Tuesday, January 30, 2018

Template of Impact Analysis Report


Impact Analysis Report
 
 
 
Version: draft
31st January,2018
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Table of Contents
 
1. Introduction............................................................................................................................ 2
2. Glossary................................................................................................................................. 2
3. Determination of Assurance Continuity Application............................................................ 2
4. Impact Analysis Report Preparation..................................................................................... 3
(1) Introduction......................................................................................................................... 4
(2) Description of Changes....................................................................................................... 4
(3) Affected Developer Evidence.............................................................................................. 6
(4) Description of Developer Evidence Modifications................................................................ 7
(5) Conclusion.......................................................................................................................... 8
(6) Appendix........................................................................................................................... 10
5. Examination of the Impact Analysis Report....................................................................... 11
 
 
 
 
 
 
 
 
 
 
 
 
 
 

1. Introduction

This document should be used as a reference when considering application for assurance continuity. It contains viewpoints in determining whether changes to TOE are within the scope of assurance continuity, and cites examples of the contents of an “Impact Analysis Report” necessary for assurance continuity application.
 

2. Glossary

The meanings of terms used in this guidance document are equivalent to those used in “Assurance Continuity Guideline for Information Technology Security Certification.” The following are the meanings of main terms:
Certified TOE
The TOE version which has been evaluated and for which a “certificate” has already been issued.
Changed TOE
A version of TOE different from a certified TOE resulting from changes being applied to a certified TOE.
Developer Documentation
All necessary items describing the content of changes of a changed TOE with regard to a certified TOE. The items must be usable for verification.

3. Determination of Assurance Continuity Application

“Changes” made to a certified TOE subject to assurance continuity are not intended to apply to new products and functions derived from a certified TOE. Within the scope of security function specifications that had been evaluated for the certified TOE, only those “changes” for which, without requiring a third-party evaluation, developers (applicants) on their own responsibility can verify and claim that assurance will not be adversely affected will be applicable for assurance continuity. Such changes would include corrections to software and guidance defects or operational environment additions which do not incur changes to TOE functions.
There are no absolute indicators for judging whether “changes” to a certified TOE have a major effect or minor effect on security, including examples mentioned herein. Basically, the conditions for assurance continuity are that the developer him/herself analyses that the assurance of a certified TOE is not changed and can declare as such along with the results of the analysis, and that the contents of documentation that had been employed in the evaluation of a certified TOE have not been changed semantically.
It is surmised that major impacts will arise from changes to security functions provided by TOE, security problem definitions and requirements on ST, and evaluated security procedures. On the other hand, it is thought that corrections of typographical errors in the guidance and object changes due to comment line additions which are not executed will have a minor impact. In many cases, however, the question of whether changes to a certified TOE have a major impact on security or a minor impact on security will be determined by developer analysis.
The determination of the impact that changes will have on security will be based on an understanding of the assurance scope of the certified TOE and claims based on developer analysis. If changes clearly do not affect the assurance scope of the certified TOE, the changed TOE will be applicable for assurance continuity. If changes clearly affect the assurance scope of the certified TOE, re-evaluation will be necessary if impact is major. If impact is minor, it will be necessary to make such a claim and compile an Impact Analysis Report. In all other cases (if impact of changes is not clear), developers should conduct impact analysis and judge the extent of impacts.
As a reference to determine whether changes adversely affect the assurance scope of the certified TOE, a “Checklist for Assurance Continuity Application” is provided as an addendum to this document. The checklist provides a general summary of the kinds of items that are evaluated and assured at each assurance level. Confirming the degree of relevance that changes have to the assurance scope before implementing a detailed impact analysis for each change will enable one decide on a re-evaluation without compiling an Impact Analysis Report or to focus on specific areas for in-depth analysis. Of course, when a re-evaluation is decided, since an Impact Analysis Report compiled by developers will be useful for evaluators, one can choose to compile an Impact Analysis Report irrespective of the scope of impact on security or application for assurance continuity.

