CRISP Work package 4 Key Outcomes
WP4 Key Outcomes
Berlin, 4th September 2015
Irene Kamara, Vrije Universiteit Brussel (LSTS)
Overview
Aims and structure of WP4
Key findings of WP4
Input for next WPs
Aims of WP4
To identify and analyse the core issues associated with certification
To come up with the requirements by which existing evaluation and certification schemes could be used and possibly further developed, enhanced, adapted and integrated for the assessment and certification of products used for physical security of people and infrastructures (i.e. best practice).
Three deliverables & five tasks
Other important elements:
Legal study for each of the four tasks
STEFi – Security-Trust-Efficiency-Freedom Infringements
S.W.O.T. analysis
Three case studies: drones, alarm systems and CCTV
Key outcomes
STEFi criteria repository (D.4.3)
Legal demands for security PSS on four STEFi dimensions (D.4.1)
Best practices of existing security evaluation and certification schemes (D.4.3)
Key issues relating to certification (D.4.1, D.4.3)
Shortcomings and threats of existing schemes (D.4.3)
Risks for CRISP scheme and methodology (D.4.2)
Recommendations for security certification schemes (D.4.3)
Potential impact of security PSS to freedoms and rights, especially data protection & privacy (D.4.2)
1. Shortcomings of existing schemes
Majority of schemes: no clauses on freedoms and rights
Efficiency aspect usually not considered
Limited availability of scheme documentation: lack of transparency
Schemes built on national or local regulations only: obstacle for harmonisation
Lack of transparency regarding validity or renewal of certificate
2. Recommendations
Open and transparent scope, rules and processes
Strong monitoring mechanisms to supervise the compliance of the PSS with the certification rules and its normative references
Accountability mechanisms: clear distribution of responsibilities
Reliable normative references, such as European standards
Governance which involves several stakeholders
Multinational participation in the development process of the scheme to guarantee its pan-European nature
Differentiation of testing and evaluation levels for different security functions/needs
Thorough rules on documentation to ensure accuracy and openness to the interested parties
Publication of the revoked and expired certificates
3. Role of certification in enhancing end-user trust in security PSS
Trust both in terms of the PSS and the certification body/process
Certification that guarantees technical reliability and safety
Transparency obligations to the security product manufacturers
Certification that supports Privacy by Design
Accountability
Independence of the certification body
Involvement of stakeholders
Regular review of compliance and up-to-date auditing procedures
4. Other key findings
Legal gap in regulating certification in Europe
Schemes not always stand-alone documents, but often complemented by other documentation (such as guidance, general rules, other scheme rules etc.)
“a minimum set of legal rules in the form of legal obligations could provide the market, and mainly the consumers of the certified products, with the legal certainty and boost the trust and confidence for the certified products”
“Fragmentation in scheme documentation has an impact on the comprehensiveness of the requirements they test”
5. STEFi requirements scoring in existing schemes
Security is the most addressed dimension, as expected – risk management requirements score higher
Trust not directly addressed – mainly achieving trust by proving respect to rights and legislation
Reliability and perception (observability) score higher
Transparency and user/scrutinised awareness score lower
Efficiency: general efficiency indicators, unintended economic effects and customisation of the PSS to the user needs score high
Energy efficiency and interoperability score low
Freedom infringements (Fi): data protection & data security requirements addressed more often compared to other rights. But not all STEFi attributes fulfilled
Location of data, equal treatment, profiling and automated decision score higher
Non-discrimination, presumption of innocence score lower
STEFi requirements scoring in existing schemes
Codes of conduct and normative parts tend to include some of the societal aspects
But: quite often the societal aspects are not audited – only included as reference/recommendation
Standards and certification schemes: technical aspects
Gap can be filled by the CRISP scheme
Thank you