iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 15408-3:1999

(Main)

Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements

Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements

Technologies de l'information — Techniques de sécurité — Critères d'évaluation pour la sécurité TI — Partie 3: Exigences d'assurance de sécurité

General Information

Status
Withdrawn
Publication Date
15-Dec-1999
Withdrawal Date
15-Dec-1999
ICS
35.030 - IT Security
35.040 - Information coding
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 3 - Security evaluation, testing and specification
Current Stage
9599 - Withdrawal of International Standard
Completion Date
07-Oct-2005
Ref Project

Relations

Revised
ISO/IEC 15408-3:2005 - Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements
Effective Date
15-Apr-2008

Buy Standard

ISO/IEC 15408-3:1999 - Information technology -- Security techniques -- Evaluation criteria for IT securityISO/IEC 15408-3:1999 - Information technology -- Security techniques -- Evaluation criteria for IT security
PreviousNext
Standard
ISO/IEC 15408-3:1999 - Information technology -- Security techniques -- Evaluation criteria for IT security
English language
213 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

ISO/IEC 15408-3:1999(E)
©  ISO/IEC 1999
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland
Printed in Switzerland
ii

---------------------- Page: 1 ----------------------
© ISO/IEC                                        ISO/IEC 15408-3:1999(E)
Contents
1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Organisation of ISO/IEC 15408-3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 ISO/IEC 15408 assurance paradigm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2.1 ISO/IEC 15408 philosophy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.2 Assurance approach. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.3 The ISO/IEC 15408 evaluation assurance scale . . . . . . . . . . . . . . . . . 4
2 Security assurance requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1 Class structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.2 Assurance family structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.3 Assurance component structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.4 Assurance elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1.5 EAL structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1.6 Relationship between assurances and assurance levels. . . . . . . . . . . . 13
2.2 Component taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 Protection Profile and Security Target evaluation criteria class structure . 13
2.4 Usage of terms in ISO/IEC 15408-3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.5 Assurance categorisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.6 Assurance class and family overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.6.1 Class ACM: Configuration management . . . . . . . . . . . . . . . . . . . . . . 16
2.6.2 Class ADO: Delivery and operation . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.6.3 Class ADV: Development. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.6.4 Class AGD: Guidance documents. . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.6.5 Class ALC: Life cycle support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.6.6 Class ATE: Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.6.7 Class AVA: Vulnerability assessment . . . . . . . . . . . . . . . . . . . . . . . . 20
2.7 Maintenance categorisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.8 Maintenance of assurance class and family overview . . . . . . . . . . . . . . . . 21
2.8.1 Class AMA: Maintenance of assurance . . . . . . . . . . . . . . . . . . . . . . . 21
3 Protection Profile and Security Target evaluation criteria . . . . . . . . . . . . 23
3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2 Protection Profile criteria overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2.1 Protection Profile evaluation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2.2 Relation to the Security Target evaluation criteria . . . . . . . . . . . . . . . 23
3.2.3 Evaluator tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3 Security Target criteria overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3.1 Security Target evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3.2 Relation to the other evaluation criteria in this part of ISO/IEC 15408 24
3.3.3 Evaluator tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4 Class APE: Protection Profile evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.1 TOE description (APE_DES) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.2 Security environment (APE_ENV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.3 PP introduction (APE_INT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
iii

