© Crown Copyright (2000)
Module 3.2
Evaluation Management
“You Are Here”
M3.1 Evaluation Process
M3.2 Evaluation Management
MODULE 3 - SCHEME RULES AND PROCEDURES
Evaluation Management
• Preparation Phase
• Conduct Phase
• Conclusion Phase
Preparation Phase - Inputs
• Definition of Target of Evaluation
  – Scope, boundaries, interfaces, composites, etc.
• What evaluation level is required?
• Technical expertise required?
[Diagram: Evaluation Planning, with the TOE as input]
Preparation Phase - Suitability
• CLEF/CB may review ST for suitability
• Check Sponsor and Developer have full understanding of:
  – the evaluation process
  – the role of the CLEF
  – their responsibilities throughout evaluation
Preparation Phase - TIN
• May be combined with EWP
• Task Identification
• Sponsor and Developer Details
• Description of TOE
• Summary of Security Requirements
• Timescales
• Staffing
• Contacts
Preparation Phase - EWP
• May be combined with TIN
• Evaluation methodology
  – CEM/ITSEC
  – Interpretations
• Evaluation effort for each activity
• Constraints
• Limitations
Preparation Phase - UKSP06 Entry & CB Questionnaire
Task Start-up Meeting
• Objective
• Attendees
• Timing
• Agenda
Preparation Phase - Outputs
[Diagram: Evaluation Planning, with outputs EWP, TIN, UKSP 06 Entry, Security Target and CB Questionnaire]
Conduct Phase - Inputs
[Diagram: Task Conduct, with inputs TIN / EWP, TOE Deliverables, Security Target and Deliverables Schedule]
Conduct Phase - Reporting Progress
• Evaluation Progress Meeting (EPM)
• ETR Production
  – Draft annexes (activity reports, glossary, list of deliverables, etc.)
• Observation Report Status Register
Evaluation Progress Meetings
• Objective
• Attendees
• Timing
• Agenda
Observation Report Status - 1
• AGR - Corrective Action Agreed
• CAP - Certifier Action Pending
• CLR - Cleared
• FIX - Fix to be evaluated by CLEF
• ISS - Issued to the Certifier
Observation Report Status - 2
• PRO - Corrective Action Proposed
• REJ - Corrective Action Rejected
• REL - Released to the Sponsor / Developer
• WDN - Problem Report Withdrawn
Conduct Phase - Observation Reports
• Content (Level 1 and Level 2)
  – Identifier
  – Severity Level
  – Evaluation Activity where raised
  – Observation
  – Organisation responsible for resolution
  – Timescale for resolution
Conduct Phase - Issues
• Maintain Independence
• Comply with UKAS Requirements
• Comply with Methodology Requirements
Conduct Phase - Outputs
[Diagram: Task Conduct, with outputs Work Package Reports, Observation Reports and Scheme Observation Reports]
Conclusion Phase
• Evaluation Technical Report (ETR)
• Certificate and Certification Report
• Task Closedown
Assurance Maintenance (CMS)
• Additional Evaluation Task
• See Module 2.8 for more details
ITSEC v. CC
• Main difference is work breakdown
• ITSEM/UK SP 05 specify mandatory requirements
• CEM defines Work Units
Summary
• Three Phases to Evaluation Management
  – Preparation Phase
  – Conduct Phase
  – Conclusion Phase
• Covers whole evaluation
• Terminology difference between ITSEC & CC
Further Reading
• UKSP 01
• UKSP 04 Part 1
• UKSP 05 Part 1
• CEM Part 2, Chapter 2
Exercise - Planning
• Given the ITT on the handouts, please prepare a TIN and EWP for the task