Effective CISSP Questions

Your company develops and sells firewalls. Some models will be sent for evaluation based on the Common Criteria. Which of the following parties should develop the Security Target (ST)?
A. Your company
B. The government
C. The association of firewall vendors
D. The laboratory conducting the evaluation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Your company.

Common Criteria Evaluation

Security Target (ST)

Vendors specify the security functional requirements (SFRs) and security assurance requirements (SARs) of their products in a Security Target (ST), typically derived from one or more Protection Profiles (PPs) used as a baseline, in order to make claims about the security attributes of those products. Testing laboratories then evaluate the products, or Targets of Evaluation (TOEs), to determine whether they actually meet the claims made in the ST.

Proposed Protection Profile Development Process

NIAP is currently working with industry, our customers, and the Common Criteria community to create Protection Profiles for each technology. These Protection Profiles include assurance activities with the goal of achievable, repeatable and testable evaluation activities for each particular technology (see PPs in Development for a status of each PP).

For those technologies where a PP does not yet exist or is not in development, NIAP will work with the vendor and/or customer to offer a path to evaluation. Please see our Guidelines for When No PP Exists for more information.

Source: The National Information Assurance Partnership (NIAP)


My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your company develops and sells firewalls. Some models of these firewalls will be sent for evaluation under the Common Criteria (CC). Which of the following parties should develop the Security Target (ST)?
A. Your company
B. The government
C. The association of firewall vendors
D. The laboratory conducting the evaluation
