Exam CISSP topic 1 question 190 discussion

The Common Criteria process is based on two key elements: protection profiles and security targets. Protection profiles (PPs) specify for a product that is to be evaluated (the TOE) the security requirements and protections, which are considered the security desires, or the “I want,” from a customer. Security targets (STs) specify the claims of security from the vendor that are built into a TOE. STs are considered the implemented security measures, or the “I will provide,” from the vendor.

A formal document that expresses an implementation-independent set of security requirements is called: C. Protection Profile (PP) A Protection Profile (PP) defines security requirements for a specific type of product or system without specifying how those requirements should be implemented. It serves as a baseline set of security requirements that can be used to evaluate and compare products or systems.

A Protection Profile (PP) is a vendor-neutral document that defines a set of security requirements common to a specific class of IT products or systems. PPs provide a baseline to evaluate security features or functions of any IT product or system within that class. PPs specify a set of security objectives, threats and countermeasures, whereas a Security Target (ST) is specific to an implementation of an IT product or system and includes implementation-specific details.

A Protection Profile (PP) is a document that specifies security requirements for a particular class of information technology products or systems, and can be used as the basis for product or system evaluations. In contrast, a Security Target (ST) is a formal document that expresses a set of security requirements for a specific product or system, and is implementation-dependent. Therefore, the correct answer to the question is B, Security Target (ST).

Protection profiles (PPs) specify for a product that is to be evaluated (the TOE) the security requirements and protections, which are considered the security desires or the “I want” from a customer. Security targets (STs) specify the claims of security from the vendor that are built into a TOE

The Security Target (ST) is a formal document that expresses an implementation-independent set of security requirements in the common criteria. It specifies the security functionality and assurance requirements of a Target of Evaluation (TOE), which is the product or system being evaluated. The ST is used as a reference for evaluating the security capabilities of the TOE and ensuring that it meets the specified security requirements. It is one of the key components of the common criteria evaluation process, along with the Protection Profile (PP) and the Evaluation Assurance Level (EAL). The PP is a document that specifies the security functional and assurance requirements for a particular class of TOEs, while the EAL is a measure of the depth and rigor of the security evaluation conducted on the TOE.

C is correct

A Protection Profile (PP) is an implementation-independent set of security requirements for a class of Targets of Evaluation (TOEs) that meet specific consumer needs https://www.cisa.gov/uscert/bsi/articles/best-practices/requirements-engineering/the-common-criteria

C is correct, as PP is implementation independent and ST is product specific

protection profile (pp) is defined as: A minimal, baseline set of requirements targeted at mitigating well defined and described threats. The term Protection Profile refers to NSA/NIAP requirements for a technology and does not imply or require the use of Common Criteria as the process for evaluating a product.

Shouldn't it be B based on this link? https://en.wikipedia.org/wiki/Common_Criteria Reference Text: Security Target (ST) – the document that identifies the security properties of the target of evaluation

C is correct

C is correct

D. Target of Evaluation (TOE)