ANSI ISO IEC 15292-2001 Information technology Security techniques Protection Profile registration procedures (Adopted by INCITS)《信息技术.安全技术.被IMCITS采用的保护轮廓注册程序》.pdf

1、 Reference numberISO/IEC 15292:2001(E)ISO/IEC 2001INTERNATIONAL STANDARD ISO/IEC15292First edition2001-12-15Information technology Security techniques Protection Profile registration procedures Technologies de linformation Techniques de scurit Procdures denregistrement du profil de protection Adopte

2、d by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 8/29/02Published by American National Standards Institute,25 West 43rd Street, New York, New York 10036Copyright 2002 by Information Technology Industry Council (ITI).Al

3、l rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council(ITI). Not for resale. No part of this publi

4、cation may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washington, DC 20005.Printed in the United States of AmericaISO/IEC 15292:2001(E) PDF di

5、sclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, partie

6、s accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to

7、 the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2001

8、 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the count

9、ry of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web www.iso.ch Printed in Switzerland ii ISO/IEC 2001 All rights reserved ISO/IEC 15292:2001(E) ISO/IEC 2001 All rights reserved iiiContents1 Scope 12 Norma

10、tive references . 13 Terms and definitions. 14 Abbreviations 35 Technical Specifications 35.1 Entry label 35.2 Technical definition (within a register entry) 36 The JTC 1 Registration Authority for PPs and packages . 46.1 Appointment. 46.2 Qualifications. 46.3 Contract 46.4 Duties 47 Criteria for el

11、igibility of applicants for registration . 58 Information to be included within an application for registration . 59 Steps involved in review and response to an application 79.1 Initial processing . 79.2 Validation 710 Criteria for rejection of applications for registration 811 Operation of the regi

12、ster 811.1 Notification of obsolescent entries . 811.2 Update of draft technical specifications . 811.3 Routine review of entries 811.4 Defect notification . 911.5 Other requests for update of entries . 911.6 Deletion of register entries. 1012 Maintenance of the register . 1013 Confidentiality of in

13、formation held within the register . 1014 Publication of the register 1015 Appeals procedure 12Annex A (informative) Benefits of registration. 13Annex B (informative) Lifecycle of a register entry 14Foreword ISO (the International Organization for Standardization) and IEC (the International Electrot

14、echnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical

15、 activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical

16、committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circula

17、ted to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. ISO and IEC shall

18、not be held responsible for identifying any or all such patent rights. ISO/IEC 15292 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques. Annexes A and B of this International Standard are for information only. ISO/IEC 15292:2001(E

19、) iv ISO/IEC 2001 All rights reserved INTERNATIONAL STANDARD ISO/IEC 15292:2001(E)Information technology Security techniques Protection Profile registration procedures 1 Scope This International Standard defines the procedures to be applied by the JTC 1 Registration Authority appointed by the ISO an

20、d IEC councils to maintain a register of Protection Profiles and packages for the purposes of IT security evaluation. These Protection Profiles and packages are specified in accordance with criteria given in ISO/IEC 15408. 2 Normative references The following normative documents contain provisions w

21、hich, through reference in this text, constitute provisions of this International Standard. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this International Standard are encouraged to investigate the p

22、ossibility of applying the most recent editions of the normative documents indicated below. For undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain registers of currently valid International Standards. ISO 15408-1, Information technol

23、ogy Security techniques Evaluation criteria for IT security Part 1: Introduction and general model ISO 15408-2, Information technology Security techniques Evaluation criteria for IT security Part 2: Security functionality requirements ISO 15408-3, Information technology Security techniques Evaluatio

24、n criteria for IT security Part 2: Security assurance requirements Procedures for the technical work of ISO/IEC JTC 1 ISO/IEC/ITU ITSIG Guide for the use of IT in the development and delivery of standards 3 Terms and definitions For the purposes of this International Standard, the following terms an

25、d definitions apply. 3.1 applicant an entity (organisation, individual etc.) which requests the assignment of a register entry and entry label ISO/IEC 2001 All rights reserved 12 ISO/IEC 2001 All rights reserved 3.2certificatea declaration by an independent authority operating in accordance with ISO

26、 Guide 58, Calibration andtesting laboratory accreditation systems - General requirements for operation and recognition, confirmingthat an evaluation pass statement is valid3.3entry labelthe naming information that identifies a registered PP or package uniquely3.4evaluation pass statementa statement

27、 issued by an organisation that performs evaluations against ISO/IEC 15408 confirming that aPP has successfully passed assessment against the evaluation criteria given in clause 4 of Part 3 of thatInternational Standard3.5JTC 1 Registration Authorityan organisation appointed by the ISO and IEC counc

28、ils to register objects in accordance with a JTC 1procedural Standard3.6packagea reusable set of either functional or assurance components combined together to satisfy a set of identifiedsecurity objectives (from ISO/IEC 15408-1)3.7Protection Profilean implementation-independent set of security requ

29、irements for a category of IT products or systems thatmeet specific consumer needs (adapted from ISO/IEC 15408-1)3.8registera set of files (electronic, or a combination of electronic and paper) containing entry labels and theirassociated definitions and related information3.9register entrythe inform

