Security Target
In an IT product certification process according to the Common Criteria (CC),
a Security Target (ST) is the central document, typically provided by the developer of the product,
that specifies security evaluation criteria to substantiate the vendor's claims for the product's security properties.

An ST defines information assurance security requirements for the given information system product,
which is called the Target of Evaluation (TOE).
An ST is a complete and rigorous description of a security problem in terms of TOE description, threats, assumptions, security objectives, security functional requirements (SFRs), security assurance requirements (SARs), and rationales. The SARs are typically given as a number 1 through 7 called Evaluation Assurance Level (EAL), indicating the depth and rigor of the security evaluation, usually in the form of supporting documentation and testing, that the product meets the SFRs.

An ST contains some (but not very detailed) implementation-specific information that demonstrates how the product addresses the security requirements.
It may refer to one or more Protection Profiles (PPs). In such a case, the ST must fulfill the generic security requirements given in each of these PPs, and may define further requirements.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 