Information technology — Security techniques — Guide for the production of Protection Profiles and Security Targets

ISO/IEC TR 15446:2009 provides guidance relating to the construction of Protection Profiles (PPs) and Security Targets (STs) that are intended to be compliant with the third edition of ISO/IEC 15408. It is also applicable to PPs and STs compliant with Common Criteria Version 3.1, a technically identical standard published by the Common Criteria Management Board, a consortium of governmental organizations involved in IT security evaluation and certification. ISO/IEC TR 15446:2009 is not intended as an introduction to evaluation using ISO/IEC 15408. Readers who seek such an introduction should consult ISO/IEC 15408-1. ISO/IEC TR 15446:2009 does not deal with associated tasks beyond PP and ST specifications such as PP registration and the handling of protected intellectual property.

Technologies de l'information — Techniques de sécurité — Guide pour la production de profils de protection et de cibles de sécurité

General Information

Status: Withdrawn
Publication Date: 23-Feb-2009
Withdrawal Date: 10-Oct-2017 (the withdrawal stage below was opened and completed on this date; the 23-Feb-2009 value shown on the original listing is the publication date repeated in error)
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 10-Oct-2017
Completion Date: 10-Oct-2017

Buy Standard

Technical report
ISO/IEC TR 15446:2009 - Information technology -- Security techniques -- Guide for the production of Protection Profiles and Security Targets
English language
81 pages

Standards Content (sample)

TECHNICAL REPORT ISO/IEC TR 15446
Second edition
2009-03-01
Information technology — Security techniques — Guide for the production of Protection Profiles and Security Targets
Technologies de l'information — Techniques de sécurité — Guide pour la production de profils de protection et de cibles de sécurité
Reference number ISO/IEC TR 15446:2009(E)
© ISO/IEC 2009
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2009

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Purpose and structure of this technical report
6 An overview of PPs and STs
6.1 Introduction
6.2 Audience
6.3 The use of PPs and STs
6.3.1 Introduction
6.3.2 Specification-based purchasing processes
6.3.3 Selection-based purchasing processes
6.3.4 Other uses of PPs
6.4 The PP/ST development process
6.5 Reading and understanding PPs and STs
6.5.1 Introduction
6.5.2 Reading the TOE overview
6.5.3 Reading the TOE description
6.5.4 Security objectives for the operational environment
6.5.5 Reading the conformance claim
6.5.6 Conformance to Protection Profiles
6.5.7 EALs and other assurance issues
6.5.8 Summary
6.5.9 Further reading
7 Specifying the PP/ST introduction
8 Specifying conformance claims
9 Specifying the security problem definition
9.1 Introduction
9.2 Identifying the informal security requirement
9.2.1 Introduction
9.2.2 Sources of information
9.2.3 Documenting the informal requirement
9.3 How to identify and specify threats
9.3.1 Introduction
9.3.2 Deciding on a threat analysis methodology
9.3.3 Identifying participants
9.3.4 Applying the chosen threat analysis methodology
9.3.5 Practical advice
9.4 How to identify and specify policies
9.5 How to identify and specify assumptions
9.6 Finalising the security problem definition
10 Specifying the security objectives
10.1 Introduction
10.2 Structuring the threats, policies and assumptions
10.3 Identifying the non-IT operational environment objectives
10.4 Identifying the IT operational environment objectives
10.5 Identifying the TOE objectives
10.6 Producing the objectives rationale
11 Specifying extended component definitions
12 Specifying the security requirements
12.1 Introduction
12.2 The security paradigms in ISO/IEC 15408
12.2.1 Explanation of the security paradigms and their usage for modelling the security functionality
12.2.2 Controlling access to and use of resources and objects
12.2.3 User management
12.2.4 TOE self protection
12.2.5 Securing communication
12.2.6 Security audit
12.2.7 Architectural requirements
12.3 How to specify security functional requirements in a PP or ST
12.3.1 How should security functional requirements be selected?
12.3.2 Selecting SFRs from ISO/IEC 15408-2
12.3.3 How to perform operations on security functional requirements
12.3.4 How should the audit requirements be specified?
12.3.5 How should management requirements be specified?
12.3.6 How should SFRs taken from a PP be specified?
12.3.7 How should SFRs not in a PP be specified?
12.3.8 How should SFRs not included in Part 2 of ISO/IEC 15408 be specified?
12.3.9 How should the SFRs be presented?
12.3.10 How to develop the security requirements rationale
12.4 How to specify assurance requirements in a PP or ST
12.4.1 How should security assurance requirements be selected?
12.4.2 How to perform operations on security assurance requirements
12.4.3 How should SARs not included in Part 3 of ISO/IEC 15408 be specified in a PP or ST?
12.4.4 Security assurance requirements rationale
13 The TOE summary specification
14 Specifying PP/STs for composed and component TOEs
14.1 Composed TOEs
14.2 Component TOEs
15 Special cases
15.1 Low assurance Protection Profiles and Security Targets
15.2 Conforming to national interpretations
15.3 Functional and assurance packages
16 Use of automated tools
Annex A (informative) Example for the definition of an extended component
Bibliography
Index
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report of one of the following types:

— type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts;
— type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement on an International Standard;
— type 3, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example).

Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC TR 15446, which is a Technical Report of type 3, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition cancels and replaces the first edition (ISO/IEC TR 15446:2004), which has been technically revised.
Introduction

This Technical Report is an adjunct to ISO/IEC 15408 Information technology — Security techniques — Evaluation criteria for IT security. ISO/IEC 15408 introduces the concepts of Protection Profiles (PPs) and Security Targets (STs). A Protection Profile is an implementation-independent statement of security needs for a type of IT product that can then be evaluated against ISO/IEC 15408, whereas a Security Target is a statement of security needs for a specific ISO/IEC 15408 target of evaluation (TOE).

Unlike previous editions, the third edition of ISO/IEC 15408 provides a comprehensive explanation of what needs to go into a PP or ST. However, the third edition of ISO/IEC 15408 still does not provide any explanation or guidance of how to go about creating a PP or ST, or how to use a PP or ST in practice when specifying, designing or implementing secure systems.

This Technical Report is intended to fill that gap. It represents the collective experience over many years from leading experts in ISO/IEC 15408 evaluation and the development of secure IT products.
Information technology — Security techniques — Guide for the production of Protection Profiles and Security Targets

1 Scope

This Technical Report provides guidance relating to the construction of Protection Profiles (PPs) and Security Targets (STs) that are intended to be compliant with the third edition of ISO/IEC 15408. It is also applicable to PPs and STs compliant with Common Criteria Version 3.1 [1], a technically identical standard published by the Common Criteria Management Board, a consortium of governmental organizations involved in IT security evaluation and certification.

This Technical Report is not intended as an introduction to evaluation using ISO/IEC 15408. Readers who seek such an introduction should read Part 1 of ISO/IEC 15408.

This Technical Report does not deal with associated tasks beyond PP and ST specifications such as PP registration and the handling of protected intellectual property.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 15408-1:— 1), Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model
ISO/IEC 15408-2:2008, Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components
ISO/IEC 15408-3:2008, Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components
ISO/IEC 18045:2008, Information technology — Security techniques — Methodology for IT security evaluation

1) To be published. Technical revision of ISO/IEC 15408-1:2005.

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1:— apply.

4 Abbreviations

For the purposes of this document, the abbreviations given in ISO/IEC 15408-1:— and the following apply.

COTS  Commercial Off The Shelf
CRL  Certificate Revocation List
LDAP  Lightweight Directory Access Protocol
SPD  Security Problem Definition
SSL  Secure Sockets Layer
TLS  Transport Layer Security
5 Purpose and structure of this technical report

This Technical Report is intended to help people who have to prepare Protection Profiles (PPs) or Security Targets (STs) for use in evaluation against the third edition of ISO/IEC 15408. It provides detailed guidance relating to the various parts of a PP or ST, and how they interrelate.

This Technical Report applies only to the third edition of ISO/IEC 15408. Earlier versions of ISO/IEC 15408 have different and incompatible technical requirements. However, the strategies proposed in this Technical Report will, in the main, also be applicable to earlier versions of ISO/IEC 15408.

This Technical Report is primarily aimed at those who are involved in the development of PPs and STs. It will also be of interest to consumers and users of PPs and STs who wish to understand the contents of PPs and STs developed by others, and wish to confirm the relevance and accuracy of the information that they contain. It is also likely to be useful to evaluators of PPs and STs and to those who are responsible for monitoring PP and ST evaluation.

It is assumed that readers of this Technical Report are familiar with ISO/IEC 15408-1, and in particular Annexes A and B which describe STs and PPs respectively. PP and ST authors will (of course) need to become familiar with the other parts of ISO/IEC 15408 as described in this Report, including introductory material such as the functional requirements paradigm described in ISO/IEC 15408-2:2008, Clause 5.

This Technical Report is intended for guidance only. It should not be cited as a Standard on the content or structure for the evaluation of PPs and STs. It is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this Technical Report and ISO/IEC 15408, the latter as a normative Standard takes precedence.

Clauses 1 to 4 contain introductory and reference material, and are followed by this overview clause (Clause 5).

Clause 6 provides an introduction to Protection Profiles and Security Targets: what they are, when and why they might be used. This clause also discusses the relationship between PPs and STs and issues relating to the PP/ST development process.

Clauses 7 to 13 provide information on how to specify the seven mandatory parts of the contents of a PP or ST, following the order outlined in ISO/IEC 15408-1:—, clauses A.2 and B.2.

Clause 14 examines the issues specific to PPs and STs for composed TOEs, i.e. TOEs that are composed of two or more component TOEs, each of which has its own PP or ST.

Clause 15 deals with some special cases, namely the reduced PP/ST contents permitted for low assurance, conforming to national restrictions and interpretations, and the use of functional and assurance packages.

Clause 16 discusses the topic of use of automated tools in PP/ST development.
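Of the seven mandatory parts, the one that an automated tool can check most mechanically is the tracing that the objectives rationale (the TR's Clause 10.6) has to justify: every threat, policy and assumption in the security problem definition must be addressed by at least one security objective, no objective may exist without a reason in the SPD, and an assumption can only be upheld by an objective for the operational environment, never by an objective for the TOE. Those rules come from ISO/IEC 15408-1, not from the extract of the TR shown here. The checker below is an added example of the kind of tool Clause 16 refers to; it is not code from the Technical Report, and the SPD, the objectives and their identifiers (T.*, P.*, A.*, O.*, OE.*) are constructed for illustration only.

```python
"""Added example: a consistency check for the security objectives rationale
of a PP or ST. The data model, the identifiers and the sample SPD below are
constructed for illustration and are not taken from any published PP or ST."""
from __future__ import annotations

from dataclasses import dataclass

# Objective kinds: an objective is either for the TOE or for its operational environment.
TOE = "TOE"
ENV = "ENV"


@dataclass
class SecurityProblemDefinition:
    """The three kinds of element a PP/ST security problem definition states."""
    threats: set[str]
    policies: set[str]      # organisational security policies (OSPs)
    assumptions: set[str]


@dataclass
class Objectives:
    """Security objectives plus the tracing that the objectives rationale justifies."""
    kinds: dict[str, str]         # objective id -> TOE or ENV
    traces: dict[str, set[str]]   # objective id -> SPD element ids it counters/enforces/upholds


def check_objectives_rationale(spd: SecurityProblemDefinition,
                               objs: Objectives) -> list[str]:
    """Return findings; an empty list means the tracing is complete and well-formed.

    Rules applied (ISO/IEC 15408-1):
      - every threat, OSP and assumption is addressed by at least one objective;
      - every objective traces back to the SPD (no objective without a reason);
      - an assumption is upheld only by an objective for the operational
        environment, never by a TOE objective.
    """
    findings: list[str] = []
    spd_ids = spd.threats | spd.policies | spd.assumptions
    covered: set[str] = set()

    for obj, targets in objs.traces.items():
        kind = objs.kinds.get(obj)
        if kind not in (TOE, ENV):
            findings.append(f"{obj}: objective has no kind (TOE or ENV) declared")
        if not targets:
            findings.append(f"{obj}: objective traces to nothing in the SPD")
        for target in sorted(targets):
            if target not in spd_ids:
                findings.append(f"{obj}: traces to {target}, which is not in the SPD")
                continue
            covered.add(target)
            if target in spd.assumptions and kind == TOE:
                findings.append(
                    f"{obj}: a TOE objective cannot uphold assumption {target}")

    for missing in sorted(spd_ids - covered):
        what = ("threat" if missing in spd.threats
                else "policy" if missing in spd.policies else "assumption")
        findings.append(f"{missing}: {what} is not addressed by any objective")
    return findings


# Constructed sample SPD for a hypothetical access-control product.
SPD_EXAMPLE = SecurityProblemDefinition(
    threats={"T.UNAUTH_ACCESS", "T.TAMPER_AUDIT"},
    policies={"P.ACCOUNTABILITY"},
    assumptions={"A.PHYSICAL", "A.TRUSTED_ADMIN"},
)

# A complete rationale: every SPD element traced, assumptions only by OE.* objectives.
GOOD_OBJECTIVES = Objectives(
    kinds={"O.ACCESS": TOE, "O.AUDIT": TOE, "O.AUDIT_PROTECT": TOE,
           "OE.PHYSICAL": ENV, "OE.ADMIN": ENV},
    traces={"O.ACCESS": {"T.UNAUTH_ACCESS"},
            "O.AUDIT": {"P.ACCOUNTABILITY"},
            "O.AUDIT_PROTECT": {"T.TAMPER_AUDIT"},
            "OE.PHYSICAL": {"A.PHYSICAL"},
            "OE.ADMIN": {"A.TRUSTED_ADMIN"}},
)

# Three typical authoring mistakes: a TOE objective "upholding" an assumption,
# an objective with no trace at all, and an assumption that nobody addresses.
BAD_OBJECTIVES = Objectives(
    kinds={"O.ACCESS": TOE, "O.AUDIT": TOE, "O.AUDIT_PROTECT": TOE,
           "O.CRYPTO": TOE, "OE.ADMIN": ENV},
    traces={"O.ACCESS": {"T.UNAUTH_ACCESS", "A.TRUSTED_ADMIN"},
            "O.AUDIT": {"P.ACCOUNTABILITY"},
            "O.AUDIT_PROTECT": {"T.TAMPER_AUDIT"},
            "O.CRYPTO": set(),
            "OE.ADMIN": {"A.TRUSTED_ADMIN"}},
)

if __name__ == "__main__":
    for label, objs in (("good", GOOD_OBJECTIVES), ("bad", BAD_OBJECTIVES)):
        print(label, check_objectives_rationale(SPD_EXAMPLE, objs) or ["ok"])
```

The same shape of check extends to the security requirements rationale (the TR's Clause 12.3.10): replace the SPD elements with TOE objectives and the objectives with SFRs, and the completeness and no-dangling-element rules carry over unchanged.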
6 An overview of PPs and STs

6.1 Introduction

This clause provides an overview of the roles of PPs and STs in information security evaluation using ISO/IEC 15408.

6.2 Audience

This Technical Report is intended for use by two distinct audiences:

a) IT professionals with security knowledge (e.g. security officers/architects with an understanding of a security requirement) but who are not experts in information security evaluation, and who have no prior knowledge of ISO/IEC 15408;

b) Experts in information security with good knowledge of ISO/IEC 15408, who are engaged in developing PPs and STs as part of their professional activities.

If you fall into the former category, this clause should provide you with the information you need to understand the purpose and structure of PPs and STs. It should also provide you with the background information you will need to read and understand PPs and STs, and to identify their relevance and correctness with respect to your particular circumstances. Following clauses will explain the contents of each part of PPs and STs in detail, but are oriented towards the production of such documents and assume knowledge of ISO/IEC 15408.

If you are an expert, you should already be familiar with the contents of this clause. Subsequent clauses will provide you with methodologies, techniques and practical tips that you can use to prepare PPs and STs in an efficient yet consistent manner.

If you are not an expert in information security, and you need to produce a PP or ST, this Technical Report will help you do so. However, you will also need to find, read and understand published examples of PPs or STs similar to your requirement. You should also consider calling on the services of others who do have the necessary specialist knowledge and experience.

6.3 The use of PPs and STs

6.3.1 Introduction

The main use of ISO/IEC 15408 is to assess the security of IT products. The term “IT product” is never actually defined in ISO/IEC 15408; however, it can be understood to cover any type of entity built using information technology, whether a complete IT system used exclusively by one organisation, or a COTS package created by a product manufacturer for sale to many different and unrelated customers. In this Technical Report, when we talk about IT products, or just products, our advice is intended to apply to all such entities. Where the scope of our advice is limited to a particular type of product, we talk about systems, or COTS products, or some other explicitly specific wording.

As IT products may be used in many ways, and in many types of environment, the notion of security will vary with the product. The end result of an ISO/IEC 15408 evaluation is therefore never “this IT product is secure”, but is always “this IT product meets this security specification”.

ISO/IEC 15408 standardises security specifications in order to (among other things):

- mandate specific content needed to assess a product against the security specification;
- allow comparison of security specifications of different products.
ISO/IEC 15408 recognises two different types of security specifications: Protection Profiles (PPs) and Security Targets (STs). The difference between these two is best explained by the roles they are intended to play in a typical product purchasing process, where a customer seeks to buy a product from a developer.

The notions of customer, developer and product are deliberately kept abstract. A customer is someone who wants to buy a product. It can be a single individual, an organization, a group of organizations, a government department etc. A developer is someone who wants to sell a product. It can be a single programmer, a small company, a large company, a group of companies working together etc. Finally, a product could be anything from a small software application or a smart card to a large operating system or a complete computer system containing hundreds of distinct components.

When our customer wishes to buy a product, he has essentially two possibilities:

- The customer contacts a developer, specifies his needs, and the developer creates a product that is specifically targeted towards that customer and exactly fulfils the demands of that customer. This may be expensive but the customer gets what he wants. In the remainder of this section, we will call this a specification-based purchasing process.

- The customer selects a product from a number of existing products. This is probably cheaper, but the resulting product may or may not exactly fulfil the customer’s needs. In the remainder of this section we will call this a selection-based purchasing process.

When IT security is important, these purchasing processes have an added difficulty. For the average customer it is:

- hard to define what kind of IT security he needs;
- harder to determine whether the IT security that a given product claims to have is useful or sufficient to meet his needs;
- and even harder
...
