“Consorzio RES and IT Security Certifications”
1/22
Consorzio RES originated in 1997 in response to the growing needs of the ICT market in the framework of security processing and maintenance of electronic data
Consorzio RES operates as:
Security Evaluation Laboratory (LVS) qualified by the OCSI (ISTICOM)
Evaluation Centre (CE.VA.) qualified by ANS (the Italian National Security Authority)
Global Consultant in physical, organizational and ICT security
2/22
Consorzio RES is a laboratory qualified to perform Security Evaluation Processes according to the following National Schemes:
Scheme managed by OCSI, the certification body for security Evaluation and Certification of commercial systems and products (DPCM of the 30/10/2003)
Scheme managed by ANS, the certification body for security Evaluation and Certification of systems and products dealing with classified information concerning the National Security (DPCM of the 11/04/2002)
What is an Evaluation Process?
3/22
An Evaluation Process is part of a Certification Process and has the purpose of producing a Final Evaluation Report. On the basis of this report, the Certification Body produces the Certification Report and, eventually, the Certificate
So, the target seems to be achieving the Security Certificate
…and this target MUST be achieved…
in a while
with money savings
at high assurance level
4/22
… these are the Customers' usual requests!
?!
5/22
6/22
Our approach precisely answers the main problems of those who are willing to undertake a certification process
Consequently, Consorzio RES has consolidated an operating methodology with certain benefits for the Customers
Experience has taught us to respect the Customers' needs
Why certify
What certify
How much spend
… and the presumptions of our Customers are…
7/22
Why certify
It is necessary to sell our product…
Our direct competitor has just achieved the security certificate for his product…
We have some left-over money in our project…
49%
49%
2%
8/22
What certify
All
We don’t know…
50%
50%
9/22
How much spend
Little money
We have this amount available… do what you can!
50%
50%
10/22
Analysis of these needs has driven Consorzio RES to develop a working methodology that assists the Customers from before the start of the Evaluation Process
The intervention of Consorzio RES, starting from when the Certification is only a hypothesis, allows the Customers to resolve the previous problems to their advantage
The approach followed answers the Customers' needs while respecting all procedures of the reference scheme as well as the security standard used for the system/product evaluation
11/22
Why certify
“So that data requiring protection can be managed in a security context appropriate to the real environment”
From before the start of the Evaluation Process, Consorzio RES cooperates with the Customers in a clear definition of:
Real security needs
Most suitable operating environment
Strictly necessary countermeasures
12/22
What certify
“Only the components (HW/SW) that, implementing Security, are effectively countering the assumed threats”
One of the major activities of Consorzio RES is to support Customers in clearly marking off the boundaries of:
Target of Evaluation
Everything else
Operating environment items
13/22
How much spend
“The bare minimum after having correctly answered the questions: Why certify? What certify?”
14/22
Security Problem ambiguities are frequently translated into a cautionary extension of the boundaries of the Target of Evaluation and its Operating Environment, as well as into the definition of Security Procedures that are onerous for the users' everyday operations
Confusion about true Security Objectives
Certification time increasing
Certification cost increasing
Rules/Standards Modifications
HW/SW Obsolescence
15/22
Consorzio RES Intervention Areas
Evaluation Assistance Phase
Evaluation Preparation Phase
Evaluation Phase
Certificate Emission
certification
Evaluation Starting
Evaluation Ending
16/22
Critical Success Factors (1/2)
Evaluation Assistance Phase
Evaluation Phase
Evaluation Preparation Phase
certification
17/22
Critical Success Factors (2/2)
Evaluation Preparation Phase
Identification of Security Aspects strictly related to the Security Problem
Evaluation Assistance Phase
Very well written evaluation documents compliant with the reference Security Standard
18/22
Paying attention to these Critical Success Factors significantly reduces the risk of accumulating considerable delays during a certification process, to the benefit of costs and operational commitments for the system/product under certification
Evaluation Assistance Phase
Evaluation Preparation Phase
Evaluation Phase
Turnkey solutions
Consorzio RES is able to offer all these services during the same certification process, having highly qualified personnel available in sufficient number to guarantee the independence expected by the national scheme
19/22
Every member of Consorzio RES staff is skilled according to the most recent security standard, recognized by an international board:
Common Criteria v.3.1 (ISO/IEC 15408)
Every member of Consorzio RES staff is also qualified, by both certification bodies, for the respective schemes, to hold the Evaluator role during the evaluation process
20/22
The Customers' trust has allowed us to achieve several firsts:
First Italian LVS to have completed an evaluation process according to the National Scheme managed by OCSI
First Italian laboratory to have completed several Common Criteria evaluation processes according to the National Scheme managed by Italian National Security Agency
First Italian LVS to obtain the qualification required to carry out evaluation processes of products/systems or protection profiles according to the National Scheme managed by OCSI
...all unavoidable results of the care and the skills with which “Consorzio RES” answers the Customers' needs
21/22