INTERNATIONAL ISO/IEC STANDARD 15408-2 Fourth edition 2022-08 Information security, cybersecurity and privacy protection Evaluation criteria for IT security - Part 2: Security functional components Sécurite de I'information, cyberseécurite et protection de la vie privée - Criteres d'évaluation pour la sécurité des technologies de l'information Partie 2: Composants fonctionnels de sécurité Reference number IS0/IEC 15408-2:2022(E) ISO @ IS0/IEC 2022 IS0/IEC 15408-2:2022(E) COPYRIGHTPROTECTED DOCUMENT @IS0/IEC2022 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either Iso at the address below or Iso's memberbody inthe country of the requester. ISO copyright office CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 0111 Email: [email protected] Website: www.iso.org Published in Switzerland ii IS0/IEC2022-Allrightsreserved IS0/IEC 15408-2:2022(E) Contents Page Foreword XV Introduction ..xvii 1 Scope. 2 Normative references ..1 3 Terms and definitions ..1 4 Abbreviated terms. .3 5 Overview. .4 5.1 General. ..4 5.2 Organization of this document. 4 6 Functional requirements paradigm .5 7 Security functional components .9 7.1 Overview. .9 7.1.1 General .9 7.1.2 Class structure. .9 7.1.3 Family structure 10 7.1.4 Component structure .11 7.2 Component catalogue 13 8 Class FAU: Security audit .14 8.1 Class description 14 8.2 Security audit automatic response (FAU_ARP) 15 8.2.1 Familybehaviour 15 8.2.2 Components leveling and description 15 8.2.3 Management of FAU_ARP.1. .15 8.2.4 AuditofFAU_ARP.1 15 8.2.5 FAU_ARP.1 Security alarms 15 8.3 Security audit data generation (FAU_GEN) .15 8.3.1 Family behaviour .15 8.3.2 Components leveling and description 15 8.3.3 Management of FAU_GEN.1, FAU_GEN.2 16 8.3.4 Audit of FAU_GEN.1, FAU_GEN.2. 16 8.3.5 FAU_GEN.1 Audit data generation 16 8.3.6 FAU_GEN.2 User identity association 16 8.4 Security audit analysis (FAU_SAA) 17 8.4.1 Family behaviour. 17 8.4.2 Components leveling and description 17 8.4.3 Management of FAU_SAA.1 17 8.4.4 Management of FAU_SAA.2. 18 8.4.5 Management of FAU_SAA.3 18 8.4.6 Management of FAU_SAA.4 18 8.4.7 Audit of FAU_SAA.1, FAU_SAA.2, FAU_SAA.3, FAU_SAA.4 18 8.4.8 FAU_SAA.1 Potential violation analysis. 18 8.4.9 FAU_SAA.2 Profile based anomaly detection 18 8.4.10 FAU_SAA.3 Simple attack heuristics. 19 8.4.11 FAU_SAA.4 Complex attack heuristics 19 8.5 Security audit review (FAU_SAR) 20 8.5.1 Family behaviour 20 8.5.2 Components leveling and description 20 8.5.3 Management of FAU_SAR.1 20 8.5.4 Management of FAU_SAR.2, FAU_SAR.3 20 8.5.5 Audit of FAU_SAR.1 20 8.5.6 Audit of FAU_SAR.2 21 @ IS0/IEC 2022 - All rights reserved ii IS0/IEC 15408-2:2022(E) 8.5.7 Audit of FAU_SAR.3 .21 8.5.8 FAU_SAR.1 Audit review. .21 8.5.9 FAU_SAR.2 Restricted audit review. 21 8.5.10 FAU_SAR.3 Selectable audit review. 21 8.6 Security audit event selection (FAU_SEL) .22 8.6.1 Family behaviour. 22 8.6.2 Components leveling and description 22 8.6.3 Management of FAU_SEL.1 .22 8.6.4 Audit of FAU_SEL.1. 22 8.6.5 FAU_SEL.1 Selective audit 22 8.7 Security audit data storage (FAU_STG) 22 8.7.1 Family behaviour .22 8.7.2 Components leveling and description .23 8.7.3 Management of FAU_STG.1 23 8.7.4 Management of FAU_STG.2 .23 8.7.5 Management of FAU_STG.3 .23 8.7.6 Management of FAU_STG.4 .23 8.7.7 Management of FAU_STG.5 23 8.7.8 Audit of FAU_STG.1 24 8.7.9 Audit of FAU_STG.2, FAU_STG.3 .24 8.7.10 Audit of FAU_STG.4 .24 8.7.11 Audit of FAU_STG.5. .24 8.7.12 FAU_STG.1 Audit data storage location .24 8.7.13 FAU_STG.2 Protected audit data storage .24 8.7.14 FAU_STG.3 Guarantees of audit data availability .25 8.7.15 FAU_STG.4 Action in case of possible audit dataloss 25 8.7.16 FAU_STG.5 Pre