© Crown Copyright (2000) Module 3.1 Evaluation Process
Mar 28, 2015
© Crown Copyright (2000)
Module 3.1
Evaluation Process
“You Are Here”
M3.1 Evaluation Process
M3.2 Evaluation Management
MODULE 3 - SCHEME RULES AND PROCEDURES
People Involved
• Sponsor
• Developer
• Evaluator
• Certification Body
• Accreditor
Role of Sponsor
• Pay for the evaluation
• Sponsor may also be the developer
• Point of contact between CLEF and Developer
• Produce/Help in production of deliverables
• Resolution of Problem Reports
Role of Developer
• Provision of TOE
• Design/Development Documentation
• Guidance Documents
• Support during evaluator testing
• Support during Development Environment Assessment
• Resolution of Problem Reports
Role of Evaluator
• Assess evaluation deliverables to identify whether they meet criteria requirements
• Assess, through the deliverables provided for the appropriate level of assurance, whether the TOE meets the security requirements specified in the Security Target
Role of Certification Body
• Oversight of evaluations conducted under UK Scheme
• Guidance on evaluation methodology
• Provide Certification Report/Certificate
Role of Accreditor
• Responsibility for granting authority to operate a system processing protectively marked data
• Mandates security requirements of system and level of assurance required
• May use results of an evaluation on which to base decision to grant Accreditation
Evaluation Process
PreparationPhase
Conduct Phase
ConclusionPhase
Preparation Phase
• Inputs– Security Target– Certification Body Questionnaire – UKSP 06 Entry
• Task Start-Up Meeting
• Outputs– Acceptance into Scheme
Conduct Phase
• Inputs– Deliverables
• Evaluation Progress Meetings
• Outputs– Observation Reports– Work Package Reports
Conduct Phase - Deliverables
• Deliverables List
• Schedule
• Management– under configuration control– timescales and impact on evaluation
Conduct Phase - Evaluation Progress Meetings
• Standard Agenda
• Who attends
• Purpose:– discuss issues affecting evaluation progress or
results– keep all parties informed of progress
Conduct Phase - Observation Reports
• Types– Level 1
– Level 2
– Level 3
– Level 4
• Raised by Evaluators and sent to:– CB, Developer, Sponsor
• May force change to TOE or deliverables
Conduct Phase - Work Package Reports
• One for each Work Package (Activity)
• Results of evaluator actions– Evidence of why the conclusion was reached
• Observation Reports– identify where an observation report has been
raised– provide justification for satisfactory resolution
Conclusion Phase
• Evaluation Technical Report– includes Work Package Reports– main input into Certification process
• Certification Report/Certificate– summary of evaluation results– recommendations for use
• UKSP06 Entry– update to indicate result of evaluation
Certification Process
• Results from ETR– discuss any concerns/queries with CLEF
• Outstanding Observation Reports
• Constraints/Limitations of evaluation
• Report to Accreditor, if required
CLEF Quality Manual
• UKAS - Categories 0 and 1
• Procedures, minimum:– Review of evaluation outputs– Handling of evaluation items– Records– Handling of Complaints/Anomalies– Security (covered in later slide)– Site Testing
CLEF Security Manual
• Security Operating Procedures:– Task separation: need to know principle– Document security: Storage of deliverables and
results– Physical security: access to CLEF/Task Cells
Summary - 1
• Security Target - (Developer/Sponsor)
• Deliverables - (Sponsor/Developer)
• Observation Reports - (Evaluator)
• Evaluation Technical Report (Evaluator)
• Certification Report/Certificate (CB)
Further Reading
• UKSP 01
• UKSP 04 Part 1
• UKSP 05 Part 1
• CEM Part 2, Chapter 2