Document History
Version 4.0 was produced in July 2000 and relates to CC version
2.1 (and ITSEC). The training material has not (as at March
2006) been updated to reflect the changes in CC or UKSPs implemented
since.
The mapping between the UKSPs as at July 2000 and March 2006
is as follows:
| July 2000 version | March 2006 version |
| UKSP01 | UKSP01 |
| UKSP02 | UKSP02 part I, part II |
| UKSP04 part I | UKSP03 |
| UKSP04 part II | UKSP04 part II |
| UKSP04 part III | UKSP04 part III |
| UKSP05 part I | UKSP02 part I, part II |
| UKSP05 part III | UKSP05 part III |
| UKSP16 part I | UKSP16 part I |
| UKSP16 part II | UKSP16 part II |
In July 2003 additional guidance (module 2.6A (pdf)) was produced
on vulnerability search and analysis. This must be used in
conjunction with module M2.6.
Scope and Objective
The Evaluator Training Course is intended to cover all major
aspects of assurance criteria, scheme rules and procedure
and general context, for both ITSEC and CC evaluations. This
includes assurance maintenance and composition.
The primary focus is on the technical aspects of assurance.
However, this is supported by communication of evaluation
context and the role of scheme rules and procedures.
Format
The training material consists of the following components,
for each module of the course:
1. A set of PowerPoint slides. These are intended to be appropriate
for 'classroom' use.
2. A set of references to further reading material. (A consolidated
overview of key evaluation concepts is also provided with
the training material.)
3. A set of illustrative examples and exercises. Note that:
- The trainer is expected to complement these with material
from specific evaluations undertaken by the CLEF conducting
training.
4. Combined trainer and student notes. Note that:
- The notes are intended to serve both as an aid to the
trainer, and as a set of notes for students to take away
after the module.
- The trainer notes are not exhaustive - trainers will
need to supplement them with illustrative examples based
on their own experience to complete the presentations.
- It is recommended that the student notes are not distributed
until the end of the module. This will remove the temptation
for students to read the notes during the module rather
than listening to what the trainer is saying. Furthermore,
the notes present or indicate appropriate answers to the
various exercises, and should not therefore be disclosed
prematurely.
Structure
The course is broken down into the following three modules:
M1 Evaluation Overview
M2 Assurance (ppt)
M3 Scheme Rules and Procedures
The following overview describes each in turn.
M1 (Evaluation Overview)
Module M1 provides a background to IT security concepts and evaluation, and introduces both assurance and scheme rules and procedures.
M1 should therefore normally be given before any other module.
M2 (Assurance)
M2 comprises nine modules, which cover all major assurance
aspects.
M2.0 (ppt) is an introductory module, which relates the various assurance aspects.
M2.1 to M2.8 then address the various aspects as follows.
| Module | Content |
| M2.1 Security Requirements | Content of the Security Target and its evaluation; Styles of specification; Security Policy Models |
| M2.2 Development Representations | Representational levels; Refinement and traceability analysis; Styles of specification; Separation |
| M2.3 Functional Testing | Developer and evaluator testing; Test coverage and depth; Sampling and additional tests |
| M2.4 Development Environment | Configuration management; Security of the development environment; Development tools; TOE development life-cycle issues |
| M2.5 Operational Environment | Operational guidance; TOE delivery procedures; Installation, configuration and start-up |
| M2.6 Vulnerability Analysis | Types of vulnerability (known, potential, exploitable and non-exploitable); Sources of vulnerabilities; Search for vulnerabilities; Analysis of impact of vulnerabilities |
| M2.6A (pdf) Additional Guidance on Vulnerability Search Analysis | This gives guidance on how to initiate the process of identifying vulnerabilities in conjunction with other evaluation activities. Particular focus is given to the development representation evaluation activities |
| M2.7 Penetration Testing | Planning, conduct and reporting of penetration testing |
| M2.8 Assurance Maintenance and Composition | Re-evaluation; Certificate Maintenance Scheme; Evaluation of composite TOEs |
M3 (Scheme Rules and Procedures)
M3 comprises two modules. These reinforce and supplement the
awareness of scheme rules and procedures gained from module M1
and on-the-job experience as follows.
| Module | Content |
| M3.1 Evaluation Process | Roles and responsibilities of interested parties (i.e. Sponsor, Developer, CLEF, CB, UKAS and System Accreditor); Inputs, activities and outputs associated with each evaluation process phase. |
| M3.2 Evaluation Management | Revisits the evaluation process from a task management perspective. |
Suggested Timings
The following timings are suggested for each module. Note
that:
- The timings are based on the assumption that the module
is given in a 'classroom' setting. They may vary, however,
according to the setting, e.g. if a module is given as a
'one-to-one' tutorial.
- The suggested timings are for the presentation only. They
do not include time needed for student exercises or worked
examples.
| Module | Time |
| M1 Introduction | 1.5 hours |
| M2.1 Security Requirements | 1.5 hours |
| M2.2 Development Representations | 1 hour |
| M2.3 Functional Testing | 1 hour |
| M2.4 Development Environment | 45 mins |
| M2.5 Operational Environment | 45 mins |
| M2.6 Vulnerability Analysis | 1.5 hours |
| M2.7 Penetration Testing | 1 hour |
| M2.8 Assurance Maintenance and Composition | 1 hour |
| M3.1 Evaluation Process | 45 mins |
| M3.2 Evaluation Management | 1 hour |
Target Audience
All modules are of relevance to evaluators and certifiers.
The table below indicates the further potential target audience for each
module of the course, using the following key:
M Management (developer or sponsor)
T Technical Staff (developer or sponsor) - i.e. those responsible for producing deliverables
T* Technical staff - as above, although the module may not be comprehensive for this audience
P Purchasers - i.e. those interested in understanding the process underpinning the evaluation results
| Module | Target Audience |
| M1 Introduction | M, T, P |
| M2.1 Security Requirements | T* |
| M2.2 Development Representations | T* |
| M2.3 Functional Testing | - |
| M2.4 Development Environment | T* |
| M2.5 Operational Environment | - |
| M2.6 Vulnerability Analysis | - |
| M2.7 Penetration Testing | - |
| M2.8 Assurance Maintenance and Composition | M, T |
| M3.1 Evaluation Process | M, T |
| M3.2 Evaluation Management | - |
Scheme Requirements for Evaluator Training
Formal scheme requirements for evaluator training and
the relationship of this to evaluator status are as specified in UKSP(s).
However, this Evaluator Training Course has been developed in accordance
with the following principles.
1. The content of the PowerPoint slides implicitly defines a training
syllabus.
2. The course has a modular structure which is intended to facilitate
initial evaluator training, but is otherwise appropriately
flexible. In particular, each module can, if required, be
given as a 'stand-alone' training module within the context
of an extended training programme which encompasses on-the-job
training.
- M1 and M3.1 are appropriate for initial evaluator training.
- Also, a trainee evaluator would be expected to have completed a given
M2 module before performing such work in an actual evaluation.
- M3.2 will be most appropriate for an evaluator who has further familiarised
themself with the evaluation process through on-the-job training.
- An evaluator would be expected to be fully familiar with all modules
to support an application for Qualified status.