Frequently Asked Questions
Q: What is the scope of the audit?
A: The audit covers the entire lifecycle of the components that make up the system. This includes the following elements:
- Development Process
- Development Environment
- Equipment Manufacturing Environment
- Component Distribution to Operational Locations
- Distribution of System Secret Values to Operational Locations
- Component Initialization including Loading of System Secret Values
- Component Computer Security, Network Security, and Physical Security in each Operational Location
Q: What is the result of the audit?
A: The result is an evaluation of the robustness of each aspect of the system. The robustness levels are uniform and openly published. The content owners usually use the robustness levels when deciding whether to approve or disapprove a given system for specific content.
Q: Does Merdan approve systems?
A: No, Merdan does not approve systems. Only the content owners approve systems and, even then, only for their specific content.
Q: What robustness level is needed to be approved by a 'studio'?
A: This is entirely determined by the 'studio'. In Merdan's experience, 'low value' content will usually be approved even with a relatively low robustness level (e.g. sophisticated hacking or even casual hacking). To receive approval for 'high value' content, the content owners have usually insisted on a system being robust at the University Challenge level and prefer the Criminal Enterprise level.
Q: Why does a Merdan audit focus on description and analysis rather than relying on hands-on testing?
A: The Merdan methodology is based on the security evaluation approach used by the United States National Security Agency. In this proven evaluation approach, testing is used to confirm the presence of security flaws identified through analysis or to provide evidence at the lowest levels of robustness. In terms of the Merdan Robustness Levels, this corresponds to the Malicious Hacking level.
Q: How long does an audit take?
A: Usually, an audit is performed in two phases. Phase I usually takes 45 calendar days for a mature, well-documented system. There is frequently a 15 to 30 calendar day gap between Phase I and Phase II for customer review and minor design changes to resolve 'security shortfalls' that become obvious during Phase I. Phase II usually takes 30 calendar days.
Q: Does Merdan make recommendations for 'improvements' in the audit results?
A: Merdan cannot make recommendations and still be able to perform an audit of the system. However, the form of the Phase II audit report is such that the cause of any shortfall (failure of a portion of a system to achieve the Criminal Enterprise level of robustness) will be obvious to any competent security expert who is also familiar with the system design.
Q: Can Merdan perform an audit of 'part' of a system?
A: There are several major cases as follows:
Case 1 -- The 'part' is an addition (i.e. a new STB type) to a previously audited system. In this case, the audit is a relatively simple modification of the previous audit.
Case 2 -- The 'part' is a component of an unaudited system. In this case, the audit is either not feasible or would require construction of a 'synthetic' audit for the remainder of the system.