---------------------- Page: 2 ----------------------
ISO/IEC 15408-3:1999(E)                                          © ISO/IEC
4.4 Security objectives (APE_OBJ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.5 IT security requirements (APE_REQ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.6 Explicitly stated IT security requirements (APE_SRE) . . . . . . . . . . . . . . . 36
5 Class ASE: Security Target evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.1 TOE description (ASE_DES) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
5.2 Security environment (ASE_ENV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.3 ST introduction (ASE_INT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.4 Security objectives (ASE_OBJ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.5 PP claims (ASE_PPC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.6 IT security requirements (ASE_REQ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.7 Explicitly stated IT security requirements (ASE_SRE) . . . . . . . . . . . . . . . 49
5.8 TOE summary specification (ASE_TSS) . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6 Evaluation assurance levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.1 Evaluation assurance level (EAL) overview . . . . . . . . . . . . . . . . . . . . . . . 53
6.2 Evaluation assurance level details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2.1 EAL1 - functionally tested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.2.2 EAL2 - structurally tested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.2.3 EAL3 - methodically tested and checked . . . . . . . . . . . . . . . . . . . . . . 58
6.2.4 EAL4 - methodically designed, tested, and reviewed. . . . . . . . . . . . . 60
6.2.5 EAL5 - semiformally designed and tested . . . . . . . . . . . . . . . . . . . . . 62
6.2.6 EAL6 - semiformally verified design and tested . . . . . . . . . . . . . . . . 64
6.2.7 EAL7 - formally verified design and tested . . . . . . . . . . . . . . . . . . . . 66
7 Assurance classes, families, and components . . . . . . . . . . . . . . . . . . . . . . . . 69
8 Class ACM: Configuration management . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
8.1 CM automation (ACM_AUT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
8.2 CM capabilities (ACM_CAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
8.3 CM scope (ACM_SCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
9 Class ADO: Delivery and operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
9.1 Delivery (ADO_DEL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
9.2 Installation, generation and start-up (ADO_IGS) . . . . . . . . . . . . . . . . . . . . 90
10 Class ADV: Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
10.1 Functional specification (ADV_FSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
10.2 High-level design (ADV_HLD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
10.3 Implementation representation (ADV_IMP) . . . . . . . . . . . . . . . . . . . . . . . 109
10.4 TSF internals (ADV_INT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
10.5 Low-level design (ADV_LLD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
10.6 Representation correspondence (ADV_RCR) . . . . . . . . . . . . . . . . . . . . . . 122
10.7 Security policy modeling (ADV_SPM) . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
11 Class AGD: Guidance documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
11.1 Administrator guidance (AGD_ADM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
11.2 User guidance (AGD_USR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
iv

---------------------- Page: 3 ----------------------
© ISO/IEC                                        ISO/IEC 15408-3:1999(E)
12 Class ALC: Life cycle support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
12.1 Development security (ALC_DVS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
12.2 Flaw remediation (ALC_FLR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
12.3 Life cycle definition(ALC_LCD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
12.4 Tools and techniques (ALC_TAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
13 Class ATE: Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
13.1 Coverage (ATE_COV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
13.2 Depth (ATE_DPT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
13.3 Functional tests (ATE_FUN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
13.4 Independent testing (ATE_IND) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
14 Class AVA: Vulnerability assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
14.1 Covert channel analysis (AVA_CCA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
14.2 Misuse (AVA_MSU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
14.3 Strength of TOE security functions (AVA_SOF) . . . . . . . . . . . . . . . . . . . . 178
14.4 Vulnerability analysis (AVA_VLA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
15 Assurance maintenance paradigm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
15.2 Assurance maintenance cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
15.2.1 TOE acceptance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
15.2.2 TOE monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
15.2.3 Re-evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
15.3 Assurance maintenance class and families . . . . . . . . . . . . . . . . . . . . . . . . . 192
15.3.1 Assurance maintenance plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
15.3.2 TOE component categorisation report . . . . . . . . . . . . . . . . . . . . . . . . 193
15.3.3 Evidence of assurance maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . 194
15.3.4 Security impact analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
16 Class AMA: Maintenance of assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
16.1 Assurance maintenance plan (AMA_AMP) . . . . . . . . . . . . . . . . . . . . . . . . 198
16.2 TOE component categorisation report (AMA_CAT) . . . . . . . . . . . . . . . . . 201
16.3 Evidence of assurance maintenance (AMA_EVD) . . . . . . . . . . . . . . . . . . 203
16.4 Security impact analysis (AMA_SIA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Annex A Cross reference of assurance component dependencies . . . . . . . . . . . . . . . 209
Annex B Cross reference of EALs and assurance components . . . . . . . . . . . . . . . . . 213
v

