ISO/IEC TECHNICAL REPORT TR 15443-1
Second edition 2012-11-15

Information technology
Security techniques
Security assurance framework
Part 1: Introduction and concepts

Technologies de l'information
Techniques de sécurité
Assurance de la sécurité cadre
Partie 1: Introduction et concepts

Reference number ISO/IEC TR 15443-1:2012(E)
© ISO/IEC 2012

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail [email protected]
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated Terms
5 Concepts of security assurance
5.1 Security assurance
5.2 Assurance is distinguishable from confidence
5.3 The need for security assurance
5.4 Security assurance is intangible
5.5 Security assurance reduces security risk
5.6 Security assurance provided is related to the effort expended
5.7 Security assurance does not improve the product
5.8 Security assurance stakeholders
5.8.1 Those requiring confidence in SACA results
5.8.2 Approval and assurance authorities
5.9 Security assurance pervasiveness
5.9.1 Pass-through security assurance
5.9.2 Boundaries of deliverables
5.9.3 Transfer of deliverables
5.10 Organisational aspects of SACA
6 The structure of security assurance
6.1 Security assurance requirements specification
6.2
6.2.1 Developing a security assurance case
6.2.2 Communicating a security assurance case
6.3 Security assurance evidence
6.4 Security assurance claims
6.5 Security assurance arguments
7 SACA techniques
7.1 Techniques
7.1.1 Effectiveness (or evaluation)
7.1.2 Correctness (or conformance)
7.1.3 Predictive assurance
7.2 Selecting security assurance techniques
7.2.1 Optimisation considerations
8 SACA methods
8.1 Security Assurance Conformity Assessment (SACA) Methods
8.1.2 The composition of a security assurance conformance assessment method
8.1.3 Methods specific to security assurance
8.1.4 Methods not specific to security assurance
8.2 Approaches of SACA methods
8.2.1 Approach types
8.2.2 Combining approaches
8.3 Coverage of life cycle phases
8.3.1 Security assurance conformity assessors
8.3.2 Efficiency of a SACA method

PDF document: ISO IEC TR 15443-1 2012 Information technology — Security techniques — Security assurance framework — Part 1 Introduction and concepts

This document was uploaded and shared by 人生无常 on 2024-08-31 16:41:19.