10.8 Trusted recovery (FPT_RCV)

Family behaviour

The requirements of this family ensure that the TSF can determine that the TOE is started up without protection compromise and can recover without protection compromise after discontinuity of operations. This family is important because the start-up state of the TSF determines the protection of subsequent states.

Component levelling

FPT_RCV.1 Manual recovery, allows a TOE to provide only mechanisms that involve human intervention to return to a secure state.

FPT_RCV.2 Automated recovery, provides, for at least one type of service discontinuity, recovery to a secure state without human intervention; recovery for other discontinuities may require human intervention.

FPT_RCV.3 Automated recovery without undue loss, also provides for automated recovery, but strengthens the requirements by disallowing undue loss of protected objects.

FPT_RCV.4 Function recovery, provides for recovery at the level of particular SFs, ensuring either successful completion or rollback of TSF data to a secure state.

Management: FPT_RCV.1

The following actions could be considered for the management functions in FMT:

a)    management of who can access the restore capability within the maintenance mode.

Management: FPT_RCV.2, FPT_RCV.3

The following actions could be considered for the management functions in FMT:

a)    management of who can access the restore capability within the maintenance mode;

b)    management of the list of failures/service discontinuities that will be handled through the automatic procedures.

Management: FPT_RCV.4

There are no management activities foreseen.

Audit: FPT_RCV.1, FPT_RCV.2, FPT_RCV.3

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP / ST:

a)    Minimal: the fact that a failure or service discontinuity occurred;

b)    Minimal: resumption of the regular operation;

c)    Basic: type of failure or service discontinuity.

Audit: FPT_RCV.4

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP / ST:

a)    Minimal: if possible, the inability to return to a secure state after failure of a security function;

b)    Basic: if possible, the detection of a failure of a security function.
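The following Python sketch is an added illustration of how the four components and their audit events fit together; it is not part of the Common Criteria text and the standard prescribes no implementation. The TSF data (a constructed subject-to-permission map), the secure-state predicate (only listed administrators may hold "admin"), the journal-replay model and the audit record shape are all assumptions. A security function runs against a working copy and is committed only if it completes and leaves a secure state, otherwise it rolls back (FPT_RCV.4); discontinuities on the administrator-managed automatic list are recovered from the last committed state (FPT_RCV.2/3), all others drop the TOE into maintenance mode where only an administrator may restore (FPT_RCV.1, management action a); each path emits the Minimal/Basic audit events listed above.

```python
"""Added illustration of FPT_RCV trusted recovery. TSF data, the secure-state
predicate, the journal model and the audit record shape are assumptions."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed TSF data: which subjects hold which permissions.
INITIAL_TSF_DATA: Dict[str, Set[str]] = {
    "alice": {"read"},
    "bob": {"read", "write"},
    "root": {"read", "write", "admin"},
}
ADMINISTRATORS = {"root"}

# Assumed management setting (FPT_RCV.2 action b): discontinuities handled automatically.
AUTO_RECOVERABLE = {"power_loss", "watchdog_reset"}


@dataclass
class AuditRecord:
    level: str   # "Minimal" or "Basic", the audit levels used in the family text
    event: str
    detail: str = ""


def is_secure_state(data: Dict[str, Set[str]]) -> bool:
    """Secure-state predicate (assumption): only listed administrators may hold 'admin'."""
    return all("admin" not in perms or subj in ADMINISTRATORS for subj, perms in data.items())


class RecoveringTsf:
    def __init__(self, initial: Dict[str, Set[str]]):
        self.committed = copy.deepcopy(initial)   # last known secure state
        self.audit: List[AuditRecord] = []
        self.maintenance_mode = False

    def run_security_function(self, name: str, fn: Callable[[dict], None]) -> bool:
        """FPT_RCV.4: fn either completes into a secure state (commit) or its effects are discarded."""
        working = copy.deepcopy(self.committed)
        try:
            fn(working)
            if not is_secure_state(working):
                raise ValueError("result violates secure-state predicate")
        except Exception as exc:
            # Basic: detection of a failure of a security function
            self.audit.append(AuditRecord("Basic", "sf_failure_detected", f"{name}: {exc}"))
            if is_secure_state(self.committed):
                self.audit.append(AuditRecord("Minimal", "resumption", name))
            else:
                # Minimal: inability to return to a secure state after the failure
                self.maintenance_mode = True
                self.audit.append(AuditRecord("Minimal", "secure_state_unreachable", name))
            return False
        self.committed = working
        return True

    def recover_after_discontinuity(self, kind: str, journal_replay: Optional[dict] = None) -> str:
        """FPT_RCV.2/3: automated recovery for listed discontinuities, manual recovery otherwise."""
        self.audit.append(AuditRecord("Minimal", "discontinuity_occurred"))
        self.audit.append(AuditRecord("Basic", "discontinuity_type", kind))
        if kind not in AUTO_RECOVERABLE:
            self.maintenance_mode = True
            self.audit.append(AuditRecord("Minimal", "manual_recovery_required", kind))
            return "maintenance"
        # journal_replay stands in for whatever state replaying the journal yields
        candidate = journal_replay if journal_replay is not None else self.committed
        if not is_secure_state(candidate):
            self.maintenance_mode = True
            self.audit.append(AuditRecord("Minimal", "secure_state_unreachable", kind))
            return "maintenance"
        self.committed = copy.deepcopy(candidate)
        self.audit.append(AuditRecord("Minimal", "resumption", kind))
        return "resumed"

    def manual_restore(self, operator: str, known_good: dict) -> str:
        """FPT_RCV.1 restore capability, limited to administrators (management action a)."""
        if operator not in ADMINISTRATORS:
            self.audit.append(AuditRecord("Basic", "restore_denied", operator))
            return "denied"
        if not is_secure_state(known_good):
            self.audit.append(AuditRecord("Basic", "restore_rejected", operator))
            return "rejected"
        self.committed = copy.deepcopy(known_good)
        self.maintenance_mode = False
        self.audit.append(AuditRecord("Minimal", "resumption", f"manual by {operator}"))
        return "resumed"


if __name__ == "__main__":
    tsf = RecoveringTsf(INITIAL_TSF_DATA)
    tsf.run_security_function("grant", lambda d: d["alice"].add("admin"))   # rolled back
    tsf.recover_after_discontinuity("disk_corruption")                       # maintenance mode
    tsf.manual_restore("root", INITIAL_TSF_DATA)                             # operator restores
    for rec in tsf.audit:
        print(f"{rec.level:8} {rec.event:26} {rec.detail}")
```

The rollback in run_security_function is trivial only because the working copy is separate from the committed state; a real TSF that updates data in place needs a write-ahead journal or equivalent to make "completion or rollback" hold across a crash, which is what the journal_replay parameter stands in for.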