4. Impact Analysis Report Preparation

If the developer judges that the changes do not adversely affect the assurance scope of the certified TOE, the developer will conduct analysis of the content of changes, and will examine the impact on security. To apply for assurance continuity, the results of impact analysis must be compiled into a report. The minimum contents which must be included in the Impact Analysis Report are indicated in chapter 4 of “Assurance Continuity Guideline for Information Technology Security Certification.”
The Impact Analysis Report will not be published by the certification body. It is also possible to include non-public information. The “assurance continuity maintenance report” which is published information relating to assurance continuity will be prepared by the certification body based on this Impact Analysis Report.
Examples and points to keep in mind when preparing the Impact Analysis Report are shown below according to the composition of the Impact Analysis Report. Note that description formats other than the composition of the chapters can be arbitrary, and do not need to follow the examples.
Figure 1: Composition of Impact Analysis Report

(1) Introduction

The introduction shall describe identification information for requisite materials. It may also contain information for which developers have determined as particularly requiring caution, such as the handling of the report.
1.1 Impact Analysis Report Identification
Name of Document:         JISEC Ewallet Type C Impact Analysis Report
Version of Document:      1.0.1
Creation Date:                 2007-12-11
Author:                            JISEC Co., Ltd. Author Name 1, Author Name 2
1.2 TOE Identification
Name of Product:             JIEC Ewallet Type C
Name of TOE:                 JISEC Ewallet SecureTrade
Version of TOE:               Rev. 3
Developer:                       JISEC Co., Ltd.
1.3 Certified TOE Identification
Certification No.:             C00XX
Name of Product:             JISEC Ewallet Type C/D
Name of TOE:                  JISEC Ewallet SecureTrade
Version of TOE:               Rev. 2
Evaluation Assurance Level: EAL3
PP Conformance:             There is no PP to be conformed.

(2) Description of Changes

The description of changes shall describe all changes made to the certified TOE. Regarding changes to the assurance scope of the certified TOE, all changes including those judged not to affect security shall be described. It is not necessary to include those items (package design, etc.) which are clearly unrelated to the scope of the assurance level. However, this does not mean that impact analysis will be confined to the scope of the assurance level. If necessary, the impact on the assurance level of the certified TOE shall be examined through analysis which extends beyond the assurance level.
The reason for changes, changes to products including TOE, changes to the development environment, and changes to the IT environment shall be described in the description of changes.
a. Purpose of changes
The description of changes shall first explain the background for why changes to the TOE became necessary. This section shall describe an overview of the changes with regard to the certified TOE. The details of each change will be described in subsequent sections.
2.1 Purpose of Changes
Additions to the guidance documentation relating to new operating hardware, functional improvements, and flaw remediation have been performed. The following is an overview of these changes:
1)  Guidance modifications in response to new Type D additions to JISEC Ewallet on which TOE operates. There are no changes to the TOE program itself due to these additions.
2)  Program modifications to shorten boot time as automatic reboot was taking too long in the event of authentication failures.
3)  Program modifications in response to an implementation bug in which log information becomes empty when the audit log reaches the specified capacity during log information acquisition and file renaming is conducted.
 
In the event that there are numerous small bug fixes that do not involve specification changes, it is acceptable to describe the overall purpose in this section (boundary value issues in the implementation, performance improvement, etc.) and to describe the contents of each change in subsequent sections.
b. Changes to products
These descriptions relate to changes made to certified TOE. Regarding the level of detail of these descriptions, the information included shall have sufficient precision for a third party (certification body) to be able to understand the developer’s impact analysis claims, and in some situations, to call for the submission of additional documentation that shall be required for the judgement of applicability of assurance continuity.
Clearly describe in the descriptions of the assurance scope of the certified TOE, where the changes were made (whether to the source code or to the procedure manual, etc.), why these changes were made, and specifically how they were changed. If the assurance level of the certified TOE was EAL2, it is sufficient to describe changes at the level of functional specifications; descriptions at the module or source code level will not be called for.
No.
Type of Change
Overview
Details
S2-1
 
Performance improvement
Improving auto reboot time in the event of authentication failures
The boot routine program was changed, and verification of TSF parameter values, network release and network restructuring conducted during booting are skipped if authentication failure flag is set and the system error flag is not set.
c. Changes to the development environment
These descriptions describe changes made to the development environment. All changes falling within the scope of assurance requirements for the certified TOE including those points judged to have a minor impact shall be listed. All changes, for example, such as changes to versions of TOE configuration items in configuration management, changes to the method of identifying configuration items, and changes to configuration management procedures, among others.
D3-1
 
Development security
Changes to equipment for controlling entry to the development environment
Employee cards were updated, and the equipment for entry control to the development room was changed from authentication using old employee cards (magnetic) to authentication using new employee cards (contactless IC cards). There were no changes to entry procedures, etc.
d. Changes to the IT environment
Describe the changes to the IT environment for the certified TOE. This environment includes hardware, firmware, and software requiring security functions which are subject to evaluation such as external services that the TOE depends on, among others. It also includes all hardware, firmware, and software constituting the TOE operational environment.
E2-1
 
Operating hardware
Additions to operating hardware
Additional operating assurances for “ISEC SS V.7”, OEM version of the operating hardware “JISEC SecureSwitch 07”.

