Professional Documents
Culture Documents
Impact Analysis Report
Impact Analysis Report
Preparation Guidance
Version 1.11
February 2008
Table of Contents
1. Introduction.................................................................................................................................1
2. Glossary......................................................................................................................................2
3. Determination of Assurance Continuity Application..............................................................3
4. Impact Analysis Report Preparation........................................................................................5
(1) Introduction..............................................................................................................................5
(2) Description of Changes...........................................................................................................6
(3) Affected Developer Evidence..................................................................................................8
(4) Description of Developer Evidence Modifications...................................................................8
(5) Conclusion...............................................................................................................................9
(6) Appendix................................................................................................................................12
5. Examination of the Impact Analysis Report..........................................................................13
Bibliography..................................................................................................................................13
Addendum: Checklist for Assurance Continuity Application....................................................1
1. Introduction
This document should be used as a reference when considering application for
assurance continuity. It contains viewpoints in determining whether changes to TOE
are within the scope of assurance continuity, and cites examples of the contents of
an Impact Analysis Report necessary for assurance continuity application.
Please refer to Assurance Continuity Guideline for Information Technology
Security Certification for the meaning and process of assurance continuity, and to
Rules for Application Procedures for Information Technology Security Certification
(CCM-02) for the rules and procedures relating to the assurance continuity system.
Note that in this document, the description of the chapter composition of an
Impact Analysis report contains additions to the composition of a report described
in
Assurance
Continuity
Guideline
for
Information
Technology
Security
2. Glossary
The meanings of terms used in this guidance document are equivalent to those
used in Assurance Continuity Guideline for Information Technology Security
Certification. The following are the meanings of main terms:
Certified TOE
The TOE version which has been evaluated and for which a certificate
has already been issued.
Changed TOE
A version of TOE different from a certified TOE resulting from changes
being applied to a certified TOE.
Developer Documentation
All necessary items describing the content of changes of a changed TOE
with regard to a certified TOE. The items must be usable for verification.
are
sometimes
discerned
by
examining
the
implementation
are
not
applicable
for
assurance
continuity
by
JISEC.
Also,
1. Introduction
2. Description of Changes
3. Affected Developer Evidence
4.
Description
of
Developer
Evidence Modifications
5. Conclusion
6. Annex.
(Updated Developer
Documentation)
2007-12-11
Author:
Name of TOE:
Version of TOE:
Rev. 3
Developer:
C00XX
Name of Product:
Name of TOE:
Version of TOE:
Rev. 2
There is no PP to be conformed.
In the event that there are numerous small bug fixes that do not involve
specification changes, it is acceptable to describe the overall purpose in this
section
(boundary
value
issues
in
the
implementation,
performance
Type of
Change
Overview
Details
S2-1 Performance Improving auto The boot routine program was changed,
improveme
nt
event
of network
release
and
network
authentication
failures
descriptions
describe
changes
made
to
the
development
nt security
Changes to
equipment for
equipment
controlling
entry to the
development
environment
for
were
entry
no
control
changes
to
to
the
entry
procedures, etc.
d. Changes to the IT environment
Describe the changes to the IT environment for the certified TOE. This
environment includes hardware, firmware, and software requiring security
functions which are subject to evaluation such as external services that the
TOE depends on, among others. It also includes all hardware, firmware, and
software constituting the TOE operational environment.
E2- Operatin
1
Additions to
operating
hardwar
hardware
e
(3) Affected Developer Evidence
Identify all developer evidence that were used in evaluating the certified TOE
and which will require changes or additions. Developer evidence refers to all
elements used as useful input in assisting the evaluator in evaluating the
certified TOE. Specifically, it refers to documentation required to be submitted
or necessary for the implementation of developer action elements which are
identified in each assurance element of the security assurance components of
CC Part 3.
Developers shall determine which developer evidence to update according to
the changes made to the TOE and environment indicated in the previous
description of changes. This determination shall employ a systematic method
which considers the respective assurance components of certified TOE. This
section shall list only the identification of developer evidences to be updated.
The impact on each assurance component shall be determined with reference to
chapter 3 Performing Impact Analysis in the Assurance Continuity Guideline
for Information Technology Security Certification. For example, there are
methods such as identifying the details of developer evidence associated with
each developer action element as shown in the table below, and confirming
their impact.
