|Title:||ISO/IEC TR 15446:2004 – Information technology -- Security techniques -- Guide for the production of Protection Profiles and Security Targets|
|Topic:||Technical Report (TR) containing guidelines for the construction of Protection Profiles (PPs) and Security Targets (STs) that are intended to be compliant with ISO/IEC 15408 (the "Common Criteria").
Note: PPs and STs are described in the TR as follows:
“The purpose of a Protection Profile (PP) is to state a security problem rigorously for a given collection of systems or products - known as the Target Of Evaluation (TOE) - and to specify security requirements to address that problem without dictating how these requirements will be implemented.
A Security Target (ST) is similar to PP, except that it contains additional implementation-specific information detailing how the security requirements are realised in a particular product or system.”|
|Direct / indirect relevance:||Indirect. The text is a resource for the definition of security concepts, but has no direct implications for RM/RA as such.|
|Scope:||Publicly available ISO TR, which can be voluntarily adhered to.|
|Legal force:||Nonbinding ISO TR.|
|Affected sectors:||Generic. The standard can be adhered to by any security professional involved in creating PPs and STs.|
|Relevant provision(s):||The standard describes how PPs and STs should be created, including a description of which information should be provided, and provides a number of practical examples of compliant PPs and STs.|
|Relevance to RM/RA:||The standard is predominantly used as a tool for security professionals to develop PPs and STs, but can also be used to assess the validity of the same (by using the TR as a yardstick to determine if its standards have been obeyed). Thus, it is a (nonbinding) normative tool for the creation and assessment of RM/RA practices.|