Annex C

Providing CEM observation reports

C.1 Introduction

1887 The Common Evaluation Methodology Editorial Board (CEMEB) provides this document to their sponsoring organisations for use within the IT security evaluation community. However, it recognises that this use may motivate observations and/or comments on the document for consideration in future versions.

1888 This annex details a mechanism by which to comment on the CEM. This mechanism consists of a report format, the CEM Observation Report (CEMOR), to be used to articulate an observation. Any observations should be submitted through the sponsoring organisations listed in the Foreword of the document.

1889 Any comments should be submitted in the CEMOR format provided. This will allow the CEMEB to process all comments in a common and methodical way. All reviewers should include, where possible, substitution text or a clear resolution for any of the conceptual problems, inconsistencies or technical difficulties identified.

C.2 Format of a CEMOR

1890 A CEMOR shall contain all of the following fields, although one or more fields may be empty. Each field shall begin with the ASCII character “$”, followed by an arabic number, followed by the ASCII character “:”.

$1: Originator’s name

1891 Full name of the originator.

$2: Originator organisation

1892 The originator’s organisation/affiliation.

$3: Return address

1893 Electronic mail or other address to acknowledge receipt of the CEMOR and request clarification, if necessary.

$4: Date

1894 Submission date of observation YY/MM/DD.

August 1999, CEM-99/045, Version 1.0, Page 371 of 373

$5: Originator’s CEMOR identifier

1895 This unique identifier is assigned to the CEMOR by the originator.

$6: Observation type

1896 Possible types are “Editorial”, “Technical”, “Programmatic” or “Other”.

$7: Title of the CEMOR

1897 A short descriptive title for this CEMOR.

$8: CEM document reference

1898 The single reference to the affected area of the CEM. This field shall identify the CEM version number, part number and Section number. Additionally, a paragraph number (or, if no paragraph number is relevant, the work unit, table or figure number) shall also be identified in this field.

$9: Statement of observation

1899 Comprehensive description of the observation. There is no restriction regarding the length of this field. However, it shall contain text only; no figures or tables other than what can be achieved within the realm of ASCII shall be used.

$10: Suggested solution(s)

1900 Proposed solution(s) for addressing the observation.

$$ End of CEMOR

1901 Required to mark the end of CEMOR relevant information.

C.2.1 Example observation

$1: Pat Smith

$2: CC Evals Laboratory

$3: psmith@cclab

$4: 1999/11/10

$5: CEMOR.psmith.comment.1

$6: Technical

$7: Inconclusive verdict is not a verdict

$8: CEM v1.0, Part 2, Section 1.4, paragraph 28b

$9: A verdict should be something that is the result of analysis. If a verdict is not yet reached, it should be called something other than a verdict. An inconclusive verdict could imply that the work was completed but questions remained (i.e., the evaluator did not know whether it passed or failed.)

$10: Change the CEM to have two verdicts: pass and fail. Before a verdict is reached should just be denoting as ‘awaiting verdict.’

$$

1902 Several CEMORs may be combined into a single submission. If this is done, fields $1 through $4 need appear only once at the beginning. For each CEMOR submitted, fields $5 through $10 would appear next. The $$ shall appear following the last CEMOR.
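A parser and structural check for the CEMOR format of C.2 and the combined-submission rule of paragraph 1902, added here as an illustration and not part of the CEM. All names are hypothetical; it assumes that each observation opens with its $5 field and that a line without a field tag continues the preceding field.

```python
import re

TAG = re.compile(r"^\s*\$(\d+):\s*(.*)$")   # "$", an arabic number, ":"
TYPES = {"Editorial", "Technical", "Programmatic", "Other"}   # allowed $6 values

def parse_cemor(text):
    """Return one dict {field number: text} per CEMOR; ValueError if malformed."""
    header, reports, current, last, ended = {}, [], None, None, False
    for n, line in enumerate(text.splitlines(), 1):
        m = TAG.match(line)
        if ended or (m is None and last is None):
            if line.strip():                  # only blank lines allowed here
                raise ValueError(f"line {n}: text outside any field")
        elif line.strip() == "$$":            # end-of-CEMOR marker
            ended = True
        elif m is None:                       # assumption: continuation line
            store = header if last <= 4 else current
            store[last] = f"{store[last]}\n{line.strip()}".strip()
        else:
            num, value = int(m.group(1)), m.group(2).strip()
            if not 1 <= num <= 10:
                raise ValueError(f"line {n}: unknown field ${num}")
            if num <= 4 and current is not None:
                raise ValueError(f"line {n}: ${num} must precede the first $5")
            if num >= 5 and (num == 5 or current is None):
                current = {}                  # assumption: $5 opens a new CEMOR
                reports.append(current)
            store = header if num <= 4 else current
            if num in store:
                raise ValueError(f"line {n}: duplicate field ${num}")
            store[num], last = value, num
    if not ended or not reports:
        raise ValueError("missing $$ end marker or no observation present")
    merged = [{**header, **rep} for rep in reports]   # $1-$4 apply to every CEMOR
    for i, rep in enumerate(merged, 1):
        missing = [f"${k}" for k in range(1, 11) if k not in rep]
        if missing:
            raise ValueError(f"CEMOR {i}: missing fields {missing}")
        if rep[6] and rep[6] not in TYPES:    # fields may be empty
            raise ValueError(f"CEMOR {i}: invalid observation type {rep[6]!r}")
    return merged

# Constructed sample: a combined submission carrying two observations.
HEAD = "$1: A. Reviewer\n$2: Example Lab\n$3: reviewer@lab.example\n$4: 99/11/10\n"
OBS = "$5: {}\n$6: {}\n$7: {}\n$8: CEM v1.0, Part 2, Section 1.4, paragraph 28b\n$9: {}\n$10:\n"
SAMPLE = (HEAD + OBS.format("OBS.1", "Technical", "Verdict naming", "first line\nsecond line")
          + OBS.format("OBS.2", "Editorial", "Typo", "A typo.") + "$$\n")
```

Because a field starts wherever a line begins with "$", a number and ":", free text in $9 or $10 that happens to start a line that way is read as a new field; the format as described gives no escape for this.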
