On 12/1/06, Ron Teitelbaum <Ron@usmedrec.com> wrote:
> Tim, could you explain this in more detail?
You get EAL2 just for showing up at the meetings is what I hear. :)
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
""" EAL2: Structurally Tested
EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time. EAL2 is therefore applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems """
Basically, EAL2 says "It works and there's at least some evidence provided that it was designed," i.e., the developer showed up at the meetings. EAL1 says "It works but nobody showed it works on purpose," i.e., the developer didn't show any design documentation, or didn't have any design documents to show.
EAL3 and 4 are where the stringency takes hold.
-- Tim