|
|
Document
History
Version 4.0 was produced in July 2000 and relates to CC version 2.1
(and ITSEC). The training material has not (as at March 2006) been
updated to reflect the changes in CC or UKSPs implemented since
The mapping between the UKSPs as at July 2000 and March 2006 is as
follows:
| July 2000 version |
March 2006 version |
| UKSP01 |
UKSP01 |
| UPSP02 |
UKSP02 part
I, part II |
| UKSP04 part I |
UKSP03 |
| UKSP04 part II |
UKSP04 part
II |
| UKSP04 part III |
UKSP04 part III |
| UKSP05 part I |
UKSP02 part I, part II |
| UKSP05 part III |
UKSP05 part III |
| UKSP16 part I |
UKSP16 part I |
| UKSP16 part II |
UKSP16 part II |
In July 2003 additional guidance (module
2.6A (pdf)) was produced on vulnerability search and analysis.
This must be used in conjunction with module M2.6
Scope and Objective
The Evaluator Training Course is intended to cover all major aspects
of assurance criteria, scheme rules and procedure and general context,
for both ITSEC and CC evaluations. This includes assurance maintenance
and composition.
The primary focus is on the technical aspects of assurance. However,
this is supported by communication of evaluation context and the role
of scheme rules and procedures.
Format
The training material consists of the following components, for each
module of the course:
1. A set of PowerPoint slides. These are intended to be appropriate
for 'classroom' use.
2. A set of references to further reading material. (A consolidated
overview of key evaluation concepts is also provided with the training
material)
3. A set of illustrative examples and exercises. Note that:
- The trainer is expected to complement these with material from
specific evaluations undertaken by the CLEF conducting training.
4. Combined trainer and student notes. Note that:
- The notes are intended to serve both as an aid to the trainer,
and as a set of notes for students to take away after the module.
- The trainer notes are not exhaustive - trainers will need to
supplement them with illustrative examples based on their own
experience to complete the presentations.
- It is recommended that the student notes are not distributed
until the end of the module. This will remove the temptation for
students to read the notes during the module rather than listening
to what the trainer is saying. Furthermore, the notes present
or indicate appropriate answers to the various exercises, and
should not therefore be disclosed prematurely.
Structure
The course is broken down into the following three modules:
M1
Evaluation Overview
M2 Assurance
(ppt)
M3
Scheme Rules and Procedures
The following overview describes each in turn.
M1
Evaluation Overview)
Module M1 provides a background to IT security concepts and evaluation,
and introduces both assurance and scheme rules and procedures.
M1
should therefore normally be given before any other module.
M2 (Assurance)
M2 comprises nine modules, which cover all major assurance aspects.
M2.0
(ppt) is an introductory module, which relates the various assurance
aspects.
M2.1
to M2.8
then address the various aspects
as follows.
| Module |
Content |
M2.1
Security Requirements |
Content of the Security
Target and its evaluation
Styles of specification
Security Policy Models |
M2.2
Development Representations |
Representational levels
Refinement and traceability analysis
Styles of specification
Separation |
M2.3
Functional Testing |
Developer and evaluator
testing
Test coverage and depth
Sampling and additional tests |
M2.4
Development Environment |
Configuration management
Security of the development environment
Development tools
TOE development life-cycle issues |
M2.5
Operational Environment |
Operational guidance
TOE delivery procedures
Installation, configuration and start-up |
M2.6
Vulnerability Analysis |
Types of vulnerability
(known, potential, exploitable and non-exploitable)
Sources of vulnerabilities
Search for vulnerabilities
Analysis of impact of vulnerabilities |
M2.6A
(pdf)
Additional Guidance on Vulnerability Search Analysis |
This gives guidance on
how to initiate the process of identifying vulnerabilities in
conjunction with other evaluation activities. Particular focus
is given to the development representation evaluation activities
|
M2.7
Penetration Testing |
Planning, conduct and reporting
of penetration testing |
M2.8
Assurance Maintenance and Composition |
Re-evaluation
Certificate Maintenance Scheme
Evaluation of composite TOEs |
M3
(Scheme Rules and Procedures)
M3 comprises two modules.
These reinforce and supplement the awareness of scheme rules and procedures
gained from module M1
and on-the-job experience as follows.
| Module |
Content |
M3.1
Evaluation Process |
Roles and responsibilities
of interested parties (i.e. Sponsor, Developer, CLEF, CB, UKAS
and System Accreditor).
Inputs, activities and outputs associated with each evaluation
process phase. |
M3.2
Evaluation Management |
Revisits the evaluation
process from a task management perspective. |
Suggested Timings
The following timings are suggested for each module. Note that:
- The timings are based on the assumption that the module is
given in a 'classroom' setting. They may vary however according
to the setting, e.g. if a module is given as a 'one-to-one' tutorial.
- The suggested timings are for the presentation only. They do
not include time needed for student exercises or worked examples.
| Module |
Time |
| M1 |
Introduction |
1.5 hours |
| M2.1
|
Security Requirements |
1.5 hours |
| M2.2 |
Development Representations |
1 hour |
| M2.3
|
Functional Testing |
1 hour |
| M2.4
|
Development Environment |
45 mins |
| M2.5
|
Operational Environment |
45 mins |
| M2.6
|
Vulnerability Analysis |
1.5 hours |
| M2.7 |
Penetration Testing |
1 hour |
| M2.8
|
Assurance Maintenance and Composition |
1 hour |
| M3.1
|
Evaluation Process |
45 mins |
| M3.2 |
Evaluation Management |
1 hour |
Suggested Timings
All modules are of relevance to evaluators and certifiers.
The table below indicates the further potential target audience for
each module of the using the following key:
M
Management (developer or sponsor)
T
Technical Staff (developer or sponsor) - i.e. those responsible for
producing deliverables
T* Technical staff –
as above, although the module may not be comprehensive for this audience
P Purchasers – i.e. those interested in understanding
the process underpinning the evaluation results
| Module |
Target Audience |
| M1 |
Introduction |
M, T, P |
| M2.1
|
Security Requirements |
T* |
| M2.2 |
Development Representations |
T* |
| M2.3 |
Functional Testing |
- |
| M2.4 |
Development Environment |
T* |
| M2.5 |
Operational Environment |
- |
| M2.6 |
Vulnerability Analysis |
- |
| M2.7 |
Penetration Testing |
- |
| M2.8 |
Assurance Maintenance and Composition |
M, T |
| M3.1 |
Evaluation Process |
M, T |
| M3.2 |
Evaluation Management |
- |
Scheme Requirements for Evaluator Training
Formal scheme requirements for evaluator training and the relationship
of this to evaluator status are as specified in UKSP(s). However this
Evaluator Training Course has been developed in accordance with the
following principles.
1. The content of the powerpoint slides implicitly defines a training
syllabus.
2. The course has a modular structure which is intended to facilitate
initial evaluator training, but otherwise has appropriately flexibility.
In particular, each module can, if required, be given as a 'stand-alone'
training module within the context of an extended training programme
which encompasses on-the-job training.
- M1
and M3.1
are appropriate for initial evaluator training.
- Also a trainee evaluator would be expected to have completed
a given M2 module before performing such work in an actual evaluation.
- M3.2
will be most appropriate for an evaluator who has further familiarised
themself with the evaluation process through on-the-job training.
- An evaluator would be expected to be fully familiar with all
modules to support an application for Qualified status.
|
