Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007.

Slides:

Advertisements

Similar presentations

16 August 2010© Crown Copyright (2010)1 Module 2.8 Assurance Continuity and Composition.

Advertisements

© Crown Copyright (2000) Module 3.1 Evaluation Process.

© Crown Copyright (2000) Module 3.2 Evaluation Management.

SMALL BUSINESS SHOWCASE COACT, Inc. is a Service Disabled Veteran Owned Small Business (SDVOSB). Niche Areas: Certification & Accreditation (C&A) FIPS140.

University of Tulsa - Center for Information Security Common Criteria Dawn Schulte Leigh Anne Winters.

Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.

OVERVIEW & LIBRARY SUPPORT FOR DATA MANAGEMENT/SHARING Jim Van Loon, MSME/MLIS Science Librarian.

FAFSA ® Updates Applicant Products Team.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

Software Quality Assurance Plan

IT Security Evaluation By Sandeep Joshi

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Minnesota Agricultural Water Quality Certification Program Senate Environment, Economic Development And Agriculture Finance Committee March 11, 2013.

NASBLA ERAC Terms and Definitions Project Next Steps Webinar July 15, :00 p.m. EDT

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

7th February PQG Supplier Auditor Certification and Training scheme Introduction to the scheme & implications of the changes David Mogg PQG Chairman.

Registration Teaching Council Induction Colm O’Leary Registration Officer.

Westminster City Council and Westminster Primary Care Trust Voluntary Sector Funding 2009/10 Voluntary Sector Funding Eligibility, Application Form Funding,

Fundamentals of ISO.

Community Services Programme Strand 1 & 3 Business Planning Re-contracting April 2014.

1 Anthony Apted/ James Arnold 26 September 2007 Has the Common Criteria Delivered?

Updates on Korean Scheme IT Security Certification Center, National Intelligence Service The 8 th ICCC in Rome, Italy.

Responsible Conduct of Research (RCR) What is RCR? New Requirements for RCR Who Does it Affect? When? Data Management What is the Institutional Plan? What.

Background. History TCSEC Issues non-standard inflexible not scalable.

FIPS Status and Schedules Allen Roginsky CMVP NIST September 28, 2005.

U.S. Department of Agriculture eGovernment Program July 15, 2003 eAuthentication Initiative Pre-Implementation Status eGovernment Program.

U.S. Common Criteria Evaluation & Validation Scheme (CCEVS) Update 25 September 2007 Audrey M. Dale Director, NIAP CCEVS.

The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;

12 Developing a Web Site Section 12.1 Discuss the functions of a Web site Compare and contrast style sheets Apply cascading style sheets (CSS) to a Web.

CMSC : Common Criteria for Computer/IT Systems

The TNI National Environmental Laboratory Accreditation Board Update Daniel Hickman, NELAP Board Chair.

Health eDecisions Use Case 2: CDS Guidance Service Strawman of Core Concepts Use Case 2 1.

Security consulting What about the ITSEC?. security consulting What about the ITSEC? Where it came from Where it is going How it relates to CC and other.

1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.

NERC Project S ystem Protection Coordination - PRC-027 Presentation to the NSRS Conference Call April 20, 2015 Sam Francis Oncor Electric Delivery.

Copyright (C) 2007, Canon Inc. All rights reserved. P. 0 A Study on the Cryptographic Module Validation in the CC Evaluation from Vendors' point of view.

Purpose: The purpose of CMM Integration is to provide guidance for improving your organization’s processes and your ability to manage the development,

A+ certification 2012 Guidelines. CompTIA A+ certification validates the latest skills needed by today’s computer support professionals. It is an international,

SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:

© Copyright 2007 Corsec Security, Inc. Corsec Security, Inc. FIPS and Common Criteria Validation Consultants.

Configuration Management

IEEE P2600 Working Group CygnaCom Solutions Introduction Kris Rogers 25 April 2007.

Introduction to ITIL and ITIS. CONFIDENTIAL Agenda ITIL Introduction  What is ITIL?  ITIL History  ITIL Phases  ITIL Certification Introduction to.

Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University

MEA Document Overview Slides 26 February About these slides This slide pack is designed to provide market participants with an introduction to.

Accident Investigation SGRP CD Slide # Meeting 1 Northern Ontario Safety Group.

9 th International Common Criteria Conference Report to IEEE P2600 WG Brian Smithson Ricoh Americas Corporation 10/24/2008.

WORKSHOP ON ACCREDITATION OF BODIES CERTIFYING MEDICAL DEVICES INT MARKET TOPIC 6 CH 5 ISO MANAGEMENT RESPONSIBILITY Philippe Bauwin Medical.

28 June 2016 | Proprietary and confidential information. © Mphasis 2013 Audit and its classifications Mar-2016 Internal Auditor Training.

Qualifications Wales Update. -To ensure that qualifications and the qualification system in Wales are effective for meeting the reasonable needs of learners.

A LOOK AT AMENDMENTS TO ISO/IEC (1999) Presented at NCSLI Conference Washington DC August 11, 2005 by Roxanne Robinson.

E-Learning Advisory Group Meeting

To the ETS – Accounts Setup and Preferences Online Training Course

The revised Periodic Reporting Questionnaires: general features Alessandra Borchi Policy and Statutory Meetings Section UNESCO World Heritage Centre.

Quality Workshop The Local Council Award Scheme is a great guide for good practice in our sector and a way for councils to build confidence in their.

ISO 9001:2015 Auditor / Registration Decision Lessons Learned

Transition ISO 9001:2008 to ISO 9001:2015

Introduction to CPD Quality Assurance

9th International Common Criteria Conference Report to IEEE P2600 WG

Ag.8 Extra-EU CCs currently in application, and CCs not yet applied

How did we do it? Case examples from AIC

Coordinate Operations Standard

To the ETS – Accounts Setup and Preferences Online Training Course

Supporting SEACs across the Province:

Engineering Processes

Overview of the recommendations on software updates

IEEE- P2600 PP Guidelines Suggested Format and Content

New Special Education Teacher Webinar Series

Presentation transcript:

Assurance Continuity: What and How? Nithya Rachamadugu September 25, 2007

© Copyright 2005 CygnaCom Solutions 2 Topics Introduction History Process Maintenance Path Re-evaluation Path Impact Analysis Report Input to Impact Analysis Report Output from Impact Analysis Report

© Copyright 2005 CygnaCom Solutions 3 Topics (contd.) Guidance to Developers Developer Issues Scheme Questions/Issues Assurance Maintenance Statistics References Contact Information

© Copyright 2005 CygnaCom Solutions 4 Introduction “ The purpose of Assurance Continuity is to enable developers to provide assured products to the IT consumer community in a timely and efficient manner.” [From Assurance Continuity: CCRA Requirements v1.0 February 2004] Why? Keep certificate current Certificate to match the latest TOE, process and environment Certificate to address changes in company information Re-use evidence and results from previous evaluation

© Copyright 2005 CygnaCom Solutions 5 Introduction (contd.) Recognized by the CCRA members Valid for EAL1-EAL4 evaluations

© Copyright 2005 CygnaCom Solutions 6 History CC version 2.1, August AMA class Separate class Dependencies on class (ALC, ACM, AMA) Difficult to follow and understand CC version 2.2, January 2004 – AMA class dropped February 2004 –Assurance Continuity v1.0, with CC V2.3

© Copyright 2005 CygnaCom Solutions 7 Assurance Continuity Process Developer assesses the changes to the evaluated TOE Developer updates the affected documents Developer writes Impact Analysis Report listing the updated documents, description of changes and a verdict Developer ensures that changes have no adverse effect on the Security assurance of the changed TOE Scheme confirms Maintenance/Re-evaluation path Scheme updates the validated product list entry If applicable, scheme issues new certificate Impact Analysis Report is a scheme defined document listing the changes to the TOE and testing conducted by the developer.

