Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.

Published byGriffin Berry Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner."— Presentation transcript:

1 1 Using Common Criteria Protection Profiles

2 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner –Also used by users, developers, evaluators, and auditors o A system design document –Refines need through several levels into specific requirements o A consistent thread from ‘what’ to ‘how’ –Requirements match need in a manner the user can live with What is a Protection Profile (PP)?

3 3 Who ‘owns’ a PP? o PP is fundamentally a statement of user need o Ideally the ‘using’ community should own the PP and –Drive PP development –Soliciting input from developers, evaluators, auditors, and regulators o User understands the mission/business and can state –what is expected of TOE –what is NOT expected of the TOE o Others however... –Vendors have a hard time stating what the product does NOT do –Security technical experts often fail to fully understand user needs

4 4 PP Outline o INTRODUCTION o TOE DESCRIPTION o SECURITY ENVIRONMENT o OBJECTIVES o REQUIREMENTS o RATIONALE

5 5 PP Outline (Continued) o Introduction –Executive summary (what the owner of the money needs to see) –Clear statement of the security problem to be addressed –As far into the PP as many decision makers will ever go o TOE Description –Adds greater detail to introduction –What is TOE and what is environment? –Targeted toward the technical manager

6 6 PP Outline (Continued) o Security Environment –Address user concerns and facilitate requirement definition –Assumptions made in the development of this PP Expectations on the environment that will not be addressed elsewhere Expectations on the nature of the TOE (e.g., built from COTS) Threats not covered due to explicit risk acceptance –Threats and organizational policies to be addressed Those that are significant in terms of developing requirements Those that PP users will want to see explicitly addressed –General level of assurance needed Refinement of rest of PP to this point Capture the gist of that is necessary to meet the PP goals

7 7 PP Outline (Continued) o Objectives –How policies and threats will be addressed in light of assumptions Nature of the requirements needed Degree of effectiveness expected Focus for efforts (prevent, detect, react, recover) –Relationship of objective to policy or threat One to one, One to many, Many to one Explicit and derived (implicit)

8 8 PP Outline (Continued) o Requirements –Functions to be provided Functions the TOE must provide Functions the TOE’s environment must provide –Especially other IT than the TOE (important for composability) Functions the TOE and its environment provide together –Some leeway in precisely what the TOE does –Desire to allow for some flexibility in the TOE design –Assurances that must be provided Assurance = Grounds for confidence Assurance = IT quality from a security perspective Evaluator (or auditor) measures using PP as the yardstick Ultimately assurance depends on the developer and operator

9 9 PP Outline (Continued) o Rationale –Often packaged as a separate document –Shows why the PP is complete, correct, and internally consistent

10 10 Determining PP Conformance o Formal CC Project Recognition o Private sector evaluation and validation o Private sector assessment and validation o Independent evaluation o Vendor assertion o Other...

11 11 PP Conformance (Continued) o Formal CC Project Recognition –PP, ST, and TOE all evaluated Nationally accredited laboratories Use internationally agree to evaluation methodology Subjected to national scheme oversight PP against CC, ST against PP, TOE against ST –Evaluated items receive national validation certificate o Private Sector Evaluation and Validation –PP, then ST and TOE evaluated Sector accredited laboratories (can be the national labs) Sector agreed to evaluation methodology Sector oversight –Sector issues validation certificate

12 12 PP Conformance (Continued) o Private sector assessment and validation –Sector determined assessment performed Perhaps audit verses evaluation PP might not be independently assessed Sector determined assessment methodology –Sector issues validation certificate o Independent evaluation –Sponsor selected laboratory (can be national lab) –Use methodology agree to between sponsor and lab o Vendor assertion –IT developer claims compliance

13 13 Example of ‘PP’ Use - CSPP o Use by Washington, Utah, and Minnesota o Specify requirements for ‘trustworthy IT’ portion of Certificate Authorities (CA) validation o Form of use: Private sector assessment and validation –States selected CSPP (NISTIR 6462) as the requirement set, determining it to be correct and useful –System audit conducted by commercial audit firm –Auditing firms, with state guidance, determine audit methodology and hence the precise meaning of ‘CSPP compliance’ o CSPP (NISTIR 6462) can be found at: http://csrc.nist.gov/publications/nistir/index.html

Download ppt "1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
© Crown Copyright (2000) Module 3.1 Evaluation Process.

© Crown Copyright (2000) Module 3.1 Evaluation Process.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
1.Quality-“a characteristic or attribute of something.” As an attribute of an item, quality refers to measurable characteristics— things we are able to.

1.Quality-“a characteristic or attribute of something.” As an attribute of an item, quality refers to measurable characteristics— things we are able to.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Software Quality Assurance Plan

Software Quality Assurance Plan
Ensuring Better Services and Fair Value “Introduction and roadmap to implementation of ISO 17025 in Zambia’s water utilities” Kasenga Hara March 2015.

Ensuring Better Services and Fair Value “Introduction and roadmap to implementation of ISO in Zambia’s water utilities” Kasenga Hara March 2015.
Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.

Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
The Common Criteria for Information Technology Security Evaluation

The Common Criteria for Information Technology Security Evaluation
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah-19112007- CEM v3.1: Chapter 10 Security Target Evaluation.

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
Manage Quality marta.sanz@ua.es.

Manage Quality
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
Security Controls – What Works

Security Controls – What Works
The Demand for Audit and Other Assurance Services Chapter 1.

The Demand for Audit and Other Assurance Services Chapter 1.
IS Audit Function Knowledge

IS Audit Function Knowledge
PPA 502 – Program Evaluation

PPA 502 – Program Evaluation
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Similar presentations

Ads by Google