Page 524 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 524
the areas of configuration management, delivery and operation,
development, guidance documents, and lifecycle support plus
assurance tests and vulnerability assessments. Covers the complete
range of security assurance checks and protects profiles as envisioned
in the CC evaluation process, with information on evaluation
assurance levels that describe how systems are designed, checked, and
tested.
Most important of all, the information that appears in these various
CC documents (worth at least a cursory read-through) are the
evaluation assurance levels commonly referred as EALs. Table 8.3
summarizes EALs 1 through 7. For a complete description of EALs,
consult the CC documents hosted at https://www.niap-ccevs.org/ and
view Part 3 of the latest revision.
TABLE 8.3 CC evaluation assurance levels
Level Assurance level Description
EAL1 Functionally tested Applies when some confidence in correct
operation is required but where threats
to security are not serious. This is of
value when independent assurance that
due care has been exercised in protecting
personal information is necessary.
EAL2 Structurally tested Applies when delivery of design
information and test results are in
keeping with good commercial practices.
This is of value when developers or users
require low to moderate levels of
independently assured security. IT is
especially relevant when evaluating
legacy systems.
EAL3 Methodically tested Applies when security engineering begins
and checked at the design stage and is carried through
without substantial subsequent
alteration. This is of value when
developers or users require a moderate
level of independently assured security,