© Copyright 2005 CygnaCom Solutions 8 Assurance Process [From Assurance Continuity: CCRA Requirements v1.0 February 2004]

© Copyright 2005 CygnaCom Solutions 9 Assurance continuity Types of Assurance Continuity Assurance Maintenance “Maintenance refers to the process of recognising that a set of one or more changes made to a certified TOE have not adversely affected assurance in that TOE.” Assurance Re-evaluation “ Re-evaluation refers to the process of recognising that changes made to a certified TOE require independent evaluator activities to be performed in order to establish a new assurance baseline. Re- evalution seeks to reuse results from a previous evalution.”

© Copyright 2005 CygnaCom Solutions 10 Assurance Maintenance Minor changes to TOE Assurance affirmed by developer No new certificate Examples - Minor updates to the product not related to security - Minor bug fixes - Process oriented changes - Company information changes

© Copyright 2005 CygnaCom Solutions 11 Assurance Re-evaluation Changes to TOE that are not minor Assurance Re-evaluated by an independent Lab New certificate Impact Analysis Report not required (but helps) Examples - Security related updates to the evaluated TOE - Bug fixes - Many small changes - New interfaces/ADV changes - Years since last certification - Upgrading EAL level

© Copyright 2005 CygnaCom Solutions 12 Impact Analysis Report Records the analysis of the impact of changes to the certified TOE Generated by the developer requesting a maintenance addendum Submitted to the Scheme Impact Analysis Report forrmat - Introduction - Description of changes - Developer evidence changed (identify) - Description of evidence changed - Conclusion with verdict - Annex: Updated evidence

© Copyright 2005 CygnaCom Solutions 13 Input to Assurance Continuity Impact Analysis Report (optional but recommended) Updated ST Updated evidence documents Updated ETR (Re-evaluation) From previous evaluation: - Certificate - Certification report - ETR - ST

© Copyright 2005 CygnaCom Solutions 14 Output from Assurance Continuity Scheme report - Maintenance Report - Certification Report (Re-evaluation path) Updated certificate (Re-evaluation only) Updated Validated Product List Updated ST (posted on the web) Certified TOE

© Copyright 2005 CygnaCom Solutions 15 Guidance to Developers Build maintenance process during initial evaluation Keep good documentation on changes to the product Update all related evidence as TOE changes Conduct some testing before submitting Impact Analysis Report Not all products need to be re-evaluated, check with the scheme Often Labs write the IAR

© Copyright 2005 CygnaCom Solutions 16 Developer Issues [US experience based] Dilemma on the choice of the continuity path Scheme may disagree with developer’s verdict Cost/effort before scheme’s decision Maintenance/re-evaluation decision is subjective Re-evaluation by the same Lab Unpredictable cost Every case is different Assurance Continuity for higher levels not available

© Copyright 2005 CygnaCom Solutions 17 Scheme Questions/Issues Changes to crypto: Maintenance or Re-evaluation? Assurance Continuity from the same scheme Certificate update to EAL5 or higher - not under MRA Scheme variations on Maintenance/Re-evaluation How much is too much? [% change?] Assurance Continuity when PP gets out dated Assurance Continuity for products evaluated under v2.x (ST format, Assurance requirement changes in v3.x) Effect of new scheme Policies on re-evaluations

© Copyright 2005 CygnaCom Solutions 18 CCEVS Statistics on Assurance Continuity [US Scheme based] 217 evaluated products (Dec Aug. 2007) 23 Assurance Continuity : 10 EAL2, 2 EAL3, 11 EAL4 First evaluation – Dec First Assurance Continuity evaluation completed- July products went through Assurance Continuity Some products had multiple revisions Product types: Firewall, IDS/IPS, Switch, Router, Network Management, Web Server, Sensitive Data Protection

© Copyright 2005 CygnaCom Solutions 19 CC References Common Criteria FOR Information Technology Security Evaluation - Part 3 Security Assurance Requirements, August 1999, version 2.1 Assurance Continuity: CCRA Requirements v1.0 –February 2004

© Copyright 2005 CygnaCom Solutions 20 Questions : ??? Thank you! Contact: Nithya Rachamadugu Director, CygnaCom CCTL