Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation."— Presentation transcript:

1 COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation

2 Assessment for PKI Assessment: Prescribed procedure for determining whether a system or one of its components satisfies defined criteria for trustworthiness and quality.

3 Assessment for PKI Assessment: Creates favorable legal presumptions. Legal status. Stronger presumptions for non-repudiation. Necessary for licensing and accreditation. Potential formal requirement for PKI interoperation. This is the motivating example. Creates public relations bonus and generates acceptance. Helps in risk assessment and management. Might be required for insurance purposes.

4 Assessment for PKI Assessment is used by: Service subscribers. Relying parties. Policy management authorities. Certification and registration authorities. Licensing and regulatory authorities.

5 Assessment for PKI Formal qualification of Assessors Some laws require assessors to be Certified Public Accountants. Others specify required years of work in the security profession. Material qualifications of Assessors Independence. Quality assurance for assessment work. Educational and training qualifications.

6 Assessment for PKI Assessment targets: (System-level) The overall PKI environment. Systems and Subsystems. Discrete Components. PKI cryptomodules. (Entity) Primary certification authority controls. Key and device management console. Certificate life-cycle controls.

7 Assessment for PKI Attributes of successful assessment criteria Appropriateness. Develop threat model first. Objectivity. Clarity. Ubiquity. general acceptance. Extensibility. Criteria can be updated for future developments.)

8 Assessment for PKI Self-assessment. Internal audit. External audit.

9 System Assessment Criteria Formal criteria have evolved: U.S. Trusted Computer System Evaluation Criteria (TCSEC) 1985. Orange Book. Focused on confidentiality to protect national security secrets. European Information Technology Security Evaluation Criteria (ITSEC) 1991.

10 System Assessment Criteria Common CriteriaITSECTCSEC EAL1: Functionality testedE0D: Minimal protection. EAL2: Structurally testedE1C1: Discretionary security protection EAL3: Methodically tested and checked.E2C2: Controlled access protection EAL4: Methodically designed, tested and reviewed. E3B1: Labeled security protection. EAL5: Semiformal designed and tested.E4B2: Structured protection. EAL6: Semiformal verified design and testing. E5B3: Security domains. EAL7: Formally verified design and testing. E6A1: Verified design

11 Assessment & Accreditation Schemes Australia, Gatekeeper: Australian government effort to enhance secure service delivery, streamline secure intragovernmental transactions, establish a “rational voluntary mechanism for the implementation of PKI by government agencies.” Gatekeeper is also used to provide interoperationality among PKI providers. Mandatory for vendors of PKI services for government. Gatekeeper has two levels of authentication: Entry-level Full accreditation

12 System Assessment Criteria Canada: Government of Canada PKI Allows links via cross-certification. Expert teams establish tables of concordance between requester’s Certificate Policy (CP) and GoC PKI.

13 System Assessment Criteria US: Light Touch State legislation influenced by Utah and Washington. Reciprocity agreements (e.g. Minnesota, Utah, Washington)

14 System Assessment Criteria HIPAA Requires security controls to ensure the integrity and confidentiality of Internet communications.

Download ppt "COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation."

Similar presentations

© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
Quality assurance in higher education at the sport sector : Portuguese polytechnics case. José Rodrigues President of the External Assessment Team, for.

Quality assurance in higher education at the sport sector : Portuguese polytechnics case. José Rodrigues President of the External Assessment Team, for.
STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)

STRATEGIC PLANNING FOR Post-Clearance Audit (PCA)
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.
Subset of presentations to the Provincial Forestry Forum in 2012-2013.

Subset of presentations to the Provincial Forestry Forum in
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Security Models and Architecture

Security Models and Architecture
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.

Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.
Security Controls – What Works

Security Controls – What Works
EMS Auditing Definitions

EMS Auditing Definitions
Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.

Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.
SMUCSE 5349/7349 Public-Key Infrastructure (PKI).

SMUCSE 5349/7349 Public-Key Infrastructure (PKI).
Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.

Advanced Metering Infrastructure AMI Security Roadmap April 13, 2007.

Similar presentations

Ads by Google