6.5 Information flow control policy (FDP_IFC)

Family behaviour

This family identifies the information flow control SFPs (by name) and defines the scope of control of the policies that form the identified information flow control portion of the TSP. This scope of control is characterised by three sets: the subjects under control of the policy, the information under control of the policy, and the operations that cause controlled information to flow to and from controlled subjects covered by the policy. The criteria allow multiple policies to exist, each having a unique name. This is accomplished by iterating components from this family once for each named information flow control policy. The rules that define the functionality of an information flow control SFP will be defined by other families such as FDP_IFF and FDP_SDI. The names of the information flow control SFPs identified here in FDP_IFC are meant to be used throughout the remainder of the functional components that have an operation that calls for an assignment or selection of an "information flow control SFP."

The TSF mechanism controls the flow of information in accordance with the information flow control SFP. Operations that would change the security attributes of information are not generally permitted as this would be in violation of an information flow control SFP. However, such operations may be permitted as exceptions to the information flow control SFP if explicitly specified.

Component levelling

FDP_IFC.1 Subset information flow control requires that each identified information flow control SFP be in place for a subset of the possible operations on a subset of the information flows in the TOE.

FDP_IFC.2 Complete information flow control requires that each identified information flow control SFP cover all operations on the subjects and information covered by that SFP. It further requires that all information flows and operations within the TSC are covered by at least one identified information flow control SFP. In conjunction with the FPT_RVM.1 component, this gives the "always invoked" aspect of a reference monitor.
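The following is an added illustration, not text or code from CC Part 2. It models a named information flow control SFP as exactly the three sets that fix its scope of control (subjects, information, operations) plus a flow rule, iterates the family twice to obtain two uniquely named SFPs, mediates every operation through a single TSF entry point, denies attribute-changing operations unless an SFP lists them as explicit exceptions, and computes the set of (subject, information, operation) triples in a sample TSC that no SFP covers, which is empty exactly when FDP_IFC.2 is met and non-empty when only FDP_IFC.1 holds. The sensitivity levels, the lattice rule, the subject and information names, and the "relabel" operation are assumptions made for the example; the flow rule itself would be specified under FDP_IFF and is bundled in only so the model can enforce it.

```python
"""Toy model of an FDP_IFC scope of control. Illustrative only: the levels, names
and flow rule are assumptions for this example, not text from CC Part 2."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, FrozenSet, List, Set, Tuple

LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2}  # assumed sensitivity ordering
ATTRIBUTE_CHANGING_OPS = frozenset({"relabel"})      # ops that alter information attributes

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str

@dataclass(frozen=True)
class Info:
    name: str
    label: str

@dataclass(frozen=True)
class InfoFlowSFP:
    """One named SFP: its scope of control (three sets) plus the rule deciding covered flows.
    The rule proper belongs to FDP_IFF; it is bundled here only so the model can enforce it."""
    name: str
    subjects: FrozenSet[str]
    information: FrozenSet[str]
    operations: FrozenSet[str]
    rule: Callable[[Subject, Info, str], bool]
    # (subject, operation) pairs explicitly permitted to change information attributes
    explicit_exceptions: FrozenSet[Tuple[str, str]] = frozenset()

    def covers(self, s: Subject, i: Info, op: str) -> bool:
        return s.name in self.subjects and i.name in self.information and op in self.operations

def mls_rule(s: Subject, i: Info, op: str) -> bool:
    """Assumed lattice rule: a subject may import (read) information at or below its
    clearance and export (write) at or above it, so information never flows downward."""
    cs, ci = LEVELS[s.clearance], LEVELS[i.label]
    return (op == "import" and cs >= ci) or (op == "export" and cs <= ci)

class TSF:
    """Registry of uniquely named SFPs; mediate() is the single path every operation takes."""

    def __init__(self, sfps: List[InfoFlowSFP]):
        self.sfps = list(sfps)
        if len({p.name for p in self.sfps}) != len(self.sfps):
            raise ValueError("each iterated SFP must have a unique name")

    def mediate(self, s: Subject, i: Info, op: str) -> Tuple[str, List[str]]:
        """Return (decision, deciding SFP names). Every SFP covering the flow must permit it."""
        applicable = [p for p in self.sfps if p.covers(s, i, op)]
        if not applicable:
            return "NOT_COVERED", []  # outside every SFP's scope: tolerable under FDP_IFC.1 only
        for p in applicable:
            if op in ATTRIBUTE_CHANGING_OPS:
                if (s.name, op) not in p.explicit_exceptions:
                    return "DENY", [p.name]  # attribute change without an explicit exception
            elif not p.rule(s, i, op):
                return "DENY", [p.name]
        return "PERMIT", [p.name for p in applicable]

    def coverage_gaps(self, subjects, infos, ops) -> Set[Tuple[str, str, str]]:
        """FDP_IFC.2 check: every (subject, information, operation) triple in the TSC must be
        covered by at least one SFP. An empty result means complete information flow control."""
        return {(s.name, i.name, op) for s, i, op in product(subjects, infos, ops)
                if not any(p.covers(s, i, op) for p in self.sfps)}

# Constructed sample TSC: three subjects, two pieces of information, three operations.
SUBJECTS = {"alice": Subject("alice", "SECRET"), "bob": Subject("bob", "PUBLIC"),
            "labeler": Subject("labeler", "SECRET")}
INFOS = {"plan": Info("plan", "SECRET"), "notice": Info("notice", "PUBLIC")}
OPS = ["import", "export", "relabel"]

# First iteration of the family: an MLS policy over import and export only.
MLS_SFP = InfoFlowSFP("MLS_SFP", frozenset(SUBJECTS), frozenset(INFOS),
                      frozenset({"import", "export"}), mls_rule)
# Second iteration: relabelling is now covered, and denied except for the designated labeler.
RELABEL_SFP = InfoFlowSFP("RELABEL_SFP", frozenset(SUBJECTS), frozenset(INFOS),
                          frozenset({"relabel"}), lambda s, i, op: False,
                          explicit_exceptions=frozenset({("labeler", "relabel")}))

def evaluate(tsf: TSF) -> dict:
    """Coverage of the sample TSC plus a few mediated flows."""
    m = lambda who, what, op: tsf.mediate(SUBJECTS[who], INFOS[what], op)
    return {"gaps": tsf.coverage_gaps(SUBJECTS.values(), INFOS.values(), OPS),
            "alice_reads_plan": m("alice", "plan", "import"),
            "bob_reads_plan": m("bob", "plan", "import"),
            "alice_writes_notice": m("alice", "notice", "export"),
            "alice_relabels_plan": m("alice", "plan", "relabel"),
            "labeler_relabels_plan": m("labeler", "plan", "relabel")}

if __name__ == "__main__":
    for sfps in ([MLS_SFP], [MLS_SFP, RELABEL_SFP]):
        print([p.name for p in sfps], evaluate(TSF(sfps)))
```

With MLS_SFP alone, the six relabel triples are uncovered, so the TOE could only claim FDP_IFC.1 for that policy; adding the second iteration closes the gap, and relabelling then stays denied for everyone except the subject named in the explicit exception. The "always invoked" property comes from routing every operation through mediate(); the model does not enforce that by itself, which is why the text pairs FDP_IFC.2 with FPT_RVM.1.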

Management: FDP_IFC.1, FDP_IFC.2

There are no management activities foreseen for these components.

Audit: FDP_IFC.1, FDP_IFC.2

There are no events identified that should be auditable if FAU_GEN Security audit data generation is included in the PP/ST.