1 Scope
This Technical Specification provides a guideline for the preparation and evaluation of security requirements specifications, referred to as Protection Profiles (PP) in the ISO/IEC 15408 series and in ISO/IEC TR 15446. By a Protection Profile (PP) is meant a set of security requirements for a category of products or systems that meet specific needs. A typical example would be a PP for On-Board Equipment (OBE) to be used in an EFC system.
This Technical Specification should be read in conjunction with the underlying standards ISO/IEC 15408 and ISO/IEC TR 15446. Although a layman could read the first part of the document to get an overview of how to prepare a Protection Profile for EFC equipment, the annexes, in particular A.4 and A.5, require that the reader be familiar with ISO/IEC 15408. The document uses an OBE with an integrated circuit(s) card (ICC) as an example to describe both the structure of the PP and the proposed content.
Figure 1 shows how this document fits in the overall picture of EFC security architecture. The shaded boxes are the aspects mostly related to the preparation of PPs for EFC systems.
The main purpose of a PP is to analyse the security environment of a subject and then to specify the requirements that counter the threats identified in that security environment analysis. The subject studied is called the target of evaluation (TOE). In this document, an OBE with an ICC is used as an example of the TOE.
The preparatory work of EFC/PP consists of the steps shown in Figure 2 (in line with the contents described in Clause 5).
A PP may be registered publicly by the entity preparing the PP in order to make it known and available to other parties that may use the same PP for their own EFC systems.
By a Security Target (ST) is meant a set of security requirements and specifications to be used as the basis for evaluation of an identified TOE. While the PP could be looked upon as the EFC operator's requirements, the ST could be looked upon as the supplier's documentation of compliance with, and fulfilment of, the PP for the TOE, e.g. an OBE.
Figure 3 shows a simplified picture and example of the relationships between the EFC operator, the EFC equipment supplier and an evaluator. For the international registry organization, i.e. the Common Criteria Recognition Arrangement (CCRA), and currently registered PPs, please refer to Annex D.
The ST is similar to the PP, except that it contains additional implementation-specific information detailing how the security requirements are realised in a particular product or system. Hence, the ST includes the following parts not found in a PP:
— a TOE summary specification that presents the TOE-specific security functions and assurance measures;
— an optional PP claims portion that identifies the PPs with which the ST is claimed to be conformant (if any);
— a rationale containing additional evidence establishing that the TOE summary specification ensures satisfaction of the implementation-independent requirements, and that claims about PP conformance are satisfied;
— the actual security functions of EFC products, which will be designed based on this ST; see the example in Figure 4.
The TOE for EFC is limited to the EFC-specific roles and interfaces shown in Figure 5. Since the existing financial security standards and criteria are applicable to the other external roles and interfaces, these are assumed to be outside the scope of the TOE for EFC.
The security evaluation is performed by assessing the security-related properties of the roles, entities and interfaces defined in STs, as opposed to assessing complete processes, which often are distributed over more entities and interfaces than those covered by the TOE of this CEN/ISO Technical Specification.
NOTE Assessing security issues for complete processes is a complementary approach, which may well be beneficial to apply when evaluating the security of a system.
In Annex A, the guideline for preparing an EFC/PP is described using an OBE as an example of an EFC product. The crucial communication link (between the OBE and the RSE) is based on DSRC.