Your company decides to start the business of selling toys online and shipping globally. An in-house team is in charge of developing an E-Commerce system that supports the new business. Network security solutions include devices like firewalls, IPS, SIEM, and so forth. Which of the following is the most helpful in the procurement decision and communication to the management?
A. Security Target (ST)
B. Evaluation Assurance Level (EAL)
C. Target of Evaluation (TOE)
D. Protection Profile (PP)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Evaluation Assurance Level (EAL).
A Target of Evaluation (TOE) is evaluated against the Security Target (ST) that is developed based on one or more Protection Profiles (PPs) as the baseline security requirements. After passing the evaluation, the TOE is graded an Evaluation Assurance Level (EAL).
Procurement decisions between candidate products are easier to make when one product is CC certified and the other is not, or when one product has a higher EAL than the other.
An ST is a heavily technical document, so it is not an appropriate artifact for communicating with the management. The Evaluation Assurance Level (EAL) is about assurance and is a better communication artifact for the management than the ST.