© Crown Copyright (2000) Module 3.2 Evaluation Management
You Are Here M3.1 Evaluation Process M3.2 Evaluation Management MODULE 3 - SCHEME RULES AND PROCEDURES
Evaluation Management
Preparation Phase
Conduct Phase
Conclusion Phase
Preparation Phase - Inputs
Definition of Target of Evaluation
–Scope, boundaries, interfaces, composites, etc.
What evaluation level is required?
Technical expertise required?
(Diagram labels: Evaluation Planning, TOE)
Preparation Phase - Suitability
CLEF/CB may review ST for suitability
Check Sponsor and Developer have full understanding of:
–the evaluation process
–the role of the CLEF
–their responsibilities throughout evaluation
Preparation Phase - TIN
May be combined with EWP
Task Identification
Sponsor and Developer Details
Description of TOE
Summary of Security Requirements
Timescales
Staffing
Contacts
Preparation Phase - EWP
May be combined with TIN
Evaluation methodology
–CEM/ITSEC
–Interpretations
Evaluation effort for each activity
Constraints
Limitations
Preparation Phase - UKSP06 Entry & CB Questionnaire UKSP06
Task Start-up Meeting Objective Attendees Timing Agenda
Preparation Phase - Outputs Evaluation Planning EWP TIN UKSP 06 Entry Security Target CB Questionnaire
Conduct Phase - Inputs Task Conduct TIN / EWP TOE Deliverables Security Target Deliverables Schedule
Conduct Phase - Reporting Progress
Evaluation Progress Meeting (EPM)
ETR Production
–Draft annexes (activity reports, glossary, list of deliverables etc.)
Observation Report Status Register
Evaluation Progress Meetings Objective Attendees Timing Agenda
Observation Report Status - 1
AGR - Corrective Action Agreed
CAP - Certifier Action Pending
CLR - Cleared
FIX - Fix to be evaluated by CLEF
ISS - Issued to the Certifier
Observation Report Status - 2
PRO - Corrective Action Proposed
REJ - Corrective Action Rejected
REL - Released to the Sponsor / Developer
WDN - Problem Report Withdrawn
Conduct Phase - Observation Reports
Content (Level 1 and Level 2)
–Identifier
–Severity Level
–Evaluation Activity where raised
–Observation
–Organisation responsible for resolution
–Timescale for resolution
Conduct Phase - Issues
Maintain Independence
Comply with UKAS Requirements
Comply with Methodology Requirements
Conduct Phase - Outputs Task Conduct Work Package Reports Observation Reports Scheme Observation Reports
Conclusion Phase
Evaluation Technical Report (ETR)
Certificate and Certification Report
Task Closedown
Assurance Maintenance (CMS) Additional Evaluation Task See Module 2.8 for more details
ITSEC v. CC
Main difference is work breakdown
ITSEM/UK SP 05 specify mandatory requirements
CEM defines Work Units
Summary
Three phases to Evaluation Management
–Preparation Phase
–Conduct Phase
–Conclusion Phase
Covers whole evaluation
Terminology difference between ITSEC & CC
Further Reading
UKSP 01
UKSP 04 Part 1
UKSP 05 Part 1
CEM Part 2, Chapter 2
Exercise - Planning
Given the ITT on the handouts, please prepare a TIN and EWP for the task