| RootPrompt [Rank 0] | Hidden starting point for the CC Toolbox Interview. |
| Answer list & Effects list | None: None |
| Child List | P99999, A999999, T99999 |
| Editorial | The Answer List, Effect List, and Prompt String fields of this record are not used by the CC Toolbox. Only the child list is relevant, and it must have the indicated value, namely P99999, A999999, T99999. |
| P99999 [Rank 1] | Do you wish to consider common organizational security policies that could apply to the TOE? |
| Answer list & Effects list | Yes: PC.Root
No: None |
| Child List | P00001 |
| Editorial |
|
| P00001 [Rank 2] | Do you wish to consider organizational security policies derived from public DoD policy sources? |
| Answer list & Effects list | Yes: PC.DoD
No: None |
| Child List | P00002, P00003, P00004, P00005, P00006, P00007, P00008, P00009, P00010, P00011 |
| Editorial |
|
| P00002 [Rank 3] | Does organizational security policy require that individuals be held accountable for their actions? |
| Answer list & Effects list | Yes: P.Accountability
No: None |
| Child List | |
| Editorial |
|
| P00003 [Rank 3] | Does organizational security policy require that appropriate authorities be immediately notified of any threats or vulnerabilities impacting systems that process their data? |
| Answer list & Effects list | Yes: P.Authorities
No: None |
| Child List | |
| Editorial |
|
| P00004 [Rank 3] | Does organizational security policy require that information be used only for its authorized purpose(s)? |
| Answer list & Effects list | Yes: P.Authorized_Use
No: None |
| Child List | |
| Editorial |
|
| P00005 [Rank 3] | Does organizational security policy require that information be available to satisfy mission requirements? |
| Answer list & Effects list | Yes: P.Availability
No: None |
| Child List | |
| Editorial |
|
| P00006 [Rank 3] | Does organizational security policy require that guidance documentation be provided for the secure installation and use of the system? |
| Answer list & Effects list | Yes: P.Guidance
No: None |
| Child List | |
| Editorial |
|
| P00007 [Rank 3] | Does organizational security policy require that only authorized individuals and processes access information? |
| Answer list & Effects list | Yes: P.Information_AC
No: None |
| Child List | |
| Editorial |
|
| P00008 [Rank 3] | Does organizational security policy require that information retain its content integrity? |
| Answer list & Effects list | Yes: P.Integrity
No: None |
| Child List | |
| Editorial |
|
| P00009 [Rank 3] | Does organizational security policy require that information systems security be an integral part of all system lifecycle phases? |
| Answer list & Effects list | Yes: P.Lifecycle
No: None |
| Child List | |
| Editorial |
|
| P00010 [Rank 3] | Does organizational security policy require that information be appropriately marked and labeled? |
| Answer list & Effects list | Yes: P.Marking
No: None |
| Child List | |
| Editorial |
|
| P00011 [Rank 3] | Does organizational security policy require that information be physically protected to prevent unauthorized disclosure, destruction, or modification? |
| Answer list & Effects list | Yes: P.Physical_Control
No: None |
| Child List | |
| Editorial |
|
| A999999 [Rank 1] | Do you wish to consider common assumptions of operation? |
| Answer list & Effects list | Yes: AC.Root
No: None |
| Child List | A000001, A000015, A000036, A000040, A000046, A000050 |
| Editorial |
|
| A000001 [Rank 2] | Are there System Administrators who will be responsible for secure configuration, maintenance, and upgrade? |
| Answer list & Effects list | Yes: AC.Admin
No: None |
| Child List | A000002, A000003, A000004, A000009 |
| Editorial |
|
| A000002 [Rank 3] | Are the System Administration staff authenticated? |
| Answer list & Effects list | Yes: A.Auth_Sys_Admin
No: None |
| Child List | |
| Editorial |
|
| A000003 [Rank 3] | Can administration functions be performed remotely? |
| Answer list & Effects list | Yes: A.Remote_Admin