Developer
Action Elements
Developer Documentation
ASE_CCL.1
ATE_FUN.1
Of the developer evidences identified, this section calls for listing only those
which need to be updated as affected developer evidence. How these changes
are associated with the assurance scope of the certified TOE and what impacts
they have are described in the next section.
(4) Description of Developer Evidence Modifications
Describe an overview of the changes to all developer evidence identified in
(3) Affected Developer Evidence. While it is not necessary to provide a
detailed description of changes to developer evidence, describe clearly and
concisely what was changed, why, and how it was changed.
There are no common standards for judging how changes to certified TOE
affect TOE assurance. A minor change could affect every aspect of assurance.
Conversely, many modifications to a TOE may have minor impact on the
assurance of TOE. In updating identified developer evidence, developers can
judge what kinds of updates within the assurance scope of certified TOE are
necessary by considering the content and presentation elements which
correspond to these developer action elements. For example, AGD_PRE.1.2C
states that the preparative procedures shall describe all the steps necessary
for secure installation of the TOE and for the secure preparation of the
operational environment in accordance with the security objectives for the
operational environment as described in the ST. In other words, changes to the
applicable descriptions in ST are required to be consistent with TOE acceptance
and installation procedures. Regarding changes to certified TOE, developers can
systematically determine the assurance scope and impact, by considering how
to
update
developer
evidence
from
the
perspective
of
satisfying
the
No
Content of Changes
Number
S1-1(F)
Location of
Change
2.1.2
2.5
[4]
S2-1(F)
3.1.1
A.3
displayed
by
the
script
accurately
reflects
the
functional
There
are
no
operations
interrupted
ADV_FSP.2
2(G).1
AGD_OPE.1
during
the
time
from
service
Bibliography
1)
2)
Item
Items to be Checked
Numbe
Judgemen
1.1
EAL
1-4
1.2
Yes
No
1-4
1.3
Yes
No
If the TOE name has been changed, the name of the changed
TOE shall reflect the TOE functionality and evaluation scope
expected by consumers which are described in TOE Overview
and TOE Description in the ST for the certified TOE.
Yes
No
1-4
Item
Items to be Checked
Numbe
Judgemen
1.4
EAL
1-4
1-4
document.
2-4
1-4
configuration items.
3-4
1-4
No
1.5
Changes/additions
exist
in
the
ST
descriptions,
with
the
1-4
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
2.1
- Addendum 1 -
1-4
Item
Items to be Checked
Numbe
Judgemen
EAL
2-4
2-4
No
2.2
2-4
certified TOE:
No
2.3
certified TOE:
No
2.4
- Addendum 2 -
2-4
Item
Items to be Checked
Numbe
Judgemen
EAL
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
2.5
No
3.1
1-4
No
3.2
1-4
No
3.3
- Addendum 3 -
1-4
Item
Items to be Checked
Numbe
Judgemen
EAL
creation:
No
4.1
1-4
2-4
constituent items.
as
evaluation
evidence
for
certified
TOE
assurance requirements.
3-4
No
4.2
1-4
delivery
procedures
for
security
maintenance.
Yes
Changes
may
have
exceeded
continuity.
- Addendum 4 -
the
scope
of
assurance
Item
Items to be Checked
Numbe
Judgemen
t
No
4.3
EAL
3-4
development environment:
Control
of
physical
access
to
the
development
Responsible
persons
and
roles
of
security
measure
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
4.4
3-4
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
4.5
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
4.6
ALC_FLR
When
TOE security that had been evaluated for the certified TOE:
- Addendum 5 -
applicabl
e
Item
Items to be Checked
Numbe
Judgemen
EAL
Procedures
for
providing
users
with
information
of
Yes
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
5.1
1-4
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
5.2
1-4
No
6.1
1-4
Changes
may
have
exceeded
the
scope
of
assurance
continuity.
No
[Procedure 2]
Consider re-evaluation with reference to the supplementary explanations for the
relevant item numbers. If it is determined that re-evaluation is not necessary, keep in
mind to describe the analysis as the rationale for this claim in the Impact Analysis
Report, and resume procedure 1 checking.
