| Type: Explanation/Clarification | Source: CANADA CB | Date: 06/14/1999 |
| Status: Closed | Source #: CA 02 | |
| CC Part #1 Reference: | ||
| CC Part #2 Reference: | ||
| CC Part #3 Reference: CC Part 3, Section 5.6 (ASE_REQ) | ||
| CEM Reference: | ||
| Reason: ongoing evaluation | ||
| Problem: The CC requires that the ST identify any security requirements for the IT environment, as appropriate. It would appear that security requirements need to be identified in order to map back to each of the security objectives for the IT environment. Thus, if a security objective can be classified as being related to the non-IT environment instead, then no security requirements need to be mapped to it. The question becomes one of when a security objective can be categorized as "non-IT". |
| Proposed Solution: A security objective may have IT characteristics, but it shouldn't be necessary to classify it as being related to the IT environment unless it has a direct role in assisting the TOE with the performance of its security functions. Thus, if the TOE relies upon its environment for I&A, then a security objective on the IT environment is required. Alternatively, if there is a security objective that states that virus scanners be in use on the operating system underlying the TOE, then this is at best very indirect in its support of the TOE, and can be categorized as a security objective on the non-IT environment. |