . . . . . . . . . . . . 307
J.5 Integrity of exported TSF data (FPT_ITI) . . . . . . . . . . . . . . . . . . . . . . . . . 308
J.6 Internal TOE TSF data transfer (FPT_ITT) . . . . . . . . . . . . . . . . . . . . . . . . 310
J.7 TSF physical protection (FPT_PHP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
J.8 Trusted recovery (FPT_RCV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
J.9 Replay detection (FPT_RPL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
J.10 Reference mediation (FPT_RVM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
J.11 Domain separation (FPT_SEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
J.12 State synchrony protocol (FPT_SSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
J.13 Time stamps (FPT_STM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
J.14 Inter-TSF TSF data consistency (FPT_TDC) . . . . . . . . . . . . . . . . . . . . . . . 323
J.15 Internal TOE TSF data replication consistency (FPT_TRC) . . . . . . . . . . . 324
J.16 TSF self test (FPT_TST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Annex K Resource utilisation (FRU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
K.1 Fault tolerance (FRU_FLT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
K.2 Priority of service (FRU_PRS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
K.3 Resource allocation (FRU_RSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Annex L TOE access (FTA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
L.1 Limitation on scope of selectable attributes (FTA_LSA) . . . . . . . . . . . . . . 334
L.2 Limitation on multiple concurrent sessions (FTA_MCS) . . . . . . . . . . . . . 335
L.3 Session locking (FTA_SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
L.4 TOE access banners (FTA_TAB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
vi

---------------------- Page: 6 ----------------------
© ISO/IEC ISO/IEC 15408-2:1999(E)
L.5 TOE access history (FTA_TAH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
L.6 TOE session establishment (FTA_TSE) . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Annex M Trusted path/channels (FTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
M.1 Inter-TSF trusted channel (FTP_ITC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
M.2 Trusted path (FTP_TRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
vii

---------------------- Page: 7 ----------------------
ISO/IEC 15408-2:1999(E) ©ISO/IEC
reflecting the needs of the market. These security functional requirements are presented as the
current state of the art in requirements specification and evaluation.
This part of ISO/IEC 15408 does not presume to include all possible security functional
requirements but rather contains those that are known and agreed to be of value by the ISO/IEC
15408-2 authors at the time of release.
Since the understanding and needs of consumers may change, the functional requirements in this
part of ISO/IEC 15408 will need to be maintained. It is envisioned that some PP/ST authors may
have security needs not (yet) covered by the functional requirement components in ISO/IEC
15408-2. In those cases the PP/ST author may choose to consider using functional requirements
not taken from the standard (referred to as extensibility), as explained in Annexes B and C of ISO/
IEC 15408-1.
1.2 Organisation of ISO/IEC 15408-2
Clause 1 is the introductory material for ISO/IEC 15408-2.
Clause 2 introduces the catalogue of ISO/IEC 15408-2 functional components while clauses 3
through 13 describe the functional classes.
Annex A provides additional information of interest to potential users of the functional
components including a complete cross reference table of the functional component dependencies.
Annexes B through M provide the application notes for the functional classes. They are a
repository for informative supporting material for the users of this part of ISO/IEC 15408, which
may help them to apply relevant operations and select appropriate audit or documentation
information.
Those who author PPs or STs should refer to Clause 2 of ISO/IEC 15408-1 for relevant structures,
rules, and guidance:
- ISO/IEC 15408-1, clause 2 defines the terms used in ISO/IEC 15408.
- ISO/IEC 15408-1, Annex B defines the structure for PPs.
- ISO/IEC 15408-1, Annex C defines the structure for STs.
1.3 Functional requirements paradigm
This subclause describes the paradigm used in the security functional requirements of this part of
ISO/IEC 15408. Figures 1.1 and 1.2 depict some of the key concepts of the paradigm. This
subclause provides descriptive text for those figures and for other key concepts not depicted. Key
concepts discussed are highlighted in bold/italics. This subclause is not intended to replace or
supersede any of the terms found in the ISO/IEC 15408 glossary in ISO/IEC 15408-1, clause 2.
2

