© Crown Copyright (2000)
Module 3.1
Evaluation Process
“You Are Here”
M3.1 Evaluation Process
M3.2 Evaluation Management
MODULE 3 - SCHEME RULES AND PROCEDURES
People Involved
• Sponsor
• Developer
• Evaluator
• Certification Body
• Accreditor
Role of Sponsor
• Pay for the evaluation
• Sponsor may also be the developer
• Point of contact between CLEF and Developer
• Produce/Help in production of deliverables
• Resolution of Problem Reports
Role of Developer
• Provision of TOE
• Design/Development Documentation
• Guidance Documents
• Support during evaluator testing
• Support during Development Environment Assessment
• Resolution of Problem Reports
Role of Evaluator
• Assess evaluation deliverables to identify whether they meet criteria requirements
• Assess, through the deliverables provided for the appropriate level of assurance, whether the TOE meets the security requirements specified in the Security Target
Role of Certification Body
• Oversight of evaluations conducted under UK Scheme
• Guidance on evaluation methodology
• Provide Certification Report/Certificate
Role of Accreditor
• Responsibility for granting authority to operate a system processing protectively marked data
• Mandates security requirements of system and level of assurance required
• May use results of an evaluation on which to base decision to grant Accreditation
Evaluation Process
• Preparation Phase
• Conduct Phase
• Conclusion Phase
Preparation Phase
• Inputs
– Security Target
– Certification Body Questionnaire
– UKSP 06 Entry
• Task Start-Up Meeting
• Outputs
– Acceptance into Scheme
Conduct Phase
• Inputs
– Deliverables
• Evaluation Progress Meetings
• Outputs
– Observation Reports
– Work Package Reports
Conduct Phase - Deliverables
• Deliverables List
• Schedule
• Management
– under configuration control
– timescales and impact on evaluation
Conduct Phase - Evaluation Progress Meetings
• Standard Agenda
• Who attends
• Purpose:
– discuss issues affecting evaluation progress or results
– keep all parties informed of progress
Conduct Phase - Observation Reports
• Types
– Level 1
– Level 2
– Level 3
– Level 4
• Raised by Evaluators and sent to:
– CB, Developer, Sponsor
• May force change to TOE or deliverables
Conduct Phase - Work Package Reports
• One for each Work Package (Activity)
• Results of evaluator actions
– Evidence of why the conclusion was reached
• Observation Reports
– identify where an observation report has been raised
– provide justification for satisfactory resolution
Conclusion Phase
• Evaluation Technical Report
– includes Work Package Reports
– main input into Certification process
• Certification Report/Certificate
– summary of evaluation results
– recommendations for use
• UKSP 06 Entry
– update to indicate result of evaluation
Certification Process
• Results from ETR
– discuss any concerns/queries with CLEF
• Outstanding Observation Reports
• Constraints/Limitations of evaluation
• Report to Accreditor, if required
CLEF Quality Manual
• UKAS - Categories 0 and 1
• Procedures, minimum:
– Review of evaluation outputs
– Handling of evaluation items
– Records
– Handling of Complaints/Anomalies
– Security (covered in later slide)
– Site Testing
CLEF Security Manual
• Security Operating Procedures:
– Task separation: need to know principle
– Document security: Storage of deliverables and results
– Physical security: access to CLEF/Task Cells
Summary - 1
• Security Target - (Developer/Sponsor)
• Deliverables - (Sponsor/Developer)
• Observation Reports - (Evaluator)
• Evaluation Technical Report (Evaluator)
• Certification Report/Certificate (CB)
Further Reading
• UKSP 01
• UKSP 04 Part 1
• UKSP 05 Part 1
• CEM Part 2, Chapter 2