1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.

Slides:

Advertisements

Similar presentations

Module N° 4 – ICAO SSP framework

Advertisements

© Crown Copyright (2000) Module 3.1 Evaluation Process.

Module 1 Evaluation Overview © Crown Copyright (2000)

1.Quality-“a characteristic or attribute of something.” As an attribute of an item, quality refers to measurable characteristics— things we are able to.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

Software Quality Assurance Plan

Ensuring Better Services and Fair Value “Introduction and roadmap to implementation of ISO in Zambia’s water utilities” Kasenga Hara March 2015.

Common Criteria Richard Newman. What is the Common Criteria Cooperative effort among Canada, France, Germany, the Netherlands, UK, USA (NSA, NIST) Defines.

Effective Design of Trusted Information Systems Luděk Novák,

The Common Criteria for Information Technology Security Evaluation

IT Security Evaluation By Sandeep Joshi

1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.

The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.

OASIS Reference Model for Service Oriented Architecture 1.0

Security Controls – What Works

The Demand for Audit and Other Assurance Services Chapter 1.

IS Audit Function Knowledge

PPA 502 – Program Evaluation

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

National Information Assurance Partnership NIAP 2000 Building More Secure Systems for the New Millenium sm.

1 Copyright © 2014 M. E. Kabay. All rights reserved. Standards for Security Products CSH5 Chapter 51 “Security Standards for Products” Paul J. Brusil and.

Fraud Prevention and Risk Management

Introduction to Network Defense

Internal Auditing and Outsourcing

What is Business Analysis Planning & Monitoring?

1 Autumn 2008 TM8104 IT Security Evaluation Guide on the production of Protection Profiles Karin Sallhammar Q2S/NTNU 29/11/2003 Reference: ISO/IEC TR

Introduction to Software Quality Assurance (SQA)

Service Organization Control (SOC) Reporting Options and Information

Overview of existing assessment schemes Rolf Bienert, John Lin.

1 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder The Demand for Audit and Other Assurance Services Chapter 1.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

OpenSG Conformity IPRM Overview July 20, ITCA goals under the IPRM at a high level and in outline form these include: Organize the Test and Certification.

1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.

10/20/ The ISMS Compliance in 2009 GRC-ISMS Module for ISO Certification.

The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;

4.3 Document control 4.4 Review of requests, tenders and contracts

Assessing the influence on processes when evolving the software architecture By Larsson S, Wall A, Wallin P Parul Patel.

CMSC : Common Criteria for Computer/IT Systems

IV&V Facility 26SEP071 Validation Workshop Dr. Butch Caffall Director, NASA IV&V Facility 26SEP07.

ISSAI 400 Compliance Auditing

Compliance Audit Subcommittee Reporting Work Plan Copenhagen, Denmark 6th of May 2010.

Copyright (C) 2007, Canon Inc. All rights reserved. P. 0 A Study on the Cryptographic Module Validation in the CC Evaluation from Vendors' point of view.

Webinar FSSC audit report 7th september 2015

SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:

High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.

~ pertemuan 4 ~ Oleh: Ir. Abdul Hayat, MTI 20-Mar-2009 [Abdul Hayat, [4]Project Integration Management, Semester Genap 2008/2009] 1 PROJECT INTEGRATION.

Chapter 21: Evaluating Systems Dr. Wayne Summers Department of Computer Science Columbus State University

Company LOGO. Company LOGO PE, PMP, PgMP, PME, MCT, PRINCE2 Practitioner.

ICAJ/PAB - Improving Compliance with International Standards on Auditing Planning an audit of financial statements 19 July 2014.

Technology Services – National Institute of Standards and Technology Conformity Assessment ANSI-HSSP Workshop Emergency Communications December 2, 2004.

Organizations of all types and sizes face a range of risks that can affect the achievement of their objectives. Organization's activities Strategic initiatives.

WORKSHOP ON COMMON REQUIREMENTS FOR SERVICE PROVISION  Introduction to SESIS Guidance Material  Gerald Amar, SESIS Project Manager European Organisation.

Department of Computer Science Introduction to Information Security Chapter 8 ISO/IEC Semester 1.

2002 ANSI Annual Conference The Value of Accreditation Robert H. King Jr. President and CEO, RAB.

The Common Criteria for Information Technology Security Evaluation

Software Quality Control and Quality Assurance: Introduction

The Demand for Audit and Other Assurance Services

Ch.18 Evaluating Systems - Part 2 -

Service Organization Control (SOC)

UNIT V QUALITY SYSTEMS.