No: None |
| Child List | |
| Editorial |
|
| A000004 [Rank 3] | Are System Administrator's motives a concern? |
| Answer list & Effects list | Yes: AC.Admin_Motive
No: None |
| Child List | A000005 |
| Editorial |
|
| A000005 [Rank 4] | Are System Administrators considered to be trusted, hostile, or negligent? |
| Answer list & Effects list | Trusted: A.Well_Behaved_Admin
Hostile: A.Hostile_Sys_Admin
Negligent: A.Negligent_Admin |
| Child List | |
| Editorial |
|
| A000009 [Rank 3] | Is the attitude/level of competence of System Administrators a factor? |
| Answer list & Effects list | Yes: AC.Admin_Attitude
No: None |
| Child List | A000010, A000014 |
| Editorial |
|
| A000010 [Rank 4] | Are System Administrators competent, improperly trained or error prone? |
| Answer list & Effects list | Competent: A.Competent_Admin
No Training: A.Poor_Trained_Admin
Error Prone: A.Admin_Errors |
| Child List | |
| Editorial |
|
| A000014 [Rank 4] | Are System Administrators trusted to be well-behaved and act constructively? |
| Answer list & Effects list | Yes: A.No_Abuse_By_Admin
No: None |
| Child List | |
| Editorial |
|
| A000015 [Rank 2] | Are users relied upon as part of ensuring the secure operation of the TOE? |
| Answer list & Effects list | Yes: AC.User
No: None |
| Child List | A000016, A000017, A000018, A000020, A000030, A000031, A000035 |
| Editorial |
|
| A000016 [Rank 3] | Is a cooperating secure IT environment needed? |
| Answer list & Effects list | Yes: A.Coop_User
No: None |
| Child List | |
| Editorial |
|
| A000017 [Rank 3] | Do users have the necessary privilege to access the information in the TOE? |
| Answer list & Effects list | Yes: A.User_Access
No: None |
| Child List | |
| Editorial |
|
| A000018 [Rank 3] | Can users access the TOE remotely? |
| Answer list & Effects list | Yes: A.Remote_Access
No: None |
| Child List | |
| Editorial |
|
| A000020 [Rank 3] | Are user's motives a concern? |
| Answer list & Effects list | Yes: AC.User_Motive
No: None |
| Child List | A000021 |
| Editorial |
|
| A000021 [Rank 4] | Are users considered to be competent, error prone, or hostile? |
| Answer list & Effects list | Trusted: A.Trusted_User
Error Prone: A.User_Mistakes
Hostile: A.Hostile_User |
| Child List | |
| Editorial |
|
| A000030 [Rank 3] | Are users able to bypass the security mechanisms? |
| Answer list & Effects list | Yes: A.No_Bypass_Security
No: None |
| Child List | |
| Editorial |
|
| A000031 [Rank 3] | How sophisticated are adversaries? |
| Answer list & Effects list | Highly: A.Outsider_Hi
Moderately: A.Outsider_Med
Low: A.Outsider_Low
No Adversaries: None |
| Child List | |
| Editorial |
|
| A000035 [Rank 3] | Are software viruses a concern? |
| Answer list & Effects list | Yes: A.User_Virus_Scan
No: None |
| Child List | |
| Editorial |
|
| A000036 [Rank 2] | Is access/modification of security data a concern? |
| Answer list & Effects list | Yes: AC.Data
No: None |
| Child List | A000037, A000038, A000039 |
| Editorial |
|
| A000037 [Rank 3] | Is access to passwords controlled? |
| Answer list & Effects list | Yes: A.Access_to_Passwords
No: None |
| Child List | |
| Editorial |
|
| A000038 [Rank 3] | Can System Administrators potentially modify data in transit? |
| Answer list & Effects list | Yes: A.Admin_Cor_Usr_Data
No: None |
| Child List | |
| Editorial |
|
| A000039 [Rank 3] | Is the modification of system data a concern? |
| Answer list & Effects list | Yes: A.Acc_Ovrwrit_SysData
No: None |
| Child List | |
| Editorial |
|
| A000040 [Rank 2] | Are procedural security measures important? |
| Answer list & Effects list | Yes: AC.Procedures
No: None |
| Child List | A000041, A000042, A000043, A000044, A000045 |
| Editorial |
|
| A000041 [Rank 3] | Can System Administrators review security logs? |
| Answer list & Effects list | Yes: A.Review_Audit_Log
No: None |
| Child List | |
| Editorial |
|
| A000042 [Rank 3] | Can System Administrators properly dispose of user data after access has been removed? |
| Answer list & Effects list | Yes: A.Dispose_User_Data
No: None |
| Child List | |
| Editorial |
|
| A000043 [Rank 3] | Will System Administrators follow documented policies and procedures? |
| Answer list & Effects list | Yes: A.Admin_Docs
No: None |
| Child List | |
| Editorial |
|
| A000044 [Rank 3] | Is management of passwords a concern? |
| Answer list & Effects list | Yes: A.Password_Management
No: None |
| Child List | |
| Editorial |
|
| A000045 [Rank 3] | Are procedures established to protect against viruses? |
| Answer list & Effects list | Yes: A.Admin_Virus_Check
No: None |
| Child List | |
| Editorial |
|
| A000046 [Rank 2] | Are communications to/from the TOE protected? |
| Answer list & Effects list | Yes: AC.Communications
No: None |
| Child List | A000047, A000048, A000049 |
| Editorial |
|
| A000047 [Rank 3] | Is physical protection of the communications provided? |
| Answer list & Effects list | Yes: A.Acc_to_Comms
No: None |
| Child List | |
| Editorial |
|
| A000048 [Rank 3] | Can outsiders read data sent across communications lines? |
| Answer list & Effects list | Yes: A.Eavesdrop_by_Out
No: None |
| Child List | |
| Editorial |
|
| A000049 [Rank 3] | Is connectivity to other systems a concern? |
| Answer list & Effects list | Yes: A.Peer
No: None |
| Child List | |
| Editorial |
|
| A000050 [Rank 2] | Are there physical security constraints that are important to protecting your product or system? |
| Answer list & Effects list | Yes: AC.Physical
No: None |
| Child List | A000051, A000052, A000053, A000054, A000055 |
| Editorial |
|
| A000051 [Rank 3] | Can an unauthorized user (e.g., Hacker) gain physical access to the system? |
| Answer list & Effects list | Yes: A.Phys_Acs_to_Out
No: None |
| Child List | |
| Editorial |
|
| A000052 [Rank 3] | Is physical protection of TOE security functions ensured? |
| Answer list & Effects list | Yes: A.Protect_From_Out
No: None |
| Child List | |
| Editorial |
|
| A000053 [Rank 3] | Is the system protected against such natural disasters as fires and floods? |
| Answer list & Effects list | Yes: A.Prot_Against_Nature
No: None |
| Child List | |
| Editorial |
|
| A000054 [Rank 3] | Is the system protected against a sudden loss of power? |
| Answer list & Effects list | Yes: A.Prot_Agnst_Pwr_Fail
No: None |
| Child List | |
| Editorial |
|
| A000055 [Rank 3] | Is the system protected against a loss of communications? |
| Answer list & Effects list | Yes: A.Prot_of_Comm
No: None |
| Child List | |
| Editorial |
|
| T99999 [Rank 1] | Do you wish to consider threats that may be addressed via the TOE? |
| Answer list & Effects list | Yes: TC.Root
No: None |
| Child List | T00001, T00002, T00003, T00004, T00005, T00006 |
| Editorial |
|
| T00001 [Rank 2] | Do you wish to consider threats originating from those responsible for the administration of the TOE? |
| Answer list & Effects list | Yes: TC.Admin
No: None |
| Child List | T00007, T00008, T00009, T00022, T00027, T00037 |
| Editorial |
|
| T00007 [Rank 3] | Can an administrator commit errors that change the intended security policy of the system or application? |
| Answer list & Effects list | Yes: T.Admin_Err_Commit
No: None |
| Child List | |
| Editorial |
|
| T00008 [Rank 3] | Can the system administrator fail to perform some function essential to security? |
| Answer list & Effects list | Yes: T.Admin_Err_Omit
No: None |
| Child List | |
| Editorial |
|
| T00009 [Rank 3] | Can an administrator maliciously modify the system's configuration to allow security violations to occur? |
| Answer list & Effects list | Yes: T.Admin_Hostile_Modify
No: None |
| Child List | |
| Editorial |
|
| T00022 [Rank 3] | Can an authorized user, IT system, or hacker download and execute malicious code, which causes abnormal processes that violate the integrity, availability, or confidentiality of system assets? |
| Answer list & Effects list | Yes: T.Malicious_Code
No: None |
| Child List | |
| Editorial |
|
