Re: How to write assumptions
- Subject: Re: How to write assumptions
- From: "NIAP Interpretations Board" <email@example.com>
- Date: Thu, 22 May 2003 15:22:46 -0700
- Content-description: Mail message body
- Content-transfer-encoding: 7BIT
- Content-type: text/plain; charset=US-ASCII
- Priority: normal
- Reply-to: firstname.lastname@example.org
The CC is lacking in specific guidance on what sorts of assumptions are to be
used. Must the assumptions be restricted to those related to IT? Are they
assumptions made about the TOE, or assumptions that the TOE makes (about its
The NIB believes that the assumptions are not those about the TOE, because that
is what gets verified as part of the evaluation. Therefore, the assumptions
stated should only be those that the TOE makes about its environment.
The IT assumptions that the TOE makes about its environment would result in
security objectives for the environment.
The non-IT assumptions that the TOE makes about its environment are those that
affect the stated threats, which are those that the TOE is designed to address.
Date Index |
Thread Index |
Problems or questions? Contact email@example.com