Re: Can ISO15408 evaluated products be trusted?
From: HHikita <h_hikita () yahoo co jp>
Date: Sun, 22 May 2005 01:13:42 +0900
Nora Barrera wrote:
> I was told that "internal risk" is not taken into
> account in Japan. No employee would hack his own
The traditional employment system in Japan was "Shuushin Koyou".
You were basically assured your job until retirement.
So before there was any information technology, 30 years of your
annual income was enough to mitigate most threats.
There are still companies which do not take "internal risk" into
account, and you are able to read about their consequences
in the newspapers daily.
> How can this be evaluated? The evaluation laboratory
> says "Not clear, not understandable". And the guy who
> wrote the description answers "you are too stupid to
> understand it". What happens next?
The evaluator would at least have to specify where and/or what in the
that he finds to be "Not clear, not understandable". And the developer
is given a chance to take action against these claims.
If the issue is not resolved at the end of the evaluation, then the
verdict would be "fail" or "inconclusive".
You said it!
You would have to do some homework on the kind of product the PP or ST
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/