Module 3.2 Evaluation Management

Module 3.2
Evaluation Management
© Crown Copyright (2000)
“You Are Here”
MODULE 3 - SCHEME RULES AND PROCEDURES
• M3.1 Evaluation Process
• M3.2 Evaluation Management
Evaluation Management
• Preparation Phase
• Conduct Phase
• Conclusion Phase
Preparation Phase - Inputs
• Definition of Target of Evaluation
– Scope, boundaries, interfaces, composites, etc.
• What evaluation level is required?
• Technical expertise required?
(Diagram: TOE → Evaluation Planning)
Preparation Phase - Suitability
• CLEF/CB may review ST for suitability
• Check Sponsor and Developer have full understanding of:
– the evaluation process
– the role of the CLEF
– their responsibilities throughout evaluation
Preparation Phase - TIN
• May be combined with EWP
• Task Identification
• Sponsor and Developer Details
• Description of TOE
• Summary of Security Requirements
• Timescales
• Staffing
• Contacts
Preparation Phase - EWP
• May be combined with TIN
• Evaluation methodology
– CEM/ITSEC
– Interpretations
• Evaluation effort for each activity
• Constraints
• Limitations
Preparation Phase - UKSP06 Entry & CB Questionnaire
Task Start-up Meeting
• Objective
• Attendees
• Timing
• Agenda
Preparation Phase - Outputs
(Diagram: Evaluation Planning)
• TIN
• EWP
• Security Target
• UKSP 06 Entry
• CB Questionnaire
Conduct Phase - Inputs
(Diagram: Task Conduct)
• TIN / EWP
• Security Target
• Deliverables Schedule
• TOE Deliverables
Conduct Phase - Reporting Progress
• Evaluation Progress Meeting (EPM)
• ETR Production
– Draft annexes (activity reports, glossary, list of deliverables etc.)
• Observation Report Status Register
Evaluation Progress Meetings
• Objective
• Attendees
• Timing
• Agenda
Observation Report Status - 1
• AGR - Corrective Action Agreed
• CAP - Certifier Action Pending
• CLR - Cleared
• FIX - Fix to be evaluated by CLEF
• ISS - Issued to the Certifier
Observation Report Status - 2
• PRO - Corrective Action Proposed
• REJ - Corrective Action Rejected
• REL - Released to the Sponsor / Developer
• WDN - Problem Report Withdrawn
Conduct Phase - Observation Reports
• Content (Level 1 and Level 2)
– Identifier
– Severity Level
– Evaluation Activity where raised
– Observation
– Organisation responsible for resolution
– Timescale for resolution
Conduct Phase - Issues
• Maintain Independence
• Comply with UKAS Requirements
• Comply with Methodology Requirements
Conduct Phase - Outputs
(Diagram: Task Conduct)
• Work Package Reports
• Observation Reports
• Scheme Observation Reports
Conclusion Phase
• Evaluation Technical Report (ETR)
• Certificate and Certification Report
• Task Closedown
Assurance Maintenance (CMS)
• Additional Evaluation Task
• See Module 2.8 for more details
ITSEC v. CC
• Main difference is work breakdown
• ITSEM/UK SP 05 specify mandatory requirements
• CEM defines Work Units
Summary
• Three Phases to Evaluation Management
– Preparation Phase
– Conduct Phase
– Conclusion Phase
• Covers whole evaluation
• Terminology difference between ITSEC & CC
Further Reading
• UKSP 01
• UKSP 04 Part 1
• UKSP 05 Part 1
• CEM Part 2, Chapter 2
Exercise - Planning
• Given the ITT on the handouts, please prepare a TIN and EWP for the task