---------------------- Page: 4 ----------------------
ISO/IEC 15408-3:1999(E)                                         © ISO/IEC
List of Figures
Figure 2.1 - Assurance class/family/component/element hierarchy . . . . . . . . . . . . . . . . . . . 6
Figure 2.2 - Assurance component structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Figure 2.3 - EAL structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Figure 2.4 - Assurance and assurance level association . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Figure 2.5 - Sample class decomposition diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 4.1 - Protection Profile evaluation class decomposition . . . . . . . . . . . . . . . . . . . . . . 27
Figure 5.1 - Security Target evaluation class decomposition . . . . . . . . . . . . . . . . . . . . . . . . 39
Figure 8.1 - Configuration management class decomposition . . . . . . . . . . . . . . . . . . . . . . . 71
Figure 9.1 - Delivery and operation class decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Figure 10.1 - Development class decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Figure 10.2 - Relationships between TOE representations and requirements . . . . . . . . . . . . 95
Figure 11.1 - Guidance documents class decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Figure 12.1 - Life-cycle support class decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Figure 13.1 - Tests class decomposition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Figure 14.1 - Vulnerability assessment class decomposition . . . . . . . . . . . . . . . . . . . . . . . . . 167
Figure 15.1 - Example assurance maintenance cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Figure 15.2 - Example TOE acceptance approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Figure 15.3 - Example TOE monitoring approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Figure 16.1 - Maintenance of assurance class decomposition . . . . . . . . . . . . . . . . . . . . . . . . 197
vi

---------------------- Page: 5 ----------------------
© ISO/IEC                                        ISO/IEC 15408-3:1999(E)
List of Tables
Table 2.1 - Assurance family breakdown and mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Table 2.2 - Maintenance of assurance class decomposition . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 3.1 - Protection Profile families - only ISO/IEC 15408 requirements . . . . . . . . . . . 24
Table 3.2 - Protection Profile families - ISO/IEC 15408 extended requirements . . . . . . . . 24
Table 3.3 - Security Target families - only ISO/IEC 15408 requirements . . . . . . . . . . . . . 25
Table 3.4 - Security Target families - ISO/IEC 15408 extended requirements . . . . . . . . . 25
Table 6.1 - Evaluation assurance level summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Table 6.2 - EAL1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 6.3 - EAL2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 6.4 - EAL3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Table 6.5 - EAL4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Table 6.6 - EAL5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Table 6.7 - EAL6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table 6.8 - EAL7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Table 15.1 - Maintenance of assurance family breakdown and mapping . . . . . . . . . . . . . . . 192
Table A.1 - Assurance component dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Table A.2 - AMA Internal Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table B.1 - Evaluation assurance level summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
vii

---------------------- Page: 6 ----------------------
ISO/IEC 15408-3:1999(E) © ISO/IEC
1.2.1 ISO/IEC 15408 philosophy
The ISO/IEC 15408 philosophy is that the threats to security and organisational security policy
commitments should be clearly articulated and the proposed security measures be demonstrably
sufficient for their intended purpose.
Furthermore, measures should be adopted that reduce the likelihood of vulnerabilities, the ability
to exercise (i.e. intentionally exploit or unintentionally trigger) a vulnerability, and the extent of
the damage that could occur from a vulnerability being exercised. Additionally, measures should
be adopted that facilitate the subsequent identification of vulnerabilities and the elimination,
mitigation, and/or notification that a vulnerability has been exploited or triggered.
1.2.2 Assurance approach
The ISO/IEC 15408 philosophy is to provide assurance based upon an evaluation (active
investigation) of the IT product or system that is to be trusted. Evaluation has been the traditional
means of providing assurance and is the basis for prior evaluation criteria documents. In aligning
the existing approaches, ISO/IEC 15408 adopts the same philosophy. ISO/IEC 15408 proposes
measuring the validity of the documentation and of the resulting IT product or system by expert
evaluators with increasing emphasis on scope, depth, and rigour.
ISO/IEC 15408 does not exclude, nor does it comment upon, the relative merits of other means of
gaining assurance. Research continues with respect to alternative ways of gaining assurance. As
mature alternative approaches emerge from these research activities, they will be considered for
inclusion in the standard, which is so structured as to allow their future introduction.
1.2.2.1 Significance of vulnerabilities
It is assumed that there are threat agents that will actively seek to exploit opportunities to violate
security policies both for illicit gains and for well-intentioned, but nonetheless insecure actions.
Threat agents may also accidentally trigger security vulnerabilities, causing harm to the
organisation. Due to the need to process sensitive information and the lack of availability of
sufficiently trusted products or systems, there is significant risk due to failures of IT. It is, therefore,
likely that IT security breaches could lead to significant loss.
IT security breaches arise through the intentional exploitation or the unintentional triggering of
vulnerabilities in the application of IT within business concerns.
Steps should be taken to prevent vulnerabilities arising in IT products and systems. To the extent
feasible, vulnerabilities should be:
a) eliminated — that is, active steps should be taken to expose, and remove or neutralise,
all exercisable vulnerabilities;
b) minimised — that is, active steps should be taken to reduce, to an acceptable residual
level, the potential impact of any exercise of a vulnerability;
c) monitored — that is, active steps should be taken to ensure that any attempt to exercise
a residual vulnerability will be detected so that steps can be taken to limit the damage.
2

