Compliant Product - Metastorm BPM 9.0
Certificate Date: 10 January 2012
Validation Report Number: CCEVS-VR-VID10370-2012
Product Type: Miscellaneous
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The TOE is Metastorm BPM v184.108.40.206 provided by Metastorm, Inc. The TOE provides the ability to view and manage information, activities, and instructions that can be used to automate a business process, for example a manager approving a staff member’s form for a travel request. The TOE is an IT-enabled Business Process Management (BPM) software product supported on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. The TOE manages and tracks business process flow and data in real time.
The TOE uses the concept of an electronic folder in which all information relevant to a particular task is placed. These folders are routed electronically from user to user as team members complete assigned activities. All the information necessary is gathered into a single location and made available to the participants as the project reaches their respective desktops. The chance of losing important information is minimized and business processes move smoothly toward completion.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Metastorm BPM 220.127.116.11 (TOE) was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the Metastorm BPM Release 9.1: Installation Prerequisites, June 2011; Metastorm BPM Release 9.1: Installation Guides, June 2011; Metastorm BPM Version 18.104.22.168 Release Notes; and Using Metastorm BPM in the Common Criteria Certification Configuration Documentation Addendum, November 2011, satisfies all of the security functional requirements stated in the Metastorm BPM 9.1 Security Target, Version 0.13, 9 January 2012. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in December 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10370-2012, dated 10 January 2012) prepared by CCEVS.
The TOE has been developed for an operating environment with a medium level of risk to identified assets and supports the following six security functions:
- Security Audit – The TOE generates audit events as each component of the TOE performs actions on deployed projects. The records of audited events are saved by the TOE in the database for later retrieval and reviewed by administrative users through an audit trail form. This audit trail form presents records in a manner determined by a project’s designer and can be constructed to permit searching and/or sorting of audit records.
The TOE provides administrators with a way to view audit records created by the TOE.
- User Data Protection – The TOE can control access to objects called forms and folders using ACLs specific to each form and folder. A business process is composed of folders that transition between stages through actions. A folder is a unique instance of a business process. A folder contains one or more forms. A form contains fields defining specific information that pertains to an instance of the business process.
When a business process is designed, the designer chooses the users or roles that are permitted to have access to a given folder, form or field. ACLs are used to define permissions on folders and forms. Fields on a form are either visible or not, depending upon the ‘Visibility Depends On’ property of the field. If the field is visible the user has the ability to modify or use the field. Visibility can be restricted based upon role.
- Identification and Authentication – The TOE defines users in terms of the security attributes user name, password, and role. The TOE provides its own username and password authentication mechanism that it uses to authenticate users. While the product supports the use of additional authentication mechanisms (e.g., LDAP, RADIUS), only the local, TOE-defined username/password mechanism is supported in the evaluated configuration. In order to access the TOE, a user account including a user name and password must be created for the user. The TOE maintains both administrator and user roles.
- Security Management – The TOE provides applications and web-based administration forms that can be used to manage the TSF. The applications and forms include those that can perform the following management functions:
  - Design and deployment of business process projects,
  - Management of subjects and authentication data,
  - Management of objects, and
  - Management of session inactivity settings.
The TOE ensures that only an administrator can log in and perform administrative management functions. The TOE recognizes several roles: a process designer, an administrator, a user, and designer-specified user roles.
- TSF Protection – The TOE restricts access to both its administrative and non-administrative interfaces. The TOE ensures that only an administrator can log in and perform administrative management functions. The TOE also utilizes support in the environment (e.g., the database, the web server, and the operating system) to protect data stored in the database, to communicate with network entities, and to protect communications with users. This information is provided in support of the security assurance requirements, more specifically the architecture requirements for non-bypassability.
- TOE Access – The TOE can terminate inactive interactive user sessions. The TOE relies on a timestamp provided by the operating system in the environment in order to determine if a session has become inactive.