Security Target

Common Criteria for Information Technology Security Evaluation, version 3.1 Part 1 (Called “CC 3.1” or “CC”) [1] defines the Security Target (ST) as an “implementation-specific statement of security needs for a specific identified Target of Evaluation (TOE)”. In other words, the ST defines boundary and specifies the details of the TOE. In a product evaluation process according to the CC the ST document is provided by the vendor of the product.

An ST defines information assurance security and functional requirements for the given information system product, which is called the Target of Evaluation (TOE). An ST is a complete and rigorous description of a security problem in terms of TOE description, threats, assumptions, security objectives, security functional requirements (SFRs), security assurance requirements (SARs), and rationales. The SARs are typically given as a number 1 through 7 called Evaluation Assurance Level (EAL), indicating the depth and rigor of the security evaluation, usually in the form of supporting documentation and testing, that the product meets the SFRs.

An ST contains some (but not very detailed) implementation-specific information that demonstrates how the product addresses the security requirements. It may refer to one or more Protection Profiles (PPs). In such a case, the ST must fulfill the generic security requirements given in each of these PPs, and may define further requirements.

Security Target Outline

1. Introduction  – an overview of what the TOE does, including key features and purpose.

2. Conformance Claims  – identifies conformance claims for the TOE evaluation.

3. Security Problem Definition  - describes the threats and assumptions about the operational environment. Objective is to demonstrate the security problem intended to be addressed by the TOE and its operational environment.

4. Security Objectives  – a concise and abstract statement of the intended solution to the problem specified by the security problem definition. Each security objective must trace back to at least one threat or OSP.

5. Extended Components Definition  – the extended components must consist of measurable and objective elements where conformance can be demonstrated.
6. Security Requirements  - defines and describes the SFRs from CC Part 2 and SARs from CC Part 3.

7.TOE Summary Specifications - enables evaluators and potential consumers to gain a general understanding of how the TOE is implemented.

See also

References

This article is issued from Wikipedia - version of the 10/25/2013. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.