---------------------- Page: 7 ----------------------
© ISO/IEC ISO/IEC 15408-3:1999(E)
1.2.2.2 Cause of vulnerabilities
Vulnerabilities can arise through failures in:
a) requirements — that is, an IT product or system may possess all the functions and
features required of it and still contain vulnerabilities that render it unsuitable or
ineffective with respect to security;
b) construction — that is, an IT product or system does not meet its specifications and/or
vulnerabilities have been introduced as a result of poor constructional standards or
incorrect design choices;
c) operation — that is, an IT product or system has been constructed correctly to a correct
specification but vulnerabilities have been introduced as a result of inadequate controls
upon the operation.
1.2.2.3 ISO/IEC 15408 assurance
Assurance is grounds for confidence that an IT product or system meets its security objectives.
Assurance can be derived from reference to sources such as unsubstantiated assertions, prior
relevant experience, or specific experience. However, the standard provides assurance through
active investigation. Active investigation is an evaluation of the IT product or system in order to
determine its security properties.
1.2.2.4 Assurance through evaluation
Evaluation has been the traditional means of gaining assurance, and is the basis of the ISO/IEC
15408 approach. Evaluation techniques can include, but are not limited to:
a) analysis and checking of process(es) and procedure(s);
b) checking that process(es) and procedure(s) are being applied;
c) analysis of the correspondence between TOE design representations;
d) analysis of the TOE design representation against the requirements;
e) verification of proofs;
f) analysis of guidance documents;
g) analysis of functional tests developed and the results provided;
h) independent functional testing;
i) analysis for vulnerabilities (including flaw hypothesis);
j) penetration testing.
3

---------------------- Page: 8 ----------------------
ISO/IEC 15408-3:1999(E) © ISO/IEC
1.2.3 The ISO/IEC 15408 evaluation assurance scale
The ISO/IEC 15408 philosophy asserts that greater assurance results from the application of
greater evaluation effort, and that the goal is to apply the minimum effort required to provide the
necessary level of assurance. The increasing level of effort is based upon:
a) scope — that is, the effort is greater because a larger portion of the IT product or
system is included;
b) depth — that is, the effort is greater because it is deployed to a finer level of design and
implementation detail;
c) rigour — that is, the effort is greater because it is applied in a more structured, formal
manner.
4

---------------------- Page: 9 ----------------------
© ISO/IEC ISO/IEC 15408-3:1999(E)
2 Security assurance requirements
2.1 Structures
The following subclauses describe the constructs used in representing the assurance classes,
families, components, and EALs along with the relationships among them.
Figure 2.1 illustrates the assurance requirements defined in this part of ISO/IEC 15408. Note that
the most abstract collection of assurance requirements is referred to as a class. Each class contains
assurance families, which then contain assurance components, which in turn contain assurance
elements. Classes and families are used to provide a taxonomy for classifying assurance
requirements, while components are used to specify assurance requirements in a PP/ST.
2.1.1 Class structure
Figure 2.1 illustrates the assurance class structure.
2.1.1.1 Class name
Each assurance class is assigned a unique name. The name indicates the topics covered by the
assurance class.
A unique short form of the assurance class name is also provided. This is the primary means for
referencing the assurance class. The convention adopted is an “A” followed by two letters related
to the class name.
2.1.1.2 Class introduction
Each assurance class has an introductory subclause that describes the composition of the class and
contains supportive text covering the intent of the class.
2.1.1.3 Assurance families
Each assurance class contains at least one assurance family. The structure of the assurance families
is described in the following subclause.
5

