ДСТУ ISO/IEC 15408-3:2023 Information technology. Cybersecurity and privacy protection. Evaluation criteria for IT security. Part 3. Security assurance components (ISO/IEC 15408-3:2022, IDT)



ДСТУ ISO/IEC 15408-3:2023
(ISO/IEC 15408-3:2022, IDT)

Information technology. Cybersecurity and privacy protection. Evaluation criteria
for IT security. Part 3. Security assurance components

Not an official edition.
The official edition is distributed by the national standardization body
(ДП «УкрНДНЦ» http://uas.gov.ua)

Contents

Foreword

Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Overview

5 Assurance paradigm

5.1 General

5.2 ISO/IEC 15408 series approach

5.3 Assurance approach

5.4 ISO/IEC 15408 series evaluation assurance scale

6 Security assurance components

6.1 General

6.2 Assurance class structure

6.3 Assurance family structure

6.4 Assurance component structure

6.5 Assurance elements

6.6 Component taxonomy

7 Class APE: Protection Profile (PP) evaluation

7.1 General

7.2 PP introduction (APE_INT)

7.3 Conformance claims (APE_CCL)

7.4 Security problem definition (APE_SPD)

7.5 Security objectives (APE_OBJ)

7.6 Extended components definition (APE_ECD)

7.7 Security requirements (APE_REQ)

8 Class ACE: Protection Profile Configuration evaluation

8.1 General

8.2 PP-Module introduction (ACE_INT)

8.3 PP-Module conformance claims (ACE_CCL)

8.4 PP-Module security problem definition (ACE_SPD)

8.5 PP-Module security objectives (ACE_OBJ)

8.6 PP-Module extended components definition (ACE_ECD)

8.7 PP-Module security requirements (ACE_REQ)

8.8 PP-Module consistency (ACE_MCO)

8.9 PP-Configuration consistency (ACE_CCO)

9 Class ASE: Security Target (ST) evaluation

9.1 General

9.2 ST introduction (ASE_INT)

9.3 Conformance claims (ASE_CCL)

9.4 Security problem definition (ASE_SPD)

9.5 Security objectives (ASE_OBJ)

9.6 Extended components definition (ASE_ECD)

9.7 Security requirements (ASE_REQ)

9.8 TOE summary specification (ASE_TSS)

9.9 Consistency of composite product Security Target (ASE_COMP)

10 Class ADV: Development

10.1 General

10.2 Security Architecture (ADV_ARC)

10.3 Functional specification (ADV_FSP)

10.4 Implementation representation (ADV_IMP)

10.5 TSF internals (ADV_INT)

10.6 Security policy modelling (ADV_SPM)

10.7 TOE design (ADV_TDS)

10.8 Composite design compliance (ADV_COMP)

11 Class AGD: Guidance documents

11.1 General

11.2 Operational user guidance (AGD_OPE)

11.3 Preparative procedures (AGD_PRE)

12 Class ALC: Life-cycle support

12.1 General

12.2 CM capabilities (ALC_CMC)

12.3 CM scope (ALC_CMS)

12.4 Delivery (ALC_DEL)

12.5 Developer environment security (ALC_DVS)

12.6 Flaw remediation (ALC_FLR)

12.7 Development Life-cycle definition (ALC_LCD)

12.8 TOE Development Artefacts (ALC_TDA)

12.9 Tools and techniques (ALC_TAT)

13 Class ATE: Tests

13.1 General

13.2 Coverage (ATE_COV)

13.3 Depth (ATE_DPT)

13.4 Functional tests (ATE_FUN)

13.5 Independent testing (ATE_IND)

13.6 Composite functional testing (ATE_COMP)

14 Class AVA: Vulnerability assessment

14.1 General

14.2 Application notes

14.3 Vulnerability analysis (AVA_VAN)

14.4 Composite vulnerability assessment (AVA_COMP)

15 Class ACO: Composition

15.1 General

15.2 Composition rationale (ACO_COR)

15.3 Development evidence (ACO_DEV)

15.4 Reliance of dependent component (ACO_REL)

15.5 Composed TOE testing (ACO_CTT)

15.6 Composition vulnerability analysis (ACO_VUL)

Annex A (informative) Development (ADV)

Annex B (informative) Composition (ACO)

Annex C (informative) Cross reference of assurance component dependencies

Bibliography
