28 September - 1 October | Cardo Roma, Italy

Is It Possible to Use CC to Show CB/ITSEF Security Measures Are Sufficient? (B22a)

Assess whether Common Criteria can demonstrate certification bodies’ and labs’ security measures are sufficient.
30 Sep 2026
1:30 pm
Sala Cosmo II

Both CBs and ITSEFs have to implement Technical and Organizational Measures (TOMs) that together sufficiently protect both developer and evaluator information, such as TOE details and evaluation reports. But what is sufficient? With one exception, the requirements (e.g. ISO17025, ISO17065, EU legislation) are not specific, while the exception, the Minimum Site Security Requirements (MSSR), is related to AVA_VAN.5 only. Therefore the question remains: what is sufficient for the non-MSSR levels? In this talk the presenter will propose an idea on how the Common Criteria standard itself might enable CBs/ITSEFs to assess whether (and, if successful, explain why) their TOMs together are sufficient.