- Addendum 6 -
Item
Numbe
r
1.1
TOE for which more than 5 years have passed since certification are not
applicable for JISEC assurance continuity.
1.2
If the names and versions for the certified TOE and the changed TOE are
different or there are operation platform additions, it is necessary that
consumer understandable descriptions relating to points of change is
possible. For example, in the following cases, it is necessary to consider
actions such as changing the versions of certified TOE and changed TOE or
providing means of identification:
Although
there
are
additions
to
the
TOE
operation
1.4
- Addendum 7 -
Item
Numbe
r
or on assurance, return to Procedure 1 to resume checking and conduct a
more detailed check.
1.5
Consistency with the ST is also essential to the changed TOE. Although TOE
name changes and identifiers and update information in accordance with ST
updates in many cases do not affect security items, if changes are made to
assumptions,
threats,
OSP,
functional
requirements,
and
assurance
- Addendum 8 -
Item
Numbe
r
2.1
2.2
2.3
- Addendum 9 -
Item
Numbe
r
modules may differ due to algorithm and implementation changes (change
from local variables to global variables), even if the functions realised are
the same.
Even for changes to modules claimed as non-SFR-enforcing, re-evaluation
will be necessary to determine that they are evaluated as non-SFRenforcing.
2.4
2.5
3.1
3.2
- Addendum 10 -
Item
Numbe
r
and to detect unsecure situations.
In the event of changes to management command usage conditions, user
procedures during resource access, policies relating to backup frequency
and password quality which are required for secure TOE utilisation; changes
to various messages and default values of configuration files of the security
interfaces necessary for the management and the secure use of resources;
and changes to the safe mode operations required when failures or securityrelated events occur and to account management of personnel who have
left, it will be necessary to evaluate whether this content is clearly and
rationally explained to users in guidance documents, etc. and that they are
consistent
with
the
operation
environment
described
in
functional
Providing TOE identification will assure that consumers are using appropriate
TOE (evaluated TOE). If this means is changed, evaluation to assure use of
appropriate TOE will be required.
Identification and management (traceability) of each element constituting
the TOE assures that the development and modification procedures for TOE
are appropriate. For example, if a modified source code becomes a
component of a TOE version different from the previous version, and
procedures and privileges for managing components are clear, and TOE is
operated accordingly such that the which TOE the component constitutes
could be traced, unintended design implementations could be prevented
from slipping in during the development process.
Regarding identification of evaluation evidence of assurance requirements,
based on assurance requirements employed for the certified TOE, functional
specifications, source code, tools used in development, security flaw report
records, etc. will be subject.
With respect to any of these changes, changes to the identifiers of relevant
elements are evaluated processes and are not problematic. Furthermore, if
changes to tools involve bug-fixing, etc., analysis shall be conducted to
confirm that those modifications have no impact.
4.2
- Addendum 11 -
Item
Numbe
r
seals to enable consumers to confirm the presence/absence of tampering,
and methods to maintain confidentiality involve encrypting data, and
sending a key to consumers through a separate route. If these procedures,
means, or functions are changed, re-evaluation will be necessary to confirm
that procedures necessary to maintain the security of changed TOE are
provided.
However, if changes to applied means consist of security seal designs and
verification tool versions, and no substantial changes to procedures and
means (functions) exist, analysis shall be conducted to confirm that changes
do
not
have
an
impact.
Furthermore,
note
that
responsibility
of
4.4
- Addendum 12 -
Item
Numbe
r
4.5
4.6
Certified TOE provides assurance that, in the event that a security problem
is discovered in the TOE, developers are able to share and trace details and
response status, and procedures are established to provide necessary
related information to users. If changes exist in these procedures, it shall be
determined
that
assurance
is not
maintained,
and
re-evaluation
is
necessary.
For example, if user notifications relating to bug fixes are changed from
direct mail to Web publication, re-evaluation will be necessary to confirm
that procedures, guidance etc. to ensure that users obtain this information
are appropriate.
Note that this check will only be applicable if assurance class ALC_FLR is
claimed as the assurance scope for the certified TOE.
- Addendum 13 -
Item
Numbe
r
5.1
5.2
6.1
- Addendum 14 -