Re: How to write assumptions



The CC is lacking in specific guidance on what sorts of assumptions are to be 
used. Must the assumptions be restricted to those related to IT? Are they 
assumptions made about the TOE, or assumptions that the TOE makes (about its 
environment)? 

The NIB believes that the assumptions are not those about the TOE, because that 
is what gets verified as part of the evaluation. Therefore, the assumptions 
stated should only be those that the TOE makes about its environment.

The IT assumptions that the TOE makes about its environment would result in 
security objectives for the environment. 

The non-IT assumptions that the TOE makes about its environment are those that 
affect the stated threats, which are those that the TOE is designed to address. 




