The Common Criteria construct which allows prospective consumers or developers to create standardized sets of security requirements to meet their needs is

A. a Protection Profile (PP).

B. a Security Target (ST).

C. an Evaluation Assurance Level (EAL).

D. a Security Functionality Component Catalog (SFCC).

Explanation:
Protection Profiles: The Common Criteria uses protection profiles to evaluate
products. The protection profile contains the set of security requirements, their meaning and
reasoning, and the corresponding EAL rating. The profile describes the environmental
assumptions, the objectives, and functional and assurance level expectations. Each relevant
threat is listed along with how it is to be controlled by specific objectives. It also justifies the
assurance level and requirements for the strength of each protection mechanism. The protection
profile provides a means for the consumer, or others, to identify specific security needs; this is
the security problem to be conquered.

EAL: An evaluation is carried out on a product and is assigned an evaluation assurance level
(EAL). The thoroughness and stringent testing increases in detail-oriented tasks as the levels
increase. The Common Criteria has seven assurance levels. The ranges go from EAL1, where
the functionality testing takes place, to EAL7, where thorough testing is performed and the system
is verified.
All-In-One CISSP Certification Exam Guide by Shon Harris pg. 262

Note: "The Common Criteria defines a Protection Profile (PP), which is an implementation-independent specification of the security requirements and protections of a product that could be
built. The Common Criteria terminology for the degree of examination of the product to be tested is
the Evaluation Assurance Level (EAL). EALs range from EA1 (functional testing) to EA7 (detailed
testing and formal design verification). The Common Criteria TOE [target of evaluation] refers to
the product to be tested. A Security Target (ST) is a listing of the security claims for a particular IT
security product." - Ronald Krutz, The CISSP PREP Guide (gold edition), pg. 266-267