Standard number: ISO/IEC TR 15443-2:2005

Chinese title (translated): Information technology - Security techniques - Evaluation criteria for IT security - Part 2: (Quality) assurance methods

English title: Information technology — Security techniques — A framework for IT security assurance — Part 2: Assurance methods

Publication date: 2005-09

Scope

1.1 Purpose

This part of ISO/IEC TR 15443 provides a collection of assurance methods, including those not unique to ICT security as long as they contribute to overall ICT security. It gives an overview as to their aim and describes their features, reference and standardization aspects.

In principle, the resultant ICT security assurance is the assurance of the product, system or service in operation. The resultant assurance is therefore the sum of the assurance increments obtained by each of the assurance methods applied to the product, system or service during its life cycle stages. The large number of available assurance methods makes guidance necessary as to which method to apply to a given ICT field to gain recognized assurance.

Each item of the collection presented in this part of ISO/IEC TR 15443 is classified in an overview fashion using the basic assurance concepts and terms developed in ISO/IEC TR 15443-1.

Using this categorization, this part of ISO/IEC TR 15443 guides the ICT professional in the selection, and possible combination, of the assurance method(s) suitable for a given ICT security product, system, or service and its specific environment.

1.2 Field of Application

This part of ISO/IEC TR 15443 gives guidance in a summary and overview fashion. It is suitable for obtaining from the presented collection a reduced set of applicable methods to choose from, by way of exclusion of inappropriate methods.

The summaries are informative and provide the basics needed to understand the analysis without requiring the source standards.

Intended users of this part of ISO/IEC TR 15443 include the following:

1. acquirer (an individual or organization that acquires or procures a system, software product or software service from a supplier);
2. evaluator (an individual or organization that performs an evaluation; an evaluator may, for example, be a testing laboratory, the quality department of a software development organization, a government organization or a user);
3. developer (an individual or organization that performs development activities, including requirements analysis, design, and testing through acceptance during the software life cycle process);
4. maintainer (an individual or organization that performs maintenance activities);
5. supplier (an individual or organization that enters into a contract with the acquirer for the supply of a system, software product or software service under the terms of the contract) when validating software quality at qualification test;
6. user (an individual or organization that uses the software product to perform a specific function) when evaluating quality of the software product at acceptance test;
7. security officer or department (an individual or organization that performs a systematic examination of the software product or software services) when evaluating software quality at qualification test.

1.3 Limitations

This part of ISO/IEC TR 15443 gives guidance in an overview fashion only. ISO/IEC TR 15443-3 provides guidance to refine this choice for better resolution of assurance requirements, enabling a review of their comparable and synergetic properties.

The regulatory infrastructure to support verification of an assurance approach, and the personnel to perform verification, are outside the scope of this part of ISO/IEC TR 15443.
