An assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated in order to determine the level of protection required and provided by the system.
Common Criteria
The Common Criteria is a framework within which users specify their security requirements, vendors make claims about how they satisfy those requirements, and independent labs can verify those claims.
Under the Common Criteria model, an evaluation is carried out on a product and it is assigned an Evaluation Assurance Level (EAL). The testing becomes more thorough, stringent, and detail-oriented as the assurance level increases. The Common Criteria has seven assurance levels, ranging from EAL1, where functionality testing takes place, to EAL7, where thorough testing is performed and the system design is verified. The different EAL packages are:
- EAL1 Functionally tested
- EAL2 Structurally tested
- EAL3 Methodically tested and checked
- EAL4 Methodically designed, tested, and reviewed
- EAL5 Semi-formally designed and tested
- EAL6 Semi-formally verified design and tested
- EAL7 Formally verified design and tested
For the remaining content, see my WeChat official account debugeeker; the link is "CISSP Exam Guide Notes: 3.6 System Evaluation Methods".