ISO/IEC 21827
ISO/IEC 21827:2002(E)
acceptable level of confidence that the system security measures are adequate to manage the security risk. Effective management of the assurance related activities is achieved through the development and enactment of a security assurance strategy. Early identification and definition of assurance related requirements is essential to producing the necessary supporting evidence. Understanding and monitoring the satisfaction of customer assurance needs through continuous external coordination ensures a high quality assurance package.
7.6.3.2 Example Work Products
• security assurance strategy - describes the plan for meeting the customer's security assurance objectives and identifies the responsible parties.
7.6.3.3 Notes
The security assurance strategy is coordinated with all affected internal engineering groups and external groups (e.g., customer, systems security certifier, or user) as defined in PA09 Coordinate Security.
7.6.4 BP.06.03 - Control Assurance Evidence
Identify and control security assurance evidence.
7.6.4.1 Description
Security assurance evidence is gathered as defined in the security assurance strategy through interaction with all security engineering process areas to identify evidence at various levels of abstraction. This evidence is controlled to ensure currency with existing work products and relevancy with security assurance objectives.
7.6.4.2 Example Work Products
• security assurance evidence repository (e.g., database, engineering notebook, test results, evidence log) - stores all evidence generated during development, testing, and use. Could take the form of a database, engineering notebook, test results, or evidence log.
7.6.4.3 Notes
Assurance work products can be developed from the system, architecture, design, implementation, engineering process, physical development environment, and physical operational environment.
7.6.5 BP.06.04 - Analyse Evidence
Perform analysis of security assurance evidence.
7.6.5.1 Description
Assurance evidence analysis is conducted to provide confidence that the evidence that is collected meets the security objectives, thus satisfying the customer's security needs. An analysis of the assurance evidence determines if system security engineering and security verification processes are adequate and complete enough to conclude that the security features and mechanisms are satisfactorily implemented. Additionally, the evidence is analysed to ensure that the engineering artifacts are complete and correct with respect to the baseline system. In the event of insufficient or inadequate assurance evidence, this analysis may necessitate revisions to the system, security work products and processes that support the security objectives.
7.6.5.2 Example Work Products
• assurance evidence analysis results - identifies and summarizes the strengths and weaknesses of evidence in the repository.
7.6.5.3 Notes
Some assurance evidence can only be generated from a consolidation of other system engineering artifacts or inferred
© ISO/IEC 2002 – All rights reserved