Effective CISSP Questions

Firewalls are one of your company’s product lines.  You submitted a new web application firewall (WAF) that supports large scale web traffic to an approved CC testing laboratory for certification as a Common Criteria (CC) Evaluation Assurance Level 4 (EAL4) product. You have sent the product as Target of Evaluation (TOE),  Security Target (ST), and related documentation to an approved CC testing laboratory for certification. Which of the following is least likely evaluated?
A. Security Target (ST)
B. Target of Evaluation (TOE)
C. Operational Environment
D. Guidance documents

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Operational Environment.

CC Evaluation Steps

In the CC an ST/TOE evaluation proceeds in two steps:

  • a) An ST evaluation: where the sufficiency of the TOE and the operational environment are determined;
  • b) A TOE evaluation: where the correctness of the TOE is determined. As said earlier, the TOE evaluation does not assess correctness of the operational environment.

Source: CC PART1 V3.1 R5


However, in the CC, no assurance is obtained regarding the correctness of the operational environment. Or, in other words, the operational environment is not evaluated.

As far as the evaluation is concerned, the operational environment is assumed to be a 100% correct instantiation of the security objectives for the operational environment.

Source: CC PART1 V3.1 R5



1 thought on “CISSP PRACTICE QUESTIONS – 20191114

  1. I gone through Wiki and understood Operational Environment not be accessed for EAL4. I think, if possible can you please come up with write up on CC. Which provides more clarity on various assurance level.

Leave a Reply