On Tuesday, 11/04/2008 at 09:43 EST, "A. Harry Williams" <[EMAIL PROTECTED]> wrote:
> My understanding is that it was also a measure of the processes in place
> by the vendor to build and maintain a secure environment. The higher
> the level, the more processes that must be documented and in place.
> It's more of a validation that what the vendor claims to have,
> and that they can back it up. Is that faulty understanding? I've
> thought about it as "How serious is the vendor about security?"

Maintaining and building a secure environment are required at relatively low EALs, but each EAL does introduce more rigorous design, development, testing, and delivery processes. Your "how serious?" comment is well said.

The fees and the PYs can easily run you $1M for an evaluation of an operating system. And this assumes you don't have to spend a bunch of money adding function to meet the standard!

Alan Altmark
z/VM Development
IBM Endicott
