Final Interpretation for RI # 27 - Events and actions

Date: 02/16/2001
Subject: Events and actions
CC Part #1 Reference: 
CC Part #2 Reference: 
CC Part #3 Reference: CC Part 3, Section 11.1 (AGD_ADM)
CEM Reference: 

Issue:

AGD_ADM.1.6C states:

The administrator guidance shall describe each type of security-relevant event relative to the administrative functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_ADM.1.1C stipulates that administrator functions must be defined. Is an event (AGD_ADM.1.6C) the same as a function (AGD_ADM.1.1C) or something different?



Interpretation

Security-relevant events and administrative functions are not identical.

Specific Changes

The following application note is added to AGD_ADM after paragraph 375:

AGD_ADM.1.6C requires that the administrator guidance describe the appropriate administrator's reactions to all security-relevant events. Although many security-relevant events are the result of performing administrative functions, this need not always be the case (e.g. the audit log fills up, an intrusion is detected). Furthermore, a security-relevant event may happen as a result of a specific chain of administrator functions or, conversely, several security-relevant events may be triggered by one function.

Rationale

N/A