1. © Crown Copyright (2000) Module 3.1 Evaluation Process

2. You Are Here M3.1 Evaluation Process M3.2 Evaluation Management MODULE 3 - SCHEME RULES AND PROCEDURES

3. People Involved Sponsor Developer Evaluator Certification Body Accreditor

4. Role of Sponsor Pay for the evaluation Sponsor may also be the developer Point of contact between CLEF and Developer Produce/Help in production of deliverables Resolution of Problem Reports

5. Role of Developer Provision of TOE Design/Development Documentation Guidance Documents Support during evaluator testing Support during Development Environment Assessment Resolution of Problem Reports

6. Role of Evaluator Assess evaluation deliverables to identify whether they meet criteria requirements Assess, through the deliverables provided for the appropriate level of assurance, whether the TOE meets the security requirements specified in the Security Target

7. Role of Certification Body Oversight of evaluations conducted under UK Scheme Guidance on evaluation methodology Provide Certification Report/Certificate

8. Role of Accreditor Responsibility for granting authority to operate a system processing protectively marked data Mandates security requirements of system and level of assurance required May use results of an evaluation on which to base decision to grant Accreditation

9. Evaluation Process Preparation Phase Conduct Phase Conclusion Phase

10. Preparation Phase Inputs –Security Target –Certification Body Questionnaire –UKSP 06 Entry Task Start-Up Meeting Outputs –Acceptance into Scheme

11. Conduct Phase Inputs –Deliverables Evaluation Progress Meetings Outputs –Observation Reports –Work Package Reports

12. Conduct Phase - Deliverables Deliverables List Schedule Management –under configuration control –timescales and impact on evaluation

13. Conduct Phase - Evaluation Progress Meetings Standard Agenda Who attends Purpose: –discuss issues affecting evaluation progress or results –keep all parties informed of progress

14. Conduct Phase - Observation Reports Types –Level 1 –Level 2 –Level 3 –Level 4 Raised by Evaluators and sent to: –CB, Developer, Sponsor May force change to TOE or deliverables

15. Conduct Phase - Work Package Reports One for each Work Package (Activity) Results of evaluator actions –Evidence of why the conclusion was reached Observation Reports –identify where an observation report has been raised –provide justification for satisfactory resolution

16. Conclusion Phase Evaluation Technical Report –includes Work Package Reports –main input into Certification process Certification Report/Certificate –summary of evaluation results –recommendations for use UKSP06 Entry –update to indicate result of evaluation

17. Certification Process Results from ETR –discuss any concerns/queries with CLEF Outstanding Observation Reports Constraints/Limitations of evaluation Report to Accreditor, if required

18. CLEF Quality Manual UKAS - Categories 0 and 1 Procedures, minimum: –Review of evaluation outputs –Handling of evaluation items –Records –Handling of Complaints/Anomalies –Security (covered in later slide) –Site Testing

19. CLEF Security Manual Security Operating Procedures: –Task separation: need to know principle –Document security: Storage of deliverables and results –Physical security: access to CLEF/Task Cells

20. Summary - 1 Security Target - (Developer/Sponsor) Deliverables - (Sponsor/Developer) Observation Reports - (Evaluator) Evaluation Technical Report (Evaluator) Certification Report/Certificate (CB)

21. Further Reading UKSP 01 UKSP 04 Part 1 UKSP 05 Part 1 CEM Part 2, Chapter 2