The TOE is Metastorm BPM v9.1.1.3 provided by Metastorm, Inc. The TOE provides the ability to view and manage information, activities, and instructions that can be used to automate a business process, for example a manager approving a staff member’s form for a travel request. The TOE is an IT enabled Business Process Management (BPM) software product supported on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. The TOE manages and tracks business processes flow and data in real time.
\r\nThe TOE uses the concept of an electronic folder in which all information relevant to a particular task is placed. These folders are routed electronically from user to user as team members complete assigned activities. All the information necessary is gathered into a single location and made available to the participants as the project reaches their respective desktops. The chance of losing important information is minimized and business processes move smoothly toward completion.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Metastorm BPM 9.1.1.3 (TOE) were judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the Metastorm BPM Release 9.1: Installation Prerequisites, June 2011; Metastorm BPM Release 9.1: Installation Guides, June 2011; Metastorm BPM Version 9.1.1.3 Release Notes; and Using Metastorm BPM in the Common Criteria Certification Configuration Documentation Addendum, November 2011 satisfies all of the security functional requirements stated in the Metastorm BPM 9.1 Security Target, Version 0.13, 9 January 2012. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in December 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10370-2012, dated 10 January 2012) prepared by CCEVS.
","environmental_strengths":"The TOE has been developed for an operating environment with a medium level of risk to identified assets and supports the following six security functions:
\r\nSecurity Audit – The TOE generates audit events as each component of the TOE performs actions on deployed projects. The records of audited events are saved by the TOE in the database for later retrieval and reviewed by administrative users through an audit trail form. This audit trail form presents records in a manner determined by a project’s designer and can be constructed to permit searching and/or sorting of audit records.
\r\nThe TOE provides administrators with a way to view audit records created by the TOE.
\r\nWhen a business process is designed, the designer chooses the users or roles that are permitted to have access to a given folder, form or field. ACLs are used to define permissions on folders and forms. Fields on a form are either visible or not, depending upon the ‘Visibility Depends On’ property of the field. If the field is visible the user has the ability to modify or use the field. Visibility can be restricted based upon role.
\r\nThe TOE ensures that only an administrator can login and perform administrative management function. The TOE recognizes several roles: a process designer, an administrator, a user, and designer-specified user roles.
\r\n