ДСТУ ISO/IEC 18045:2023 Информационные технологии. Кибербезопасность и защита конфиденциальности. Критерии оценки безопасности ИТ. Методология оценки безопасности ИТ (ISO/IEC 18045:2022, IDT)



ПІДТВЕРДЖУВАЛЬНЕ ПОВІДОМЛЕННЯ

Державне підприємство
«Український науково-дослідний і навчальний центр
проблем стандартизації, сертифікації та якості»
(ДП «УкрНДНЦ»)

Наказ від 17.08.2023 № 210

ISO/IEC 18045:2022

Information security, cybersecurity and privacy protection. Evaluation criteria for IT
security. Methodology for IT security evaluation

прийнято як національний стандарт
методом «підтвердження» за позначенням

ДСТУ ISO/IEC 18045:2023
(ISO/IEC 18045:2022, IDT)

Інформаційні технології. Кібербезпека та захист конфіденційності. Критерії
оцінювання безпеки ІТ. Методологія оцінювання безпеки ІТ

З наданням чинності від 2023-08-22

 

 
 
(ДП «УкрНДНЦ» http://uas.gov.ua )

Table of Contents

LIST OF FIGURES

LIST OF TABLES

FOREWORD

INTRODUCTION

1 SCOPE

2 NORMATIVE REFERENCES

3 TERMS AND DEFINITIONS

4 ABBREVIATED TERMS

5 TERMINOLOGY

6 VERB USAGE

7 GENERAL EVALUATION GUIDANCE

8 RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES

9 EVALUATION PROCESS AND RELATED TASKS

9.1 General

9.2 Evaluation process overview

9.3 Evaluation input task

9.4 Evaluation sub-activities

9.5 Evaluation output task

10 CLASS APE: PROTECTION PROFILE EVALUATION

10.1 General

10.2 Re-using the evaluation results of certified PPs

10.3 РР introduction (APE_INT)

10.4 Conformance claims (APE_CCL)

10.5 Security problem definition (APE_SPD)

10.6 Security objectives (APE_OBJ)

10.7 Extended components definition (APE_ECD)

10.8 Security requirements (APE_REQ)

11 CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION

11.1 General

11.2 PP-Module introduction (ACE_INT)

11.3 PP-Module conformance claims (ACE_CCL)

11.4 PP-Module Security problem definition (ACE_SPD)

11.5 PP-Module Security objectives (ACE_OBJ)

11.6 PP-Module extended components definition (ACE_ECD)

11.7 PP-Module security requirements (ACE_REQ)

11.8 PP-Module consistency (ACE_MCO)

11.9 PP-Configuration consistency (ACE_CCO)

12 CLASS ASE: SECURITY TARGET EVALUATION

12.1 General

12.2 Application notes

12.3 ST introduction (ASE_INT)

12.4 Conformance claims (ASE_CCL)

12.5 Security problem definition (ASE_SPD)

12.6 Security objectives (ASE_OBJ)

12.7 Extended components definition (ASE_ECD)

12.8 Security requirements (ASE_REQ)

12.9 TOE summary specification (ASE_TSS)

12.10 Consistency of composite product Security Target (ASE_COMP)

13 CLASS ADV: DEVELOPMENT

13.1 General

13.2 Application notes

13.3 Security Architecture (ADV_ARC)

13.4 Functional specification (ADV_FSP)

13.5 Implementation representation (ADV_IMP)

13.6 TSF internals(ADV_INT)

13.7 Formal TSF model (ADV_SPM)

13.8 TOE design (ADV_TDS)

13.9 Composite design compliance (ADV_COMP)

14 CLASS AGD: GUIDANCE DOCUMENTS

14.1 General

14.2 Application notes

14.3 Operational user guidance (AGD_OPE)

14.4 Preparative procedures (AGD_PRE)

15 CLASS ALC: LIFE-CYCLE SUPPORT

15.1 General

15.2 CM capabilities (ALC_CMC)

15.3 CM scope (ALC_CMS)

15.4 Delivery (ALC_DEL)

15.5 Development security (ALC_DVS)

15.6 Flaw remediation (ALC_FLR)

15.7 Life-cycle definition (ALC_LCD)

15.8 TOE Development Artifacts (ALC_TDA)

15.9 Tools and techniques (ALC_TAT)

15.10 Integration of composition parts and consistency check of delivery procedures (ALC_COMP)

16 CLASS ATE: TESTS

16.1 General

16.2 Application notes

16.3 Coverage (ATE_COV)

16.4 Depth (ATE_DPT)

16.5 Functional tests (ATE_FUN)

16.6 Independent testing (ATE_IND)

16.7 Composite functional testing (ATE_COMP)

17 CLASS AVA: VULNERABILITY ASSESSMENT

17.1 General

17.2 Vulnerability analysis (AVA_VAN)

17.3 Composite vulnerability assessment (AVA_COMP)

18 CLASS ACO: COMPOSITION

18.1 General

18.2 Application notes

18.3 Composition rationale (ACO_COR)

18.4 Development evidence (ACO_DEV)

18.5 Reliance of dependent component (ACO_REL)

18.6 Composed TOE testing (ACO_CTT)

18.7 Composition vulnerability analysis (ACO_VUL)

ANNEX A (INFORMATIVE) GENERAL EVALUATION GUIDANCE

ANNEX В (INFORMATIVE) VULNERABILITY ASSESSMENT (AVA)

ANNEX C (INFORMATIVE) EVALUATION TECHNIQUES AND TOOLS