| T00027 [Rank 3] | Can an attacker write software or modify protocol information in transit to trick users into interacting with spurious system services? |
| Answer list & Effects list | Yes: T.Spoofing
No: None |
| Child List | |
| Editorial |
|
| T00037 [Rank 3] | Can an administrator learn or disclose user identities in violation of a privacy policy? |
| Answer list & Effects list | Yes: T.Admin_UserPriv
No: None
There is no privacy policy: None |
| Child List | |
| Editorial |
|
| T00002 [Rank 2] | Do you wish to consider threats that originate from those who are not authorized to access the TOE? |
| Answer list & Effects list | Yes: TC.Hacker
No: None |
| Child List | T00014, T00015, T00016, T00017, T00018, T00019, T00020, T00021, T00022, T00027 |
| Editorial |
|
| T00014 [Rank 3] | Can missing, weak and/or incorrectly implemented access control allow a hacker to gain undetected access to the system causing potential violations of integrity, confidentiality, or availability? |
| Answer list & Effects list | Yes: T.Hack_AC
No: None |
| Child List | |
| Editorial |
|
| T00015 [Rank 3] | Can a hacker execute commands, send data, or performs other operations that make system resources unavailable to system users? Resources that may be denied to users include bandwidth, processor time, memory, and data storage. |
| Answer list & Effects list | Yes: T.Hack_Avl_Resource
No: None |
| Child List | |
| Editorial |
|
| T00016 [Rank 3] | Can an outsider obtain user data by eavesdropping on communications lines? |
| Answer list & Effects list | Yes: T.Hack_Comm_Eavesdrop
No: None |
| Child List | |
| Editorial |
|
| T00017 [Rank 3] | Can a hacker perform cryptoanalysis on encrypted data in order to recover message content? |
| Answer list & Effects list | Yes: T.Hack_Crypto
No: None |
| Child List | |
| Editorial |
|
| T00018 [Rank 3] | Can a hacker masquerade as an authorized user to perform operations that will be attributed to the authorized user or a system process? |
| Answer list & Effects list | Yes: T.Hack_Masq
No: None |
| Child List | |
| Editorial |
|
| T00019 [Rank 3] | Can a hacker modify information that he intercepts from a communication link between two unsuspecting entities before passing it on to the intended recipient? |
| Answer list & Effects list | Yes: T.Hack_Msg_Data
No: None |
| Child List | |
| Editorial |
|
| T00020 [Rank 3] | Can a hacker physically damage the IT system, leading to loss of ability to enforce the system security policy (TSP), possibly accompanied by loss of availability, incorrect processing of data, or exposure of system-resident data? |
| Answer list & Effects list | Yes: T.Hack_Phys
No: None |
| Child List | |
| Editorial |
|
| T00021 [Rank 3] | Can a hacker use social engineering techniques to gain information about system entry, system use, system design or system operation? |
| Answer list & Effects list | Yes: T.Hack_Social_Engineer
No: None |
| Child List | |
| Editorial |
|
| T00003 [Rank 2] | Do you wish to consider threats that originate from natural disasters such as fire, flood, earthquake, unplanned power disruptions, etc? |
| Answer list & Effects list | Yes: TC.Physical_Environment
No: None |
| Child List | T00010, T00023 |
| Editorial |
|
| T00010 [Rank 3] | Can failure of one or more system components result in the loss of system-critical functionality? |
| Answer list & Effects list | Yes: T.Component_Failure
No: None |
| Child List | |
| Editorial |
|
| T00023 [Rank 3] | Can a human or environmental agent disrupt power causing the system to lose information or security protection? |
| Answer list & Effects list | Yes: T.Power_Disrupt
No: None |
| Child List | |
| Editorial |
|
| T00004 [Rank 2] | Do you wish to consider threats that originate from the TOE developer, both accidental and intentional? |
| Answer list & Effects list | Yes: TC.System_Developer
No: None |
| Child List | T00010, T00012 |
| Editorial | Deleted T00011, as it is no longer in the GFI database |