---------------------- Page: 8 ----------------------
©ISO/IEC ISO/IEC 15408-2:1999(E)

Target of Evaluation (TOE)
TOE Security Functions Interface (TSFI)
Human
TOE Security Functions
User
Security
(TSF)
/ Remote IT
Attributes
Product
Enforces TOE Security Policy
Subject
(TSP)
Object/
Subject
Information
Subject
Security
Security
Attributes
Security
Attributes
Attributes
Security Resource Process
User Attributes
Subject
TSF Scope of Control (TSC)
Figure 1.1 - Security functional requirements paradigm (Monolithic TOE)
This part of ISO/IEC 15408 is a catalogue of security functional requirements that can be specified
for a Target of Evaluation (TOE). A TOE is an IT product or system (along with user and
administrator guidance documentation) containing resources such as electronic storage media (e.g.
disks), peripheral devices (e.g. printers), and computing capacity (e.g. CPU time) that can be used
for processing and storing information and is the subject of an evaluation.
TOE evaluation is concerned primarily with ensuring that a defined TOE Security Policy (TSP) is
enforced over the TOE resources. The TSP defines the rules by which the TOE governs access to
its resources, and thus all information and services controlled by the TOE.
The TSP is, in turn, made up of multiple Security Function Policies (SFPs). Each SFP has a scope
of control, that defines the subjects, objects, and operations controlled under the SFP. The SFP is
implemented by a Security Function (SF), whose mechanisms enforce the policy and provide
necessary capabilities.
3

---------------------- Page: 9 ----------------------
ISO/IEC 15408-2:1999(E) ©ISO/IEC
Local (Internal TOE)
Local User
Trusted Path
Internal TOE Transfer
SF
SF
SF
SF
SF SF
Local TOE
Inter-TSF
Transfers
Transfer
Outside TSF
Control
Inter-TSF
Trusted
RF: Remote
Path
Function
Untrusted IT Product
Remote Trusted IT Product
Remote User
Figure 1.2 - Diagram of security functions in a distributed TOE
Those portions of a TOE that must be relied on for the correct enforcement of the TSP are
collectively referred to as the TOE Security Functions (TSF). The TSF consists of all hardware,
software, and firmware of a TOE that is either directly or indirectly relied upon for security
enforcement.
A reference monitor is an abstract machine that enforces the access control policies of a TOE. A
reference validation mechanism is an implementation of the reference monitor concept that
possesses the following properties: tamperproof, always invoked, and simple enough to be
subjected to thorough analysis and testing. The TSF may consist of a reference validation
mechanism and/or other security functions necessary for the operation of the TOE.
The TOE may be a monolithic product containing hardware, firmware, and software.
Alternatively a TOE may be a distributed product that consists internally of multiple separated
parts. Each of these parts of the TOE provides a particular service for the TOE, and is connected
to the other parts of the TOE through an internal communication channel. This channel can be as
small as a processor bus, or may encompass a network internal to the TOE.
4

---------------------- Page: 10 ----------------------
©ISO/IEC ISO/IEC 15408-2:1999(E)

When the TOE consists of multiple parts, each part of the TOE may have its own part of the TSF
which exchanges user and TSF data over internal communication channels with other parts of the
TSF. This interaction is called internal TOE transfer. In this case the separate parts of the TSF
abstractly form the composite TSF, which enforces the TSP.
TOE interfaces may be localised to the particular TOE, or they may allow interaction with other
IT products over external communication channels. These external interactions with other IT
products may take two forms:
a) The security policy of the ‘remote trusted IT product’ and the TSP of the local TOEs
have been administratively coordinated and evaluated. Exchanges of information in
this situation are called inter-TSF transfers, as they are between the TSFs of distinct
trusted products.
b) The remote IT product may not be evaluated, indicated in Figure 1.2 as ‘untrusted IT
product’, therefore its security policy is unknown. Exchanges of information in this
situation are called transfers outside TSF control, as there is no TSF (or its policy
characteristics are unknown) on the remote IT product.
The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP
is called the TSF Scope of Control (TSC). The TSC encompasses a defined set of interactions
based on subjects, objects, and operations within the TOE, but it need not encompass all resources
of a TOE.
The set of interfaces, whether interactive (man-machine interface) or programmatic (application
programming interface), through which resources are accessed that are mediated by the TSF, or
information is obtained from the TSF, is referred to as the TSF Interface (TSFI). The TSFI defines
the boundaries of the TOE functions that provide for the enforcement of the TSP.
Users are outside of the TOE, and therefore outside of the TSC. However, in order to request that
services be performed by the TOE, users interact with the TOE through the TSFI. There are two
types of users of interest to the ISO/IEC 15408-2 security functional requirements: human users
and external IT entities. Human users are further differentiated as local human users, meaning
they interact directly with the TOE via TOE devices (e.g. workstations), or remote human users,
meaning they interact indirectly with the TOE through another IT product.
A period of interaction between users and the TSF is referred to as a user session. Establishment
of user sessions can be controlled based on a variety of considerations, for example: user
authentication, time of day, method of accessing the TOE, and number of allowed concurrent
sessions per user.
This part of ISO/IEC 15408 uses the term authorised to signify a user who possesses the rights
and/or privileges necessary to perform an operation. The term authorised user, therefore, indicates
that it is allowable for a user to perform an operation as defined by the TSP.
To express requirements that call for the separation of administrator duties, the relevant ISO/IEC
15408-2 security functional components (from family FMT_SMR) explicitly state that
administrative roles are required. A role is a pre-defined set of rules establishing the allowed
interactions between a user and the TOE. A TOE may support the definition of any number of roles.
For example, roles related to the secure operation of a TOE may include “Audit Administrator”
and “User Accounts Administrator”.
5

---------------------- Page: 11 ----------------------
ISO/IEC 15408-2:1999(E) ©ISO/IEC
TOEs contain resources that may be used for the processing and storing of information. The
primary goal of the TSF is the complete and correct enforcement of the TSP over the resources and
information that the TOE controls.
TOE resources can be structured and utilised in many different ways. However, ISO/IEC 15408-2
makes a specific distinction that allows for the specification of desired security properties. All
entities that can be created from resources can be characterised in one of two ways. The entities
may be active, meaning that they are the cause of actions that occur internal to the TOE and cause
operations to be performed on information. Alternatively, the entities may be passive, meaning that
they are either the container from which information originates or to which information is stored.
Active entities are referred to as subjects. Several types of subjects may exist within a TOE:
a) those acting on behalf of an authorised user and which are subject to all the rules of the
TSP (e.g. UNIX processes);
b) those acting as a specific functional process that may in turn act on behalf of multiple
users (e.g. functions as might be found in client/server architectures); or
c) those acting as part of the TOE itself (e.g. trusted processes).
ISO/IEC 15408-2 addresses the enforcement of the TSP over types of subjects as those listed
above.
Passive entities (i.e. information containers) are referred to in the ISO/IEC 15408-2 security
functional requirements as objects. Objects are the targets of operations that may be performed by
subjects. In the case where a subject (an active entity) is the target of an operation (e.g. interprocess
communication), a subject may also be acted on as an object.
Objects can contain informatio
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 18032:2020(Main)
Information security — Prime number generation

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.

  • Standard
    33 pages
    English language
    sale 15% off
  • Draft
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC 24761:2019(Main)
Information technology — Security techniques — Authentication context for biometrics

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-time information of presentation attack detection is not provided in this document. Only the assurance information of presentation attack detection (PAD) mechanism can be contained in the BPU report. Biometric identification is out of the scope of this document. This document specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is defined in this document applying a data structure specified in Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.

  • Standard
    75 pages
    English language
    sale 15% off
ISO
ISO/IEC 30111:2019(Main)
Information technology — Security techniques — Vulnerability handling processes

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service. This document is applicable to vendors involved in handling vulnerabilities.