---------------------- Page: 10 ----------------------
ISO/IEC 15408-3:1999(E) © ISO/IEC
Common criteria assurance requirements
Assurance class
Class name
Class introduction
Assurance family
Family name
Objectives
Component levelling
Application notes
Assurance component
Component identification
Objectives
Application notes
Dependencies
Assurance element
Assurance elements
Assurance elements
Figure 2.1 - Assurance class/family/component/element hierarchy
2.1.2 Assurance family structure
Figure 2.1 illustrates the assurance family structure.
6

---------------------- Page: 11 ----------------------
© ISO/IEC ISO/IEC 15408-3:1999(E)
2.1.2.1 Family name
Every assurance family is assigned a unique name. The name provides descriptive information
about the topics covered by the assurance family. Each assurance family is placed within the
assurance class that contains other families with the same intent.
A unique short form of the assurance family name is also provided. This is the primary means used
to reference the assurance family. The convention adopted is that the short form of the class name
is used, followed by an underscore, and then three letters related to the family name.
2.1.2.2 Objectives
The objectives subclause of the assurance family presents the intent of the assurance family.
This subclause describes the objectives, particularly those related to the ISO/IEC 15408 assurance
paradigm, that the family is intended to address. The description for the assurance family is kept at
a general level. Any specific details required for objectives are incorporated in the particular
assurance component.
2.1.2.3 Component levelling
Each assurance family contains one or more assurance components. This subclause of the
assurance family describes the components available and explains the distinctions between them.
Its main purpose is to differentiate between the assurance components once it has been determined
that the assurance family is a necessary or useful part of the assurance requirements for a PP/ST.
Assurance families containing more than one component are levelled and rationale is provided as
to how the components are levelled. This rationale is in terms of scope, depth, and/or rigour.
2.1.2.4 Application notes
The application notes subclause of the assurance family, if present, contains additional information
for the assurance family. This information should be of particular interest to users of the assurance
family (e.g. PP and ST authors, designers of TOEs, evaluators). The presentation is informal and
covers, for example, warnings about limitations of use and areas where specific attention may be
required.
2.1.2.5 Assurance components
Each assurance family has at least one assurance component. The structure of the assurance
components is provided in the following subclause.
2.1.3 Assurance component structure
Figure 2.2 illustrates the assurance component structure.
7

---------------------- Page: 12 ----------------------
ISO/IEC 15408-3:1999(E) © ISO/IEC
Assurance
Component
component
identification
Objectives
Application
notes
Dependencies
Assurance
elements
Figure 2.2 - Assurance component structure
The relationship between components within a family is highlighted using a bolding convention.
Those parts of the requirements that are new, enhanced or modified beyond the requirements of the
previous component within a hierarchy are bolded. The same bolding convention is also used for
dependencies.
2.1.3.1 Component identification
The component identification subclause provides descriptive information necessary to identify,
categorise, register, and reference a component.
Every assurance component is assigned a unique name. The name provides descriptive information
about the topics covered by the assurance component. Each assurance component is placed within
the assurance family that shares its security objective.
A unique short form of the assurance component name is also provided. This is the primary means
used to reference the assurance component. The convention used is that the short form of the family
name is used, followed by a period, and then a numeric character. The numeric characters for the
components within each family are assigned sequentially, starting from 1.
2.1.3.2 Objectives
The objectives subclause of the assurance component, if present, contains specific objectives for
the particular assurance component. For those assurance components that have this subclause, it
presents the specific intent of the component and a more detailed explanation of the objectives.
2.1.3.3 Application notes
The application notes subclause of an assurance component, if present, contains additional
information to facilitate the use of the component.
8

---------------------- Page: 13 ----------------------
© ISO/IEC ISO/IEC 15408-3:1999(E)
2.1.3.4 Dependencies
Dependencies among assurance components arise when a component is not self-sufficient, and
relies upon the presence of another component.
Each assurance component provides a complete list of dependencies to other assurance
components. Some components may list “No dependencies”, to indicate that no dependencies have
been identified. The components d
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 18032:2020(Main)
Information security — Prime number generation

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.

  • Standard
    33 pages
    English language
    sale 15% off
  • Draft
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC 24761:2019(Main)
Information technology — Security techniques — Authentication context for biometrics

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-time information of presentation attack detection is not provided in this document. Only the assurance information of presentation attack detection (PAD) mechanism can be contained in the BPU report. Biometric identification is out of the scope of this document. This document specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is defined in this document applying a data structure specified in Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.

