Validated Product - Knowledge Center Suite Version 6.5 with Service Pack 4

Certificate Date: 21 December 2007
Validation Report Number: CCEVS-VR-VID10099-2007
Product Type: Miscellaneous
Conformance Claim: EAL2
PP Identifiers: None
CC Testing Lab: DSD Information Assurance Laboratory (DIAL)

PRODUCT DESCRIPTION

The TOE, SupportSoft Knowledge Center and Platform, is a software-only web-based application that allows organizations to create, approve, and publish all types of content and make that content available to a large set of end-users and Support Analysts. The TOE is intended to be used as a knowledge base and end-user technical support solution.

The SupportSoft Platform and SupportSoft Knowledge Center (KC) are both included in the SupportSoft Intelligent Assistance Suite. The Intelligent Assistance Suite allows users to develop, share, research, and resolve end-user technical support issues throughout an organization. It enables Administrators and Analysts to support technical issues surrounding end-point management.

The TOE includes a management capability that allows authorized administrators to configure and maintain the web server, application interfaces, components and product features. These features include creating users and groups, setting permissions for applications and tools, configuring content filtering, and creating, editing and publishing content reports. The TOE provides Web interfaces via virtual directories to administrator systems (Support Administrator), analyst systems (Support), knowledge author systems (Author Center), and end user systems (User Center).

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the SupportSoft TOE meets the security requirements contained in the Security Target. The criteria against which the SupportSoft TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2.
The DSD Information Assurance Laboratory (DIAL) determined that the evaluation assurance level (EAL) for the SupportSoft TOE is EAL 2. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. A Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by the DSD Information Assurance Laboratory (DIAL). The evaluation was completed in October 2007. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10099-2007, dated 21 December 2007) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

The SupportSoft TOE provides access control, access levels, audit, identification and authentication, security management, and protection of TOE function features as they relate to content management. As a software-only TOE, the product is dependent upon its environment for support of some services it provides and for some protections.

Access Control - KC access levels are enforced when the Author Center interface is used. The TOE develops the logic required to enforce the access levels and sends that logic in the retrieval request to the DB (outside the evaluated configuration). Using the logic provided by the TOE, the DB retrieves only the requested content items to which the requesting user has access.

Access Levels - KC assigns access levels (a defined set of permissions) to groups for each folder that will hold content. Access levels can also be assigned to the Contribution Content Type. KC manages all access levels and permissions.

Audit - The TOE provides two different types of auditing. One is the ability to audit the following login events: successful logins, user resets, and failed login attempts due to supplying an incorrect password. (A user reset is performed when an administrator enables a disabled account.)
The other is the ability to audit every state change to a content item. The possible states for all content types are Under Construction, Pending Approval, Published, Approved, Rejected, Expired, Delisted, Superseded. The generation of login audit records is provided by Platform. The generation of content item state change audit records is provided by KC. All audit events are time stamped by the database as they are stored in the DB. Therefore, the TOE relies on the IT environment (DB, OS, and hardware) to provide a reliable timestamp.

To view login audit records, the Administrator can run a report. This functionality is provided by Platform. Generated reports are stored in the DB and can be deleted by the users with the appropriate permission or role. To view content item records, the Administrator, Author, Approver, and users with the appropriate permission can view the audit trail page for the content item. This functionality is provided by KC.

Identification and Authentication - Users log into the TOE via one of the four TOE interfaces. The SupportSoft Platform requires that all users except anonymous users provide a user ID and password in order to access the TOE. In the evaluated configuration, anonymous users only have access to search published content. The user account information is stored in the database in the IT environment. The SupportSoft Platform makes the identification and authentication decisions based on the information input by the user and the information received from the database.

Security Management - Platform provides the ability to perform general management functions, such as:
KC provides the ability to perform functions specific to content management, such as:
The SupportSoft Platform implements roles by assigning Platform permissions to groups in order to determine access to specific components.

Protection of TOE functions - Logical protection of the TOE is required to ensure the TOE security services are not bypassed or tampered with. The TOE and the operating system, which is in the IT environment, work together to protect the TOE.