Re: Could ST authors free to craft the organisational security policies?
The PP or ST author is free to postulate the organizational policies with
which the TOE is to comply. This is required when the PP or
ST is being written, not for a specific organization but for more general
use. In the latter case, the PP or ST will present the policies
that the PP/ST author feels are typically applied and that have been
addressed in the development of the PP or ST.
When the PP or ST is written for an organization that has defined
policies, then of course the PP/ST should reflect these policies in order
to be appropriate for that organization.
Cheers,
Gary
At 01:48 PM 12/25/2002, YOKOTA HIROFUMI wrote:
CEM para.323 says:
--------------------------
The evaluator determines that organisational security policy statements
are made in terms of rules, practices or guidelines that must be followed
by the TOE or its environment, as laid down by the organisation
controlling the environment in which the TOE is to be used.
An example organisational security policy is a requirement for password
generation and encryption to conform to a standard stipulated
by a national government.
-----------------------
I do not see any hints here that ST authors can craft
organisational security policies arbitrarily by their own free will.
The policies should be derived from some existing rules, practices or
guidelines of some existing organisations in which the TOE is to be used.
Am I right in this understanding?
Or, could ST authors be free to craft the organisational security policies
in place of threats, irrespective of any rules, practices or guidelines
laid down by some organisations?
Thanks for your help.
Regards,
Yokota
**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20877-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
**************************************************************************