(3) Affected Developer Evidence

Identify all developer evidence that were used in evaluating the certified TOE and which will require changes or additions. Developer evidence refers to all elements used as useful input in assisting the evaluator in evaluating the certified TOE. Specifically, it refers to documentation required to be submitted or necessary for the implementation of “developer action elements” which are identified in each assurance element of the security assurance components of CC Part 3.
Developers shall determine which developer evidence to update according to the changes made to the TOE and environment indicated in the previous description of changes. This determination shall employ a systematic method which considers the respective assurance components of certified TOE. This section shall list only the identification of developer evidences to be updated. The impact on each assurance component shall be determined with reference to chapter 3 “Performing Impact Analysis” in the “Assurance Continuity Guideline for Information Technology Security Certification.” For example, there are methods such as identifying the details of developer evidence associated with each developer action element as shown in the table below, and confirming their impact.
Developer
Action Elements
Developer Documentation
ASE_INT.1
JISEC SmartModule Security Target Version3.1
ST introduction
ASE_CCL.1
JISEC SmartModule Security Target Version3.1
Conformance claims
ATE_FUN.1
JISEC SmartModule Functional testing

Of the developer evidences identified, this section calls for listing only those which need to be updated as affected developer evidence. How these changes are associated with the assurance scope of the certified TOE and what impacts they have are described in the next section.

(4) Description of Developer Evidence Modifications

Describe an overview of the changes to all developer evidence identified in “(3) Affected Developer Evidence”. While it is not necessary to provide a detailed description of changes to developer evidence, describe clearly and concisely what was changed, why, and how it was changed.
There are no common standards for judging how changes to certified TOE affect TOE assurance. A minor change could affect every aspect of assurance. Conversely, many modifications to a TOE may have minor impact on the assurance of TOE. In updating identified developer evidence, developers can judge what kinds of updates within the assurance scope of certified TOE are necessary by considering the “content and presentation elements” which correspond to these developer action elements. For example, AGD_PRE.1.2C states that “the preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.” In other words, changes to the applicable descriptions in ST are required to be consistent with TOE acceptance and installation procedures. Regarding changes to certified TOE, developers can systematically determine the assurance scope and impact, by considering how to update developer evidence from the perspective of satisfying the corresponding “content and presentation elements,” and not by relying on experience or speculation.
In this section, describe the content of the changes in appropriate units such as for each assurance component, each change item, or each updated developer evidence, along with their references.
JISEC EasyLAN Functional Specifications
Section Number
No
Content of Changes
Location of Change
S1-1(F)
1
In response to not supporting FDDI:
removed FDDI from installation menu
2.1.2
2
removed FDDI message for error number [4]
2.5
S2-1(F)
1
Added verification logic for the code for IPA to the license key CD verification program.
3.1.1
A.3
In updating developer evidence, it is necessary to confirm that functions of the certified TOE other than those changed operate correctly (regression test). Similarly, if an assurance component from the AVA class is included in the assurance components, confirm that there were no impacts with regard to vulnerability. These will be confirmed by re-performing the tests, etc. that had been conducted when evaluating the certified TOE. Even if there are no major changes to security functions, there may be cases where new tests will be required. In such cases, it is necessary the developer include in the Impact Analysis Report what tests were additionally implemented and for what purpose. Also, countermeasures to new vulnerabilities after the evaluation of the certified TOE are not included in the assurance continuity scope. It is necessary they be “re-evaluated” to be included in the scope of assurance.