  • Standard
    13 pages
    English language
    sale 15% off
  • Standard
    15 pages
    French language
    sale 15% off
ISO
ISO/IEC 9798-2:2019(Main)
IT Security techniques — Entity authentication — Part 2: Mechanisms using authenticated encryption

This document specifies entity authentication mechanisms using authenticated encryption algorithms. Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms require an on-line trusted third party for the establishment of a common secret key. They also realize mutual or unilateral entity authentication. Annex A defines Object Identifiers for the mechanisms specified in this document.

  • Standard
    15 pages
    English language
    sale 15% off
ISO
ISO/IEC 9798-3:2019(Main)
IT Security techniques — Entity authentication — Part 3: Mechanisms using digital signature techniques

This document specifies entity authentication mechanisms using digital signatures based on asymmetric techniques. A digital signature is used to verify the identity of an entity. Ten mechanisms are specified in this document. The first five mechanisms do not involve an on-line trusted third party and the last five make use of on-line trusted third parties. In both of these two categories, two mechanisms achieve unilateral authentication and the remaining three achieve mutual authentication. Annex A defines the object identifiers assigned to the entity authentication mechanisms specified in this document.

  • Standard
    25 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 27008:2019(Main)
Information technology — Security techniques — Guidelines for the assessment of information security controls

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

  • Technical specification
    91 pages
    English language
    sale 15% off
ISO
ISO/IEC 10118-3:2018(Main)
IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions

This document specifies dedicated hash-functions, i.e. specially designed hash-functions. The hash-functions in this document are based on the iterative use of a round-function. Distinct round-functions are specified, giving rise to distinct dedicated hash-functions. The use of Dedicated Hash-Functions 1, 2 and 3 in new digital signature implementations is deprecated. NOTE As a result of their short hash-code length and/or cryptanalytic results, Dedicated Hash-Functions 1, 2 and 3 do not provide a sufficient level of collision resistance for future digital signature applications and they are therefore, only usable for legacy applications. However, for applications where collision resistance is not required, such as in hash-functions as specified in ISO/IEC 9797‑2, or in key derivation functions specified in ISO/IEC 11770‑6, their use is not deprecated. Numerical examples for dedicated hash-functions specified in this document are given in Annex B as additional information. For information purposes, SHA-3 extendable-output functions are specified in Annex C.

  • Standard
    398 pages
    English language
    sale 15% off
ISO
ISO/IEC 29147:2018(Main)
Information technology — Security techniques — Vulnerability disclosure

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides: — guidelines on receiving reports about potential vulnerabilities; — guidelines on disclosing vulnerability remediation information; — terms and definitions that are specific to vulnerability disclosure; — an overview of vulnerability disclosure concepts; — techniques and policy considerations for vulnerability disclosure; — examples of techniques, policies (Annex A), and communications (Annex B). Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111. This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.

  • Standard
    32 pages
    English language
    sale 15% off
  • Standard
    34 pages
    French language
    sale 15% off
ISO
ISO/IEC TS 19608:2018(Main)
Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This document provides guidance for: — selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII); — the procedure to define both privacy and security functional requirements in a coordinated manner; and — developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2. The intended audience for this document are: — developers who implement products or systems that deal with PII and want to undergo a security evaluation of those products using ISO/IEC 15408. They will get guidance how to select security functional requirements for the Security Target of their product or system that map to the privacy principles defined in ISO/IEC 29100; — authors of Protection Profiles that address the protection of PII; and — evaluators that use ISO/IEC 15408 and ISO/IEC 18045 for a security evaluation. This document is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this document and ISO/IEC 15408, the latter, as a normative standard, takes precedence.

  • Technical specification
    48 pages
    English language
    sale 15% off
ISO
ISO/IEC 27050-2:2018(Main)
Information technology — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery

This document provides guidance for technical and non-technical personnel at senior management levels within an organization, including those with responsibility for compliance with statuary and regulatory requirements, and industry standards. It describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.

  • Standard
    9 pages
    English language
    sale 15% off