ISO/IEC 21827
ISO/IEC 21827
ISO/IEC 21827
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>ISO</strong>/<strong>IEC</strong> <strong>21827</strong>:2002(E)<br />
7.6.1.2 Goals<br />
• The work products and processes clearly provide the evidence that the customer's security needs have been<br />
met.<br />
7.6.1.3 Base Practice List<br />
BP.06.01<br />
BP.06.02<br />
BP.06.03<br />
BP.06.04<br />
BP.06.05<br />
Identify the security assurance objectives.<br />
Define a security assurance strategy to address all assurance objectives.<br />
Identify and control security assurance evidence.<br />
Perform analysis of security assurance evidence.<br />
Provide a security assurance argument that demonstrates the customer's security needs are<br />
met.<br />
7.6.1.4 Process Area Notes<br />
Activities involved in building an assurance argument include managing the identification, planning, packaging, and<br />
presentation of security assurance evidence.<br />
7.6.2 BP.06.01 - Identify Assurance Objectives<br />
Identify the security assurance objectives.<br />
7.6.2.1 Description<br />
Assurance objectives as determined by the customer, identify the level of confidence needed in the system. The system<br />
security assurance objectives specify a level of confidence that the system security policy is enforced. Adequacy of the<br />
objectives is determined by the developer, integrator, customer, and those who will approve the operation of the system,<br />
if any.<br />
Identification of new, and modification to existing, security assurance objectives are coordinated with all security-related<br />
groups internal to the engineering organization and groups external to the engineering organization (e.g., customer,<br />
systems security certifier, user).<br />
The security assurance objectives are updated to reflect changes. Examples of changes requiring a modification in<br />
security assurance objectives include changes in the level of acceptable risk by the customer, system security certifier,<br />
or user, or changes in the requirements or interpretations of the requirements.<br />
Security assurance objectives must be communicated so as to be unambiguous. Applicable interpretations are included<br />
or developed if necessary.<br />
7.6.2.2 Example Work Products<br />
• statement of security assurance objectives - identifies the customer's requirements for the level of confidence<br />
needed in a system's security features.<br />
7.6.2.3 Notes<br />
In cases where a specific claim is not mandated, it is helpful if the assurance objectives can be stated or related to a<br />
specific assurance claim to be achieved or met. This helps to reduce misunderstandings and ambiguity.<br />
7.6.3 BP.06.02 - Define Assurance Strategy<br />
Define a security assurance strategy to address all assurance objectives.<br />
7.6.3.1 Description<br />
The purpose of a security assurance strategy is to plan for and ensure that the security objectives are implemented and<br />
enforced correctly. Evidence produced through the implementation of a security assurance strategy should provide an<br />
38 © <strong>ISO</strong>/<strong>IEC</strong> 2002 – All rights reserved