| T00012 [Rank 3] | Can a system or applications developer deliver code that does not perform according to specifications or contains security flaws? |
| Answer list & Effects list | Yes: T.Dev_Flawed_Code
No: None |
| Child List | |
| Editorial |
|
| T00005 [Rank 2] | Do you wish to consider threats that originate in software or hardware flaws? |
| Answer list & Effects list | Yes: TC.System_HW_SW
No: None |
| Child List | T00010, T00013, T00022, T00023 |
| Editorial |
|
| T00013 [Rank 3] | Can failure of a component that is part of a distributed system cause other parts of the distributed system to malfunction or provide unreliable results? |
| Answer list & Effects list | Yes: T.Failure_DS_Comp
No: None |
| Child List | |
| Editorial |
|
| T00006 [Rank 2] | Do you wish to consider threats that originate with authorized users of the TOE |
| Answer list & Effects list | Yes: TC.User
No: None |
| Child List | T00022, T00024, T00025, T00026, T00027, T00028, T00029, T00030, T00031, T00032, T00033, T00034, T00035, T00036 |
| Editorial |
|
| T00024 [Rank 3] | Can the recipient of a message deny receiving the message to avoid accountability for receiving the message and for subsequent action or inaction? |
| Answer list & Effects list | Yes: T.Repudiate_Receive
No: None |
| Child List | |
| Editorial |
|
| T00025 [Rank 3] | Can the sender of a message deny sending the message to avoid accountability for sending the message and for subsequent action or inaction? |
| Answer list & Effects list | Yes: T.Repudiate_Send
No: None |
| Child List | |
| Editorial |
|
| T00026 [Rank 3] | Can a participant in a transaction deny participation in the transaction to avoid accountability for the transaction and for subsequent action or inaction? |
| Answer list & Effects list | Yes: T.Repudiate_Transact
No: None |
| Child List | |
| Editorial |
|
| T00028 [Rank 3] | Can a user collect sensitive or proprietary information and remove it from the system, either by putting it on a disk or by transmitting it outside the organization? |
| Answer list & Effects list | Yes: T.User_Abuse_Conf
No: None |
| Child List | |
| Editorial |
|
| T00029 [Rank 3] | Can a user abuse granted authorizations to improperly collect sensitive or security-critical data? |
| Answer list & Effects list | Yes: T.User_Collect
No: None |
| Child List | |
| Editorial |
|
| T00030 [Rank 3] | Can a user commit errors of use that cause information to be delivered to the wrong place or wrong person? |
| Answer list & Effects list | Yes: T.User_Err_Conf
No: None |
| Child List | |
| Editorial |
|
| T00031 [Rank 3] | Can a user accidentally delete user data or change system data rendering user data inaccessible? |
| Answer list & Effects list | Yes: T.User_Err_Inaccess
No: None |
| Child List | |
| Editorial |
|
| T00032 [Rank 3] | Can a user commit errors of use that induce erroneous statements or actions by the system and/or its users? |
| Answer list & Effects list | Yes: T.User_Err_Integrity
No: None |
| Child List | |
| Editorial |
|
| T00033 [Rank 3] | Can a user commit errors of use that cause the system or one of its applications to undermine the system's security features?, e.g., by giving the user privileges for which he is not authorized. |
| Answer list & Effects list | Yes: T.User_Err_Slf_Protect
No: None |
| Child List | |
| Editorial |
|
| T00034 [Rank 3] | Can a users unauthorized use of resources causes undue burden on an affected resource? |
| Answer list & Effects list | Yes: T.User_Misuse_Avl_Resc
No: None |
| Child List | |
| Editorial |
|
| T00035 [Rank 3] | Can a user abuse granted authorizations to improperly change or destroy sensitive or security-critical data? |
| Answer list & Effects list | Yes: T.User_Modify
No: None |
| Child List | |
| Editorial |
|
| T00036 [Rank 3] | Can a user abuse granted authorizations to improperly send sensitive or security-critical data? |
| Answer list & Effects list | Yes: T.User_Send
No: None |
| Child List | |
| Editorial |
|