MODULE 2 INTRODUCTION TO GOVERNANCE AUDIT

A Framework for Control

Presentation to sell assurance maps to senior management

James Arnold/ Jean Petty 27 September 2007

Canadian Auditing Standards (CAS)

IS4680 Security Auditing for Compliance

IBM GTS Storage Security and Compliance overview.

The Value of Accreditation

Presentation transcript:

1 Using Common Criteria Protection Profiles

2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner –Also used by users, developers, evaluators, and auditors o A system design document –Refines need through several levels into specific requirements o A consistent thread from ‘what’ to ‘how’ –Requirements match need in a manner the user can live with What is a Protection Profile (PP)?

3 Who ‘owns’ a PP? o PP is fundamentally a statement of user need o Ideally the ‘using’ community should own the PP and –Drive PP development –Soliciting input from developers, evaluators, auditors, and regulators o User understands the mission/business and can state –what is expected of TOE –what is NOT expected of the TOE o Others however... –Vendors have a hard time stating what the product does NOT do –Security technical experts often fail to fully understand user needs

4 PP Outline o INTRODUCTION o TOE DESCRIPTION o SECURITY ENVIRONMENT o OBJECTIVES o REQUIREMENTS o RATIONALE

5 PP Outline (Continued) o Introduction –Executive summary (what the owner of the money needs to see) –Clear statement of the security problem to be addressed –As far into the PP as many decision makers will ever go o TOE Description –Adds greater detail to introduction –What is TOE and what is environment? –Targeted toward the technical manager

6 PP Outline (Continued) o Security Environment –Address user concerns and facilitate requirement definition –Assumptions made in the development of this PP Expectations on the environment that will not be addressed elsewhere Expectations on the nature of the TOE (e.g., built from COTS) Threats not covered due to explicit risk acceptance –Threats and organizational policies to be addressed Those that are significant in terms of developing requirements Those that PP users will want to see explicitly addressed –General level of assurance needed Refinement of rest of PP to this point Capture the gist of that is necessary to meet the PP goals

7 PP Outline (Continued) o Objectives –How policies and threats will be addressed in light of assumptions Nature of the requirements needed Degree of effectiveness expected Focus for efforts (prevent, detect, react, recover) –Relationship of objective to policy or threat One to one, One to many, Many to one Explicit and derived (implicit)

8 PP Outline (Continued) o Requirements –Functions to be provided Functions the TOE must provide Functions the TOE’s environment must provide –Especially other IT than the TOE (important for composability) Functions the TOE and its environment provide together –Some leeway in precisely what the TOE does –Desire to allow for some flexibility in the TOE design –Assurances that must be provided Assurance = Grounds for confidence Assurance = IT quality from a security perspective Evaluator (or auditor) measures using PP as the yardstick Ultimately assurance depends on the developer and operator

9 PP Outline (Continued) o Rationale –Often packaged as a separate document –Shows why the PP is complete, correct, and internally consistent

10 Determining PP Conformance o Formal CC Project Recognition o Private sector evaluation and validation o Private sector assessment and validation o Independent evaluation o Vendor assertion o Other...

11 PP Conformance (Continued) o Formal CC Project Recognition –PP, ST, and TOE all evaluated Nationally accredited laboratories Use internationally agree to evaluation methodology Subjected to national scheme oversight PP against CC, ST against PP, TOE against ST –Evaluated items receive national validation certificate o Private Sector Evaluation and Validation –PP, then ST and TOE evaluated Sector accredited laboratories (can be the national labs) Sector agreed to evaluation methodology Sector oversight –Sector issues validation certificate

12 PP Conformance (Continued) o Private sector assessment and validation –Sector determined assessment performed Perhaps audit verses evaluation PP might not be independently assessed Sector determined assessment methodology –Sector issues validation certificate o Independent evaluation –Sponsor selected laboratory (can be national lab) –Use methodology agree to between sponsor and lab o Vendor assertion –IT developer claims compliance

13 Example of ‘PP’ Use - CSPP o Use by Washington, Utah, and Minnesota o Specify requirements for ‘trustworthy IT’ portion of Certificate Authorities (CA) validation o Form of use: Private sector assessment and validation –States selected CSPP (NISTIR 6462) as the requirement set, determining it to be correct and useful –System audit conducted by commercial audit firm –Auditing firms, with state guidance, determine audit methodology and hence the precise meaning of ‘CSPP compliance’ o CSPP (NISTIR 6462) can be found at: