CRISP Work package 4 Key Outcomes

Transcript of CRISP Work package 4 Key Outcomes

Page 1: CRISP Work package 4 Key Outcomes

WP4 Key Outcomes
Berlin, 4th September 2015

Irene Kamara
Vrije Universiteit Brussel (LSTS)

Page 2: CRISP Work package 4 Key Outcomes

Overview

- Aims and structure of WP4
- Key findings of WP4
- Input for next WPs

Page 3: CRISP Work package 4 Key Outcomes

Aims of WP4

- To identify and analyse the core issues associated with certification
- To come up with the requirements by which existing evaluation and certification schemes could be used and possibly further developed, enhanced, adapted and integrated for the assessment and certification of products used for physical security of people and infrastructures (i.e. best practice).

Three deliverables & five tasks

Other important elements:

- Legal study for each of the four tasks
- STEFi – Security-Trust-Efficiency-Freedom Infringements
- S.W.O.T. analysis
- Three case studies: drones, alarm systems and CCTV

Page 4: CRISP Work package 4 Key Outcomes

Key outcomes

- STEFi criteria repository (D.4.3)
- Legal demands for security PSS on four STEFi dimensions (D.4.1)
- Best practices of existing security evaluation and certification schemes (D.4.3)
- Key issues relating to certification (D.4.1, D.4.3)
- Shortcomings and threats of existing schemes (D.4.3)
- Risks for CRISP scheme and methodology (D.4.2)
- Recommendations for security certification schemes (D.4.3)
- Potential impact of security PSS to freedoms and rights, especially data protection & privacy (D.4.2)

Page 5: CRISP Work package 4 Key Outcomes

1. Shortcomings of existing schemes

- Majority of schemes: no clauses on freedoms and rights
- Efficiency aspect usually not considered
- Limited availability of scheme documentation: lack of transparency
- Schemes built on national or local regulations only: obstacle for harmonisation
- Lack of transparency regarding validity or renewal of certificate

Page 6: CRISP Work package 4 Key Outcomes

2. Recommendations

- Open and transparent scope, rules and processes.
- Strong monitoring mechanisms to supervise the compliance of the PSS with the certification rules and its normative references.
- Accountability mechanisms: clear distribution of responsibilities
- Reliable normative references, such as European standards
- Governance which involves several stakeholders
- Multinational participation in the development process of the scheme to guarantee its pan-European nature
- Differentiation of testing and evaluation levels for different security functions/needs
- Thorough rules on documentation to ensure accuracy and openness to the interested parties
- Publication of the revoked and expired certificates

Page 7: CRISP Work package 4 Key Outcomes

3. Role of certification in enhancing end-user trust in security PSS

- Trust both in terms of the PSS and the certification body/process
- Certification that guarantees technical reliability and safety
- Transparency obligations to the security product manufacturers
- Certification that supports Privacy by Design
- Accountability
- Independence of the certification body
- Involvement of stakeholders
- Regular review of compliance and up-to-date auditing procedures

Page 8: CRISP Work package 4 Key Outcomes


4. Other key findings

Legal gap in regulating certification in Europe

Schemes not always stand-alone documents, but often complemented by other documentation (such as guidance, general rules, other scheme rules etc.)

“a minimum set of legal rules in the form of legal obligations could provide the market, and mainly the consumers of the certified products, with the legal certainty and boost the trust and confidence for the certified products”

“Fragmentation in scheme documentation has an impact on the comprehensiveness of the requirements they test”

Page 9: CRISP Work package 4 Key Outcomes

5. STEFi requirements scoring in existing schemes

- Security is the most addressed dimension, as expected – risk management requirements score higher
- Trust not directly addressed – trust is mainly achieved by proving respect for rights and legislation
  - Reliability and perception (observability) score higher
  - Transparency and user/scrutinised awareness score lower
- Efficiency
  - General efficiency indicators, unintended economic effects and customisation of the PSS to the user needs score high
  - Energy efficiency and interoperability score low
- Fi: data protection & data security requirements addressed more often compared to other rights, but not all STEFi attributes fulfilled
  - Location of data, equal treatment, profiling and automated decision score higher
  - Non-discrimination, presumption of innocence score lower

Page 10: CRISP Work package 4 Key Outcomes

STEFi requirements scoring in existing schemes

- Codes of conduct and normative parts tend to include some of the societal aspects
- But: quite often the societal aspects are not audited – only included as reference/recommendation
- Standards and certification schemes: technical aspects
- Gap can be filled from CRISP scheme

Page 11: CRISP Work package 4 Key Outcomes

Thank you