30、ation within a register relating to a specific PP or package3.10registrationthe process of assigning a register entry3.11Security Targeta set of security requirements and specifications to be used as the basis for evaluation of an identified ITproduct or system (adapted from ISO/IEC 15408-1)3.12spon

31、soran entity (organisation, individual etc.) responsible for the content of a register entryISO/IEC 15292:2001(E) ISO/IEC 2001 All rights reserved 34 AbbreviationsITTF Information Technology Task Force (of ISO/IEC)PP Protection ProfileRA Registration AuthoritySC JTC 1 SubcommitteeST Security Target5

32、 Technical Specifications5.1 Entry labelEvery PP or package registered in accordance with this International Standard shall have an entry labelassigned by the JTC 1 RA that uniquely identifies that PP or package within the register. The entry labelshall be made up of the following elements, separate

33、d by dashes:- Entry Type- Registration Year- Registration Number.The Entry Type shall be PP for a protection profile, AP for an assurance package or FP for a functionalpackage.The Registration Year shall be the four digit representation of the year when the entry was registered.The Registration Numb

34、er shall be a four digit sequentially assigned identification number, starting each yearfrom 0001.EXAMPLE PP-2001-0001.5.2 Technical definition (within a register entry)5.2.1 PPsEvery application for registration of a PP submitted for registration in accordance with this InternationalStandard shall

35、include a technical definition of the PP in question. This technical definition shall conform tothe content requirements for PPs contained within Annex B to ISO/IEC 15408-1 and shall conform to thestructural outline portrayed in Figure B.1 of ISO/IEC 15408-1.5.2.2 PackagesEvery application for regis

36、tration of a functional or assurance package submitted for registration inaccordance with this International Standard shall include a technical definition of the package. Thisdefinition shall contain:- a package overview that summarises the package in narrative form- a specification of a set of eith

37、er functional or assurance components.The package overview should be sufficiently detailed for a potential user of the package to determinewhether the package is of interest. It should be understandable without reference to the componentspecifications.ISO/IEC 15292:2001(E) 4 ISO/IEC 2001 All rights

38、reserved Components for functional packages shall be selected from ISO/IEC 15408-2 or shall be constructed andspecified in accordance with the specification requirements for functional components given within clause 2of ISO/IEC 15408-2.Components for assurance packages shall be selected from ISO/IEC

39、 15408-3 or shall be constructed andspecified in accordance with the specification requirements for assurance components given withinsubclause 2.1 of ISO/IEC 15408-3.The technical definition of a package may contain other descriptive information that might be relevant to theauthor of a PP or ST wish

40、ing to use or reference the package. This information shall be presented in theform of one or more named PP or ST sections as defined within Annexes B and C of ISO/IEC 15408-1. Theinformation should be suitable for direct incorporation within PPs or STs that make use of the package.6 The JTC 1 Regis

41、tration Authority for PPs and packages6.1 AppointmentThe JTC 1 RA for PPs and packages shall be appointed by the ISO and IEC councils in accordance with theprocedure for the appointment of JTC 1 Registration Authorities defined in the JTC 1 Directives.6.2 QualificationsAny organisation seeking appoi

42、ntment as the JTC 1 RA for PPs and packages shall demonstrate that itmeets the qualifications required of JTC 1 RAs as defined in the JTC 1 Directives, with the followingamendments:- it shall confirm its agreement to function as an RA for a minimum of 5 years;- it shall confirm that it has sufficien

43、t equipment resources and communication facilities to operate anInternet web site in support of this International Standard;- it shall confirm that on termination of its appointment, it will transfer its register and all supportingdocumentation at no cost to another organisation designated by the IS

44、O and IEC councils.6.3 ContractThe JTC 1 RA for PPs and packages shall operate under contract with the ITTF. Upon twelve-monthsnotice, either the RA or the ITTF may terminate the contract.NOTE The contract has no fixed time limit. Although the organisation appointed as the JTC1 RA will have committe

45、dto function as the RA for a minimum of 5 years from the date of first appointment, circumstances canchange. This subclause permits the RA to resign from its duties at any time, including before the 5 yearsis complete, provided that the twelve months notice is given.6.4 DutiesThe JTC 1 RA for PPs an

46、d packages shall:- receive applications for the registration of PPs and packages;ISO/IEC 15292:2001(E) ISO/IEC 2001 All rights reserved 5- review applications for the registration of PPs and packages;- assign unique entry labels to PPs and packages added to the register;- inform applicants for regis

47、tration of the results of their applications;- inform sponsors of the results of actions relating to their register entries;- maintain an accurate register;- make public access to all register entries available at no cost via the world wide web and provideprinted details of register entries on deman

48、d, in return for payment of a fee if required;- publish details of its fee structure, if it operates on such terms;- handle all aspects of the registration process in accordance with good business practice;- provide an annual summary report on its activities to JTC 1, ITTF and the SC responsible for thisInternational Standard;- adhere to the procedure for appeals contained within clause 15 of this International Standard;- maintain a copy of the register in the English language;- handle all correspondence relati