On Tue, 4 Nov 2008 16:15:52 -0500 Alan Altmark said:
>
>Don't be deceived by the "EAL" number.  It is a measure of the amount of
>evidence (assurance) that the vendor has provided to the evaluator to
>support the claims in the Security Target.  It also measures the amount of
>effort expended by the evaluator to assess the evidence.  A higher
>evaluation assurance level (EAL) does NOT mean it is "more secure".

My understanding is that it was also a measure of the processes in place
by the vendor to build and maintain a secure environment.  The higher
the level, the more processes that must be documented and in place.
It's more of a validation of what the vendor claims to have,
and that they can back it up.  Is that a faulty understanding?  I've
thought about it as "How serious is the vendor about security?"

>
>And the "plus" at the end indicates that there is a mechanism to report,
>track, fix, and deliver fixes to the security-relevant parts of the
>system, a.k.a. "flaw remediation".
>
>Alan Altmark
>z/VM Development
>IBM Endicott
/ahw