  • Standard
    75 pages
    English language
    sale 15% off
ISO
ISO/IEC 30111:2019(Main)
Information technology — Security techniques — Vulnerability handling processes

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service. This document is applicable to vendors involved in handling vulnerabilities.

  • Standard
    13 pages
    English language
    sale 15% off
  • Standard
    15 pages
    French language
    sale 15% off
ISO
ISO/IEC 9798-2:2019(Main)
IT Security techniques — Entity authentication — Part 2: Mechanisms using authenticated encryption

This document specifies entity authentication mechanisms using authenticated encryption algorithms. Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms require an on-line trusted third party for the establishment of a common secret key. They also realize mutual or unilateral entity authentication. Annex A defines Object Identifiers for the mechanisms specified in this document.

  • Standard
    15 pages
    English language
    sale 15% off
ISO
ISO/IEC 9798-3:2019(Main)
IT Security techniques — Entity authentication — Part 3: Mechanisms using digital signature techniques

This document specifies entity authentication mechanisms using digital signatures based on asymmetric techniques. A digital signature is used to verify the identity of an entity. Ten mechanisms are specified in this document. The first five mechanisms do not involve an on-line trusted third party and the last five make use of on-line trusted third parties. In both of these two categories, two mechanisms achieve unilateral authentication and the remaining three achieve mutual authentication. Annex A defines the object identifiers assigned to the entity authentication mechanisms specified in this document.

  • Standard
    25 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 27008:2019(Main)
Information technology — Security techniques — Guidelines for the assessment of information security controls

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

  • Technical specification
    91 pages
    English language
    sale 15% off
ISO
ISO/IEC 10118-3:2018(Main)
IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions

This document specifies dedicated hash-functions, i.e. specially designed hash-functions. The hash-functions in this document are based on the iterative use of a round-function. Distinct round-functions are specified, giving rise to distinct dedicated hash-functions. The use of Dedicated Hash-Functions 1, 2 and 3 in new digital signature implementations is deprecated. NOTE As a result of their short hash-code length and/or cryptanalytic results, Dedicated Hash-Functions 1, 2 and 3 do not provide a sufficient level of collision resistance for future digital signature applications and they are therefore, only usable for legacy applications. However, for applications where collision resistance is not required, such as in hash-functions as specified in ISO/IEC 9797‑2, or in key derivation functions specified in ISO/IEC 11770‑6, their use is not deprecated. Numerical examples for dedicated hash-functions specified in this document are given in Annex B as additional information. For information purposes, SHA-3 extendable-output functions are specified in Annex C.

  • Standard
    398 pages
    English language
    sale 15% off
ISO
ISO/IEC 29147:2018(Main)
Information technology — Security techniques — Vulnerability disclosure

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides: — guidelines on receiving reports about potential vulnerabilities; — guidelines on disclosing vulnerability remediation information; — terms and definitions that are specific to vulnerability disclosure; — an overview of vulnerability disclosure concepts; — techniques and policy considerations for vulnerability disclosure; — examples of techniques, policies (Annex A), and communications (Annex B). Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111. This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.

  • Standard
    32 pages
    English language
    sale 15% off
  • Standard
    34 pages
    French language
    sale 15% off
ISO
ISO/IEC TS 19608:2018(Main)
Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This document provides guidance for: — selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII); — the procedure to define both privacy and security functional requirements in a coordinated manner; and — developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2. The intended audience for this document are: — developers who implement products or systems that deal with PII and want to undergo a security evaluation of those products using ISO/IEC 15408. They will get guidance how to select security functional requirements for the Security Target of their product or system that map to the privacy principles defined in ISO/IEC 29100; — authors of Protection Profiles that address the protection of PII; and — evaluators that use ISO/IEC 15408 and ISO/IEC 18045 for a security evaluation. This document is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this document and ISO/IEC 15408, the latter, as a normative standard, takes precedence.

  • Technical specification
    48 pages
    English language
    sale 15% off
ISO
ISO/IEC 27050-2:2018(Main)
Information technology — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery

This document provides guidance for technical and non-technical personnel at senior management levels within an organization, including those with responsibility for compliance with statuary and regulatory requirements, and industry standards. It describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.

  • Standard
    9 pages
    English language
    sale 15% off