commoncriteria / mobile-device

Protection Profile for Mobile Device Fundamentals
The Unlicense

Undefined OE name in 4.3 #50

Open chapman-s opened 4 years ago

chapman-s commented 4 years ago

MDF PP 3.2 draft (2020-07-17):

Section 4.3 references OE.DATA_PROPER_USER, but OE.DATA_PROPER_USER doesn’t exist in section 4.2. Please define OE.DATA_PROPER_USER in section 4.2.

lewyble commented 3 years ago

Dianne - I added a placeholder for OE.DATA_PROPER_USER. Please have the tech writer complete this during consistency review.

jfisherbah commented 3 years ago

Proposed wording for OE.DATA_PROPER_USER to be committed with the next set of changes is as follows: "Actors in the Operational Environment take measures to ensure that mobile device users are adequately vetted against malicious intent and are made aware of the expectations for appropriate use of the device."

woodbe commented 3 years ago

I'm not sure I like the word "actors" here. I get what it means, but nowhere in the MDF is that used to describe anything. OE.CONFIG uses "TOE Administrators" which I think is better (maybe not completely accurate, but better than a generic "actor").

Either way, I think some use of administrator is better than actor here as it better matches with the phraseology that is used elsewhere.

jfisherbah commented 3 years ago

I didn't want to use "TOE administrators" since the people in charge of vetting MD users and making them aware of the acceptable usage policy within an organization could be people (e.g. HR) who have no relationship to those actually administering the mobile device. I'm open to alternative suggestions but I wanted to make it clear that this is an environmental objective specifically because it can happen completely separate from anyone who has direct responsibility for the TOE's configuration.

Though if there is no suitable alternative, we can just go with "TOE administrators" even if it's not necessarily accurate in the strictest sense.

woodbe commented 3 years ago

Some of the other OE.xxx just list "administrators" and elsewhere there is "Enterprise Administrators". I think just administrators would be fine. I completely get not wanting to say TOE administrators, but in one sense, they obviously are TOE admins if they are ensuring the proper usage of the environment.

My vote would just be "administrators" and leave it at that. I think that is both generic and clear as to who is expected to do this.

jfisherbah commented 3 years ago

Change made to 'Administrators' per request - this will be visible in the next commit (current ETA is this afternoon or tomorrow as updates from other consistency review items are ongoing).