(5) Conclusion

Describe the judgements of whether the changes have a major impact or a minor impact on developer evidence together with the rationale for these judgements.
a. Impact of each change
Describe the impact of each change to developer evidence on the assurance of certified TOE. Also with regard to the rationales for these claims, outline the developer’s impact analysis results in relation to “(2) Description of Changes” and “(4) Description of Developer Evidence Modifications.”
Developers shall analyse the impacts of these changes across a broad range and at sufficient depth. To confirm that the certified assurance scope is not affected, analysis at a deeper level than the assurance level for the certified TOE will be necessary. In the event that changes to the source code of a given module does not involve direct changes to the external interface but may affect the error code of an indirectly called security function, a review of the source code is more efficient than confirming with a regression test using all error patterns as parameters. From this perspective, it is desirable that analysis of the specific impact of changes should be performed by a developer possessing technical knowledge of the changed TOE, and that analysis of how the results affect assurance be supported by a developer possessing knowledge of CC. TOE engineers understand the need to be aware that even small changes to the start-up script will affect the start-up timing and processing time assumed for other functions. CC engineers also understand the need to determine not only whether the message displayed by the script accurately reflects the functional specifications, but also that they are appropriate representations in the preparative procedures for conducting a secure installation.
Based on the results of the analysis of the impact of changes, developers shall determine whether these changes have a major impact or a minor impact, and shall report it along with their rationales. There is no general method for identifying whether impacts are major or minor. Refer to the addendum of the “Assurance Continuity Guideline for Information Technology Security Certification” for a general guideline.
[S3-3] Revision of the time-out period in the event of client communication disconnections
This is a program change relating to error processing of a post-processing process for service authentication of a security function which involves impacts to specifications and administrator guidance. However, it is judged as follows that there are no direct impacts to the interface relating to security function behaviour and secure management by the administrator, and that the impacts of these changes are minor.
S3-3(F).1
 
In the specifications for “service authentication functions” in “Flow Manager Utility functions specifications,” the affects of post-processing are as follows:
1) There are no changes to the post-processing call method or to parameters.
2) During post-processing,
      There are no interactions with the users or other modules.
      There are no operations interrupted (including during the shortened 7 seconds)
3) At the completion of post-processing,
      There is no change to the error number returned. In other words, there is no change in the specification with regard to the error number [7] of error processing of the service authentication function.
      There are no other processes which are dependent on post-processing timing.
      Although message timing displayed on the administrator interface will be 7 seconds earlier, the impact is minor as described in S3-2(G).1.
The impact from changes to “Flow Manager Utility functions specifications” is judged to be minor.
ADV_FSP.2
S3-2(G).1
 
Impacts of the change to the descriptions relating to time until error message display (“approx.10 seconds later” → “3 seconds later”) in “Service authentication” of “Flow Manager Utility Guidance” are as follows:
1) There are no security management items involved during the time from service authentication start-up until error message display.
2) There are no changes to the content of the displayed error message, nor any changes to the actions to be taken by the administrator after message confirmation.
Therefore, impacts from the change to “Flow Manager Utility Guidance” are judged to be minor.
AGD_OPE.1
Furthermore, describe the results of confirming (through regression tests) that security functions operate similarly for the changed TOE as they do for the certified TOE. It is not necessary to describe test procedures and detailed information in the Impact Analysis Report. The developer shall describe the perspective from which the test was implemented to confirm maintenance of assurance.
b. Overall impact
While changes may have little impact individually, they may have a major impact on a TOE through accumulation or interaction. Developers shall analyse each individual change as well as the overall impact on the TOE as a result of these changes. This section shall determine significance of the impact from the analysis results, and shall describe it along with its rationale.
S1-F and S2-F are changes to processing during installation and during operation respectively. As there is no interaction between them, TOE operation is not affected due to their combination. Furthermore, the guidance documents which reflect the respective changes consist of a procedure manual used at the preparation stage, and a guidance document used during operation. They are meant to be read by the administrator at different, independent phases and are contextually unrelated. Therefore, their combination will have no impact on TOE assurance.

(6) Appendix

Describe the identifications and list of items of the developer evidences updated by the changes.
a. List of updated developer evidences
Describe the information necessary to identify developer evidence for the changed TOE as a list including developer evidence name, issue date, and version, among others.
b. List of updated items of developer evidences
Describe the information necessary to identify changed items; that is, a list of the changed items and changed areas of each updated developer evidence. It is not necessary to include minor changes which are not related to the impact analysis (for example, the approval date for revisions).



 

5. Examination of the Impact Analysis Report


The certification body will determine the impact that each change has on assurance based on the submitted Impact Analysis Report. The Impact Analysis Report need not describe the detailed steps of impact analysis or test procedures. However, in the event the Impact Analysis Report contains non-technical analysis and enumeration of subjective claims such as “it is thought not to have an impact” or contains contradictory analysis results, and the certification body judges it necessary to confirm the content of changes and rationale of the analysis, the developer may be requested to provide development evidence or a detailed impact analysis evidence. Impact analysis evidence may be submitted in any format, provided the analysis process to derive the results of each impact analysis can be understood.

No comments:

Post a Comment

add comment here