From: Jeff Newton (Jeff_Newton@pmc-sierra.com)
Date: Tue Oct 16 2001 - 12:24:59 CDT


    I'm trying to get some perspective to better understand the practical
    uses of the Common Criteria.

    I could be wrong, but this is how I understand it:

    Using a practical example, a Protection Profile could be "Enterprise
    Firewall Security". The PP would comprise sets (packages or classes) of
    security functional requirements from Part 2 of the CC. A package
    example would be "Security Audit" which contains a number of functions
    including "Restricted Audit Trail Access". The Target of Evaluation
    (TOE) in this example could be a specific vendor's firewall product.
    Depending on the outcome of the independent evaluation, the product
    would be issued an Evaluation Assurance Level (EAL).

    The docs refer to Security Targets (ST) but as far as I can tell they
    are defined similarly to Protection Profiles (PP). If I am wrong, where
    do STs fit in?

    I know there is more to the CC than my simple example so perhaps someone
    can attempt to demystify the topic, using a different example?

    Cheers,

    -- 
    Jeff Newton