From: Trey F. Henefield (trey@SECULAB.com)
Date: Mon Oct 22 2001 - 12:24:58 CDT


    A Protection Profile is a document that specifies a set of IT security
    requirements and the intended environment for a general type of
    system/product (i.e. PKI Protection Profile).

    A Security Target is a document constructed similarly as the PP, yet
    directed towards a specific product (i.e. Entrust CA version x.x
    Security Target).

    If a PP currently exists that describes the requirements and environment
    needed for a specific product, then the Security Target of this product
    may comply with the Protection Profile and use its structure within the
    Security Target.
    This often helps ease the need for establishing a new profile for each
    product. A product may use the structure of a PP and then tailor the
    requirements to fit the product specifically.

    A TOE is merely a product that has been or is currently being evaluated.

    I hope this clears things up a bit.

    -----Original Message-----
    From: Jeff Newton [mailto:Jeff_Newton@pmc-sierra.com]
    Sent: Tuesday, October 16, 2001 12:25 PM
    To: CISSPStudy_1@yahoogroups.com; cisspstudy@securityfocus.com
    Subject: Common Criteria - prospective needed

    I'm trying to get some perspective to better understand the practical
    uses of the Common Criteria.

    I could be wrong, but this is how I understand it:

    Using a practical example, a Protection Profile could be "Enterprise
    Firewall Security". The PP would comprise sets (packages or classes) of
    security functional requirements from Part 2 of the CC. A package
    example would be "Security Audit" which contains a number of functions
    including "Restricted Audit Trail Access". The Target of Evaluation
    (TOE) in this example could be a specific vendor's firewall product.
    Depending on the outcome of the independent evaluation, the product
    would be issued an Evaluation Assurance Level (EAL).

    The docs refer to Security Targets (ST) but as far as I can tell they
    are defined similarly to Protection Profiles (PP). If I am wrong, where
    do STs fit in?

    I know there is more to the CC than my simple example so perhaps someone
    can attempt to demystify the topic, using a different example?

    Cheers,

    -- 
    Jeff Newton