Re: Do we need explicitly stated IT security requirement for FPT_STM?



On Tue, 2004-01-13, YOKOTA HIROFUMI wrote:
[]
> I think many would prefer to think time is TSF Data and to evaluate the
> reliable time.
> 
> But developers (of the time server) may not think so.
> Because reliable time is the very thing to be expected.
> It is the very purpose of the product.

This is why we take the following approach:
-there are 3 sets of security functions, hence functional requirements:
	-requirements against the TOE in the classical sense
	-requirements against the environment
	-business requirements
-business requirements are defined like normal security functional
 requirements
-business requirements are requirements against the TOE
-business requirements of TOE A can be used as requirements against the
 environment in TOE B
-business requirements in an ST do not have to be fully defined, but
 the "owning" TOE should be suitable to be configured according to the
 possible assignments and/or selections, for multiple iterations of the
 requirement.
-business requirements cannot be refined in a TOE which does not "own" them
 beyond the scope of assignments and/or selections open in the ST of the
 "owning" TOE.

We call TOEs having business requirements/security functions our
"IT security infrastructure".

-- 
GNU GPL: only from a pure source





