[2600] Call for comments: minimum set of audit requirements for FoPPs



In the current (28a) draft of the FPP, auditing is required but there are
no specific events that are required. Instead, there is a list of
recommended items in a PP application note. Several CC people have
suggested that we should specify a minimum set of events that must be
audited, and then we can also recommend others if we want to.

This is particularly important in Environments A and B, because one of the
distinguishing features of Environment A is that it is intended for
situations where information may be subject to regulations like HIPAA.

In general, we have the following choices for specifying audit
requirements:

(1) We can choose one of the standard CC sets. They are "minimal",
"basic", and "detailed". I think that everyone will agree that "detailed"
is more than we want to specify for any of our environments, so the only
realistic choices are "minimal" or "basic". We would specify this choice
in the SFR FAU_GEN.1.1 and not make any further recommendations.

(2) We can choose one of those two standard sets, and make additional
requirements or recommendations for events that are not included in the
standard set. To make additional requirements, we would put them in
FAU_GEN.1.1. To make optional recommendations, we would put them in a PP
application note. As a practical matter, we would probably choose
"Minimal" as our standard set and choose additional requirements or
recommendations for events that appear in the "Basic" set.

(3) We can choose "Unspecified" in the FAU_GEN.1.1 SFR, make specific
requirements in FAU_GEN.1.1, and possibly make optional recommendations in
a PP application note. If we choose this option, we will probably be
choosing specific requirements and recommendations from the "Minimal" set.
HOWEVER, if I understand it correctly, the IPA said that if we put
"Unspecified" in our PP, then the ST author may need to justify why they
have not used one of the standard sets, and so we would probably want to
write that justification in the PP.

SO... Please refer to this spreadsheet:
http://grouper.ieee.org/groups/2600/presentations/Bellevue/audit-recommendations-28a.xls

The rows are for SFRs that have items that represent events which might be
auditable. The first column identifies the SFR. The second and third
columns summarize the events that are recommended for "Minimal" and
"Basic" auditability, respectively. The remaining columns show which TOEs
contain the SFRs and in which environments they apply. 

Note that when an SFR appears in an environment, that does not necessarily
mean that we must audit its events. In particular, we have decided that
Environment D will not have any audit requirements at all, and unless we
change that decision, none of the audit SFRs (including the one listed in
this spreadsheet) will be included in its FPP.

Please keep in mind that the audit requirements we choose will apply to
HCDs with or without disk storage, and so space for audit logs may be a
concern. Talk to your developers!


HERE IS MY REQUEST:

Please look at the choices (1) (2) and (3) above and think about which you
think would be best for each environment. If you think that we should make
some specific requirements or recommendations, decide which if any should
be required and which if any should be optional. It is OK to make
different choices for each environment, but please use the same basic
choice (1) (2) or (3) for all TOEs in a given environment. Send your
comments to me and I will try to collate them into some manageable form
for discussion at the Bellevue meeting.

My recommendations?

I haven't thought it all through, but perhaps we should consider Minimal/+
for A, Minimal for B, Unspecified/+ for C, and Unspecified/none for D.

Regards,
--
Brian Smithson
Project Manager
PMP, SSCP, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435