9.4 Unobservability (FPR_UNO)

Family behaviour

This family ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used.

Component levelling

FPR_UNO.1 Unobservability requires that users and/or subjects cannot determine whether an operation is being performed.

FPR_UNO.2 Allocation of information impacting unobservability requires that the TSF provide specific mechanisms to avoid the concentration of privacy related information within the TOE. Such concentrations might impact unobservability if a security compromise occurs.

FPR_UNO.3 Unobservability without soliciting information requires that the TSF does not try to obtain privacy related information that might be used to compromise unobservability.

FPR_UNO.4 Authorised user observability requires the TSF to provide one or more authorised users with a capability to observe the usage of resources and/or services.

Management: FPR_UNO.1, FPR_UNO.2

The following actions could be considered for the management functions in FMT:

a)    the management of the behaviour of the unobservability function.

Management: FPR_UNO.3

There are no management activities foreseen for these components.

Management: FPR_UNO.4

The following actions could be considered for the management functions in FMT:

a)    the list of authorised users that are capable of determining the occurence of operations.

Audit: FPR_UNO.1, FPR_UNO.2

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP / ST:

a)    Minimal: The invocation of the unobservability mechanism.

Audit: FPR_UNO.3

There are no actions identified that should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST.

Audit: FPR_UNO.4

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP / ST:

a)    Minimal: The observation of the use of a resource or service by a user or subject.