PrepAway - Latest Free Exam Questions & Answers

Which choice below is the BEST description of a Protection Profile (PP), as defined by the Common
Criteria (CC)?

A. A reusable definition of product security requirements

B. An intermediate combination of security requirement components

C. A statement of security claims for a particular IT security product

D. The IT product or system to be evaluated

Explanation:
The Common Criteria (CC) is used in two ways:

- As a standardized way to describe security requirements for IT products and systems
- As a sound technical basis for evaluating the security features of these products and systems

The CC defines three useful constructs for building IT security requirements: the Protection Profile (PP), the Security Target (ST), and the Package.

The PP is an implementation-independent statement of security needs for a set of IT security products. The PP contains a set of security requirements and is intended to be a reusable definition of product security requirements that are known to be useful and effective. A PP gives consumers a means of referring to a specific set of security needs and communicating them to manufacturers, and helps future product evaluation against those needs.

Answer “A statement of security claims for a particular IT security product” defines the Security Target (ST). The ST is a statement of security claims for a particular IT security product or system. The ST parallels the structure of the PP, though it has additional elements that include product-specific detailed information. An ST is the basis for agreement among all parties as to what security the product or system offers, and therefore the basis for its security evaluation.

Answer “An intermediate combination of security requirement components” describes the Package. The Package is an intermediate combination of security requirements components. The Package permits the expression of a set of either functional or assurance requirements that meet some particular need, expressed as a set of security objectives.

Answer “The IT product or system to be evaluated” describes the Target of Evaluation (TOE). The TOE is an IT product or system to be evaluated, the security characteristics of which are described in specific terms by a corresponding ST, or in more general terms by a PP. This evaluation consists of rigorous analysis and testing performed by an accredited, independent laboratory. The scope of a TOE evaluation is set by the Evaluation Assurance Level (EAL) and other requirements specified in the ST. Part of this process is an evaluation of the ST itself, to ensure that it is correct, complete, and internally consistent and can be used as the baseline for the TOE evaluation.

Source: Common Criteria Project.
