Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of this Technical Report
6 Technical approach
6.1 The nature of operational systems
6.2 Establishing operational system security
6.3 Security in the operational system life cycle
6.4 Relationship to other systems
7 Extending ISO/IEC 15408 evaluation concepts to operational
systems
7.1 Overview
7.2 General philosophy
7.3 Operational system assurance
7.4 Composite operational systems
7.5 Types of security controls
7.6 System security functionality
7.7 Timing of evaluation
7.8 Use of evaluated products
7.9 Documentation requirements
7.10 Testing activities
7.11 Configuration management
8 Relationship to existing security standards
8.1 Overview
8.2 Relationship to ISO/IEC 15408
8.3 Relationship to non-evaluation standards
8.4 Relationship to Common Criteria development
9 Evaluation of operational systems
9.1 Introduction
9.2 Evaluation roles and responsibilities
9.3 Risk assessment and determination of unacceptable
risks
9.4 Security problem definition
9.5 Security objectives
9.6 Security requirements
9.7 The system security target (SST)
9.8 Periodic reassessment
Annex A (normative) Operational system Protection Profiles
and Security Targets
A.1 Specification of System Security Targets
A.2 Specification of System Protection Profiles
Annex B (normative) Operational system functional control
requirements
B.1 Introduction
B.2 Class FOD: Administration
B.3 Class FOS: IT systems
B.4 Class FOA: User Assets
B.5 Class FOB: Business
B.6 Class FOP: Facility and Equipment
B.7 Class FOT: Third parties
B.8 Class FOM: Management
Annex C (normative) Operational system assurance requirements
C.1 Introduction
C.2 Class ASP: System Protection Profile evaluation
C.3 Class ASS: System Security Target evaluation
C.4 Class AOD: Operational system guidance document
C.5 Class ASD: Operational System Architecture,
Design and Configuration Documentation
C.6 Class AOC: Operational System Configuration
Management
C.7 Class AOT: Operational System Test
C.8 Class AOV: Operational System Vulnerability
Analysis
C.9 Class AOL: Operational system life cycle support
C.10 Class ASI: System security installation and
delivery
C.11 Class ASO: Records on operational system
Annex D (informative) Relationship to Common Criteria
development
Bibliography