Your company develops security products and competes in the market with the first-mover strategy. Time-to-market and third-party assurance, e.g., Common Criteria, are critical success factors. You lead the firewall development team. Which of the following is the least priority for the development of a new firewall model?
B. Management commitment
C. Assurance with a formal design
D. Selection of computer languages
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Assurance with a formal design.
CC Assurance Approach
The CC philosophy is to provide assurance based upon an evaluation (active investigation) of the IT product that is to be trusted. Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents. In aligning the existing approaches, the CC adopts the same philosophy. The CC proposes measuring the validity of the documentation and of the resulting IT product by expert evaluators with increasing emphasis on scope, depth, and rigour.
Source: Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components
Formal design is typically built upon mathematical models. Verifying a formal design for assurance, e.g., at CC EAL7, is too rigorous in this case and takes a vast amount of time and money. It's not aligned with the first-mover strategy and time-to-market.
The information in this question is not sufficient to identify the best EAL to support the first-mover strategy, but it's certain that EAL7 is not a good option. Few products are evaluated against EAL7.
- Continuous and systematic compilation and processing of recorded information for the purpose of storage, classifying, retrieval, utilization or transmission. (ISO 15519-1:2010 Specification for diagrams for process industry — Part 1: General rules)
- Collection of documents related to a given subject. (ISO 29845:2011 Technical product documentation — Document types)
The validity of the documentation is typically part of the assurance evaluation.
The selection of computer languages significantly affects the efficiency of development and time-to-market. The learning curve of low-level languages, e.g., machine code or assembly, is steep, and code written in them is hard to maintain and prone to bugs.
- “A commitment refers to any action taken in the present that binds an organization to a future course of action.” (Sull, 2003)
- “A Management Commitment implies the direct participation by the highest level management (top management) in all specific and critically important aspects such as safety, quality, environment, security, etc., or programmes of an organisation. It is important that the responsibility for leadership and for creating the environment of continuous improvement belongs to all levels of management and members, but particularly to the highest.” (ThePD, 2015)
Every project or product needs management commitment to succeed.