[Public Interpretations Database]

I-0388: What Is The Difference Between "Sort" And "Order"?

 
TYPE:                 NIAP Interpretation
NUMBER:               I-0388
STATUS:               Sent to CCEVS Management and CCIMB for Review

TITLE:                What Is The Difference Between "Sort" And "Order"?

FIRST POST:            [cc-cmt 00255]

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 3.4 FAU_SAR.3
RELATED TO:           <None>

ISSUE:

What is the distinction between the terms "sorting" and "ordering"? Sometimes the words are used interchangeably.

STATEMENT

The terms "sorting" and "ordering" are often used interchangeably in IT system discussions. Though they have somewhat different meanings, this usually doesn't cause any confusion. In certain circumstances, however, the distinction must be made: when one sorts, one separates items into different kinds or classes; when one orders, one arranges the items in a particular order.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following changes are made to CC v2.1: (Additions marked thusly; deletions marked thusly )

  • In part 2, section 6.6, "Information flow control functions (FDP_IFF)", add the following sentence to paragraph 198, "Family behavior":

    This demands that the term "ordering" be used in its strict mathematical sense for this family.

  • In part 2, section 3.4, "Security audit review (FAU_SAR)", insert the following new second paragraph after paragraph 111, "Family behavior":

    Although the terms "sorting" and "ordering" are sometimes used interchangeably in IT system discussions, they have somewhat different meanings. When one sorts, one groups items into kinds or classes; when one orders, one arranges the items in a particular sequence. So, for example, one might sort audit data so that all the audit records that contain information on a particular user are separated from all other audit data. On the other hand, one might order the audit data based on the date and time of the audit event in each audit record. Thus, technically, what is usually referred to as "bubble sorting" would more accurately be called "bubble ordering". In this family the two words will have their more strict meanings.

  • In Annex C, change the last sentence in paragraph 546:

    The traditional notion of a time-sortedtime- ordered list or "trail" of audited events may not be applicable in a global asynchronous network with arbitrarily many events occurring at once.

SUPPORT:

The Common Criteria does not provide a clear distinction between "sorting" and "ordering", particularly as used in the functional requirement FAU_SAR.3.1:

The TSF shall provide the ability to perform [selection: searches, sorting, ordering] of audit data based on [assignment: criteria with logical relations].

In developing this interpretation, the Oxford English Dictionary was consulted. Among the applicable definitions found were the following:

sort: To arrange (things, etc.) according to a kind or quality, or after some settled order or system; to separate and put into different sorts or classes.

order: The action of putting or keeping in order.

in order: In proper sequence or succession, according to rank, importance, seniority, size, position, date, affinity, etc.