Re: Do we need explicitly stated IT security requirement for FPT_ STM?
When we have a time server ( product) to evaluate the security functions, I
see two options for defining the TOE, since the use of time values are not
necessarily for security purposes.
One is the TOE that includes:
- an application that provides reliable time information.
- I&A security function.
- audit security function.
- user data (time values) protection function.
Another one could be the TOE that includes:
- time stamps security function that provide reliable time information.
( this might be expressed by using FPT_STM or the refinement, or
explicitly stated IT security requirement )
- other ( fringe ) security functions ( I&A, audit, user data protection )
Then, which TOE could be preferable for the evaluation?
Does this selection purely depend on the customers strategy?
Or, is this an area that scheme or evaluation lab can recommend?
I personally prefer the second one, but I am not sure if this is common
sense and if this is preferable to the second one.
Date Index |
Thread Index |
Problems or questions? Contact firstname.lastname@example.org