Post on 28-Mar-2015

© Crown Copyright (2000)

Module 3.2

Evaluation Management

“You Are Here”

M3.1 Evaluation Process

M3.2 Evaluation Management

MODULE 3 - SCHEME RULES AND PROCEDURES

Evaluation Management

Preparation Phase

Conduct Phase

Conclusion Phase

Preparation Phase - Inputs

• Definition of Target of Evaluation
  – Scope, boundaries, interfaces, composites, etc.

• What evaluation level is required?

• Technical expertise required?

Evaluation Planning

TOE

Preparation Phase - Suitability

• CLEF/CB may review ST for suitability

• Check Sponsor and Developer have full understanding of:
  – the evaluation process
  – the role of the CLEF
  – their responsibilities throughout evaluation

Preparation Phase - TIN

• May be combined with EWP

• Task Identification

• Sponsor and Developer Details

• Description of TOE

• Summary of Security Requirements

• Timescales

• Staffing

• Contacts

Preparation Phase - EWP

• May be combined with TIN

• Evaluation methodology
  – CEM/ITSEC
  – Interpretations

• Evaluation effort for each activity

• Constraints

• Limitations

Preparation Phase - UKSP06 Entry & CB Questionnaire

UKSP06

Task Start-up Meeting

• Objective

• Attendees

• Timing

• Agenda

Preparation Phase - Outputs

Evaluation Planning

EWP

TIN

UKSP 06 Entry

Security Target

CB Questionnaire

Evaluation Management

Preparation Phase

Conduct Phase

Conclusion Phase

Conduct Phase - Inputs

Task Conduct

TIN / EWP

TOE Deliverables

Security Target

Deliverables Schedule

Conduct Phase - Reporting Progress

• Evaluation Progress Meeting (EPM)

• ETR Production
  – Draft annexes (activity reports, glossary, list of deliverables etc.)

• Observation Report Status Register

Evaluation Progress Meetings

• Objective

• Attendees

• Timing

• Agenda

Observation Report Status - 1

• AGR - Corrective Action Agreed

• CAP - Certifier Action Pending

• CLR - Cleared

• FIX - Fix to be evaluated by CLEF

• ISS - Issued to the Certifier

Observation Report Status - 2

• PRO - Corrective Action Proposed

• REJ - Corrective Action Rejected

• REL - Released to the Sponsor / Developer

• WDN - Problem Report Withdrawn

Conduct Phase - Observation Reports

• Content (Level 1 and Level 2)
  – Identifier
  – Severity Level
  – Evaluation Activity where raised
  – Observation
  – Organisation responsible for resolution
  – Timescale for resolution

Conduct Phase - Issues

• Maintain Independence

• Comply with UKAS Requirements

• Comply with Methodology Requirements

Conduct Phase - Outputs

Task Conduct

Work Package Reports

Observation Reports

Scheme Observation Reports

Evaluation Management

Preparation Phase

Conduct Phase

Conclusion Phase

Conclusion Phase

• Evaluation Technical Report (ETR)

• Certificate and Certification Report

• Task Closedown

Assurance Maintenance (CMS)

• Additional Evaluation Task

• See Module 2.8 for more details

ITSEC v. CC

• Main difference is work breakdown

• ITSEM/UK SP 05 specify mandatory requirements

• CEM defines Work Units

Summary

• Three Phases to Evaluation Management
  – Preparation Phase
  – Conduct Phase
  – Conclusion Phase

• Covers whole evaluation

• Terminology difference between ITSEC & CC

Further Reading

• UKSP 01

• UKSP 04 Part 1

• UKSP 05 Part 1

• CEM Part 2, Chapter 2

Exercise - Planning

• Given the ITT on the handouts, please prepare a TIN and EWP for the task
