Cybersecurity Certification · ISO 27001 ISO 27001 is an ISO norm (International Organization for...


jtsec : Beyond IT Security

About Us

Who We Are?

jtsec was created with the idea of offering consulting services for security evaluation and certification according to the most recognized market standards (Common Criteria consulting) at a price that allows businesses of all sizes to access this service.

jtsec is made up of a team of recognized professionals in the IT security sector with more than 30 years of experience in this field. Most of our professionals have worked as evaluators in Spanish laboratories that offer Common Criteria certification, and we endeavour to take the strengths of each laboratory in order to provide a higher-quality service.


Javier Tallón: Expert consultant on different security assurance standards in the field of information technology (Common Criteria, FIPS 140-2, LINCE, PCI-PTS, ISO 27001, SOC 2, ENS...). Javier has served as an evaluator, within the Spanish Certification Body (CB) scheme, for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies through several certification processes.

He has spoken at various cybersecurity conferences (ICCC, Navaja Negra, Supersec) on hacking techniques and certification. He also teaches on the Cybersecurity Master's programme at the University of Granada (UGR).

In 2015 he began to build the foundations of jtsec. He currently works as Chief Operations Officer (COO) at the Granada site, from where the company carries out most of its work. A recognized expert in various cybersecurity disciplines (reversing, exploiting, web, etc.), he assumes the technical direction of most projects, managing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple conferences.

José Ruiz: Expert consultant on cybersecurity certification standards with more than 10 years of experience. José has a wide background in security assurance standards in the field of information technology, such as Common Criteria, FIPS 140-2, GlobalPlatform TEE and FIDO. He has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri, and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to speak at various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He chairs a subgroup within the ISCI WG1 Eurosmart initiative to develop the CC methodology, and is a reviewer for the European Commission's ERNCIP group on "IACS Cybersecurity certification". José is programme director of some of the most prestigious conferences in the cybersecurity field (ICCC, ICMC and CISC).

In 2017 he founded jtsec together with Javier. He is currently in charge of driving the commercial expansion of the company from the Madrid site as CTO. In addition, he represents jtsec in various national and international forums.


Our Story

2001: jtsec first members' contact. The founding members of jtsec met while studying computer engineering at the University of Granada, in the south of Spain, where they shared their passion for knowledge and security.

2007: Meeting the Common Criteria world. Two members of jtsec started working in a Common Criteria lab that would become one of the best-known labs in the world. They were the first evaluators in the lab and participated in more than 50 evaluations over the course of 5 years. They were also involved in the lab obtaining its FIPS 140-2 accreditation.


2012: Different paths. One of the members of jtsec leaves the lab to return to Granada. From there he starts his own venture, providing CC consultancy worldwide under the jtsec brand, while re-establishing contact with the University of Granada security research groups and learning about the Internet of Things and microcontroller programming at Biotronic A.D.

The other team member joins one of the biggest labs in the world, managing the CC service and leading some of the lab's new accreditations, such as GlobalPlatform TEE and FIDO.

2017: Together again. With the experience accumulated over the years, the team gets together again to provide high-quality security services.


Values

Why choose us?

Technical Excellence. We have come to raise the baton of technical excellence. With the highest qualifications we can certify the security of your products and systems. We are 100% committed to a lifelong learning process.

Commitment to our customers. We are determined to solve your problems, not to create new ones. Your project will be successful; there is no other option. We take the standard of excellence in dealing with clients to a new level.

Time to Market. By doing our job on time, we give our customers a competitive advantage. If time is a constraint you can count on us. We put all our resources at your disposal to be not only the best but also the first.


Services

IT Services we offer

01 Common Criteria Consulting. We can help you pass a Common Criteria evaluation: we know the standard thoroughly and can advise and support you, saving time and money. Obtain a Common Criteria certification assisted by our experts.

02 LINCE Evaluation. A lightweight evaluation of your product provides security assurance in a timely manner. We take care of the LINCE evaluation process so that your security product can appear in the CPSTIC catalogue. Our experts will make the process simple and straightforward.

03 Software Security & Penetration Testing. We are experts in the methodologies to follow to discover and minimize possible vulnerabilities. If you need a penetration test or want to secure your software, call us as soon as possible.

04 Information Systems Audit & Ethical Hacking. Our tiger team of ethical hackers audits your systems to ensure their security. If you have special security requirements in your business or are afraid of what hackers can do with your data, contact us.

05 Security Norms Consulting. SOC 2, ISO 27K, PCI-PTS or TSP: we are aware of every security-related standard. If you are about to undertake a security audit or evaluation, call us.

06 Training. Do you need to build cybersecurity know-how into your company? We offer specialized courses in cybersecurity, secure development, certification (CC, FIPS 140-2...) and ethical hacking.


Common Criteria Consulting

"The Common Criteria standard is the most internationally recognized standard for the evaluation of IT products.

A Common Criteria certification is an internationally recognized guarantee that is accepted in most countries of the world, thanks to the Common Criteria Recognition Arrangement (CCRA) and, at European level, the SOG-IS Mutual Recognition Agreement."


At jtsec we are Common Criteria evaluators and we know the process thoroughly. To avoid unnecessary costs, contact us as soon as possible about our Common Criteria consultancy service.

What we offer

Gap Analysis

If you are not sure whether you will be able to achieve a CC certification, a CC gap analysis will resolve your doubts. Our CC experts will analyse the current status of your product and documentation, find any deficiencies and propose the most suitable solution for your case. A gap analysis allows customers to understand the CC process and what they need in order to achieve the CC certificate.

Security Target

We develop the Security Target (ST) suited to your needs. Our broad experience with very different kinds of products allows us to define the ST you need, speeding up evaluation time and letting you negotiate a fair evaluation price with the different labs.

Documentation Development

We amend the documentation you already have, or write it from scratch, with regard to the content and format needed to pass a CC certification. CC documentation development can be costly in money and time for organizations that are not used to CC evaluations.

Training

Does your team need more Common Criteria knowledge? We can provide customized training depending on your needs. We have delivered tailored training to labs, developers and schemes alike. After this training, your team will be able to find its way in the CC world.

Evaluation Management

We are experts in Common Criteria certification. We can manage relations with the Certification Body and the laboratory so that you need only focus on your business.

Pre-assessment

If time is a key factor in obtaining a CC certification, we can perform an initial informal assessment to reduce the time spent in the laboratory and ensure a smooth evaluation.


CCGen

CCGen is a new cloud-ready freemium tool to aid in the generation of CC-compliant product documentation. With a wizard-like approach, CCGen guides you step by step, taking care of every possible inconsistency in the documentation process, accompanied by expert commentary, tips and hints on how to meet the CC standard easily.

The main features of CCGen are the following:

01 A web-based tool using state-of-the-art web technologies such as HTML5, CSS3 and AngularJS.

02 Designed for team working.

03 Allows claiming conformance to one or several Protection Profiles (including collaborative ones).

04 Automatic validation of the consistency of the CC documentation.

05 Available online or on your corporate network.

06 Friendly integrated advanced editor.

07 Integrated CM (configuration management) system.

Don't send your documentation for evaluation until it has been validated by CCGen! Discover the advantages that CCGen can bring to your work! Generate the Common Criteria documentation of your project in the simplest way!

For more information contact us!


Security Norms Consulting

ISO 27K, FIPS 140-2, SOC 2 or PCI PTS: we are aware of every security-related standard. If you are about to undertake a security audit or evaluation, call us.

Security Norms

There are many standards that promise to guarantee the security of a product or system by implementing various controls or through specific audits.

We are familiar with all of them and can help you to attain the certification that is required by your company.

We are experts in risk analysis and can help you to achieve success by giving you access to our expertise.

Whatever your problem, do not hesitate to contact us to see how we can help you.


AICPA SOC 2

A SOC 2 (System and Organization Controls, formerly Service Organization Control) report focuses on a service organization's controls relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (the Trust Services Criteria). These criteria are defined by the AICPA (American Institute of Certified Public Accountants). There are two kinds of SOC 2 report, Type I and Type II: a Type I report covers the design of the described controls at a point in time, while a Type II report additionally requires evidence that the controls actually operated effectively over a review period. SOC 2 reports are widely used nowadays to attest to the security of cloud service providers. We are experts in SOC 2 consultancy.

ISO 27001

ISO 27001 is an ISO standard (International Organization for Standardization) for the establishment, implementation, maintenance and continual improvement of an Information Security Management System (ISMS) that preserves the confidentiality, integrity and availability of the information managed inside an organization. To achieve this, it requires a risk analysis and the treatment of the identified risks. Appropriate treatment of those risks, using the control objectives and controls described in the standard, keeps the risk under control. We offer professional ISO 27001 consulting services. With our help, your business will be able to pass the ISO 27001 audit. We will help you design and implement the required ISO 27001 controls, which will then be reviewed by an ISO 27001 auditor. If you need an ISO 27001 certification, call us now.

FIPS 140-2

FIPS 140-2 is a standard for the validation of software and hardware cryptographic modules. Conformance with this standard implies the correct implementation of a set of cryptographic algorithms chosen in accordance with the CMVP (Cryptographic Module Validation Program) and validated under the CAVP (Cryptographic Algorithm Validation Program), following NIST criteria for key sizes and approved security functions. The standard usually requires role-based access control and correct key management. FIPS 140-2 defines four security levels and includes many requirements to protect the module against physical access. Ask us about our FIPS 140-2 consulting service.
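To make the "correct implementation of approved algorithms" requirement concrete, the following is an added Python example (not jtsec's code and not text from the standard) of the power-up known-answer tests (KATs) that a FIPS 140-2 module runs before it offers any service: it checks its SHA-256 and HMAC-SHA-256 against published test vectors, enters an error state and refuses every request if any answer is wrong, exposes only approved hash functions, and rejects HMAC keys shorter than 112 bits. The `CryptoModule` class, its method names, the injectable digest (used only to simulate a corrupted build) and the choice of SHA-256 as the sole approved hash are illustrative assumptions; the vectors are the FIPS 180 SHA-256 and RFC 4231 HMAC-SHA-256 ones, and the 112-bit key floor follows NIST SP 800-131A.

```python
"""Illustrative FIPS 140-2 style power-up self-test for a software crypto module.

Added example, not jtsec's code. The CryptoModule class, its method names and
its key-length policy are assumptions made for illustration. The known-answer
vectors come from FIPS 180 (SHA-256) and RFC 4231 (HMAC-SHA-256).
"""
import hashlib
import hmac

# Known-answer vectors: (input, expected digest). A module that cannot reproduce
# these is treated as corrupted or mis-linked and must not serve requests.
SHA256_KATS = [
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]
# RFC 4231 test cases 1 and 2: (key, data, expected HMAC-SHA-256).
HMAC_SHA256_KATS = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    (b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]

# Assumed module policy: only these hash functions are offered, and HMAC keys
# shorter than 112 bits (14 bytes) are refused (NIST SP 800-131A minimum).
APPROVED_HASHES = {"sha256"}
MIN_HMAC_KEY_BYTES = 14


class CryptoModule:
    """Toy module boundary: services are refused until the self-tests pass."""

    def __init__(self, sha256_impl=None):
        # The digest implementation is injectable only so that a corrupted
        # build can be simulated; a real module links its own implementation.
        self._sha256 = sha256_impl or (lambda data: hashlib.sha256(data).digest())
        self.state = "uninitialized"      # uninitialized -> operational | error
        self.failed_tests = []

    def power_up_self_test(self):
        """Run every KAT; enter the error state if any answer is wrong."""
        self.failed_tests = []
        for data, expected in SHA256_KATS:
            if not hmac.compare_digest(self._sha256(data).hex(), expected):
                self.failed_tests.append(("sha256", data))
        for key, data, expected in HMAC_SHA256_KATS:
            if not hmac.compare_digest(self._hmac_raw(key, data).hex(), expected):
                self.failed_tests.append(("hmac-sha256", data))
        self.state = "error" if self.failed_tests else "operational"
        return self.state == "operational"

    def _hmac_raw(self, key, data):
        # HMAC built over the module's own SHA-256, so a broken digest also
        # breaks the MAC KAT, as it would in a real module.
        block = 64
        if len(key) > block:
            key = self._sha256(key)
        key = key.ljust(block, b"\x00")
        ipad = bytes(k ^ 0x36 for k in key)
        opad = bytes(k ^ 0x5C for k in key)
        return self._sha256(opad + self._sha256(ipad + data))

    def _require_operational(self):
        if self.state != "operational":
            raise RuntimeError("module not operational (state=%s)" % self.state)

    def digest(self, algorithm, data):
        """Approved-algorithm gate: non-approved names such as md5 are refused."""
        self._require_operational()
        if algorithm not in APPROVED_HASHES:
            raise ValueError("non-approved algorithm: " + algorithm)
        return self._sha256(data)

    def mac(self, key, data):
        """HMAC-SHA-256 with the key-length policy enforced at the boundary."""
        self._require_operational()
        if len(key) < MIN_HMAC_KEY_BYTES:
            raise ValueError("HMAC key shorter than 112 bits")
        return self._hmac_raw(key, data)


def corrupted_sha256(data):
    """Constructed fault: a build whose digest is wrong on every input."""
    return hashlib.sha256(data + b"\x00").digest()


if __name__ == "__main__":
    good = CryptoModule()
    print("good module passes KATs:", good.power_up_self_test())
    bad = CryptoModule(sha256_impl=corrupted_sha256)
    print("corrupted module passes KATs:", bad.power_up_self_test(), bad.failed_tests)
```

The point a validation lab looks for is the ordering: no service is reachable before the self-tests have passed, and a single KAT mismatch leaves the module in an error state from which only a fresh power-up (here, a new instance) recovers. The algorithm and key-size gates sit at the same boundary, so a caller cannot bypass the policy by asking for md5 or a short key.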


FIDO

The FIDO ("Fast IDentity Online") Alliance is an industry consortium launched in February 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. FIDO is the world's largest ecosystem for standards-based, interoperable authentication. The specifications and certifications from the FIDO Alliance enable enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks that use stolen passwords.

PCI PTS

The PCI PTS security approval framework addresses the logical and/or physical protection of cardholder and other sensitive data in point-of-interaction (POI) devices and hardware security modules (HSMs). It provides a comprehensive evaluation process that covers the diversity of payment security device architectures, product options and integration models, potentially optimizing evaluation cost and time. If you need a PCI PTS certification, please contact us!

PCI SPoC

PCI SPoC (Software-based PIN Entry on COTS) is a new standard intended to address the security of credit card transactions using PIN entry software that runs on general-purpose (commercial off-the-shelf) devices. The SPoC Security Requirements are a cross-functional PCI SSC standard that includes specific requirements validated through the PCI PTS program and, where applicable, the PCI DSS assessment/QSA program and/or the PCI PIN program. The SPoC Security Requirements and SPoC Test Requirements also contain specific requirements for overall Solutions and for the SPoC elements (SCRPs, PIN CVM applications, monitoring/attestation systems and back-end monitoring environments) used in the Solution. If you need a PCI SPoC certification, please contact us!


Scheme Definition

jtsec members have broad experience in different well-known IT evaluation methodologies and schemes, such as Common Criteria, FIPS 140-2, GlobalPlatform TEE, FIDO, EMVCo and the eIDAS Regulation (EU) No 910/2014. We have also participated in innovative initiatives such as the European IACS Cybersecurity Certification Framework for the industrial sector and a security evaluation framework for IoT, and have supported the launch of some of these schemes.

jtsec could be your perfect partner if you need to define your IT security certification scheme, including the methodology, security requirements, evaluation/certification process or lab accreditation process.


Information Systems Audit & Ethical Hacking

Our tiger team of ethical hackers audits your systems to ensure their security. If you have special security requirements in your business or are afraid of what hackers can do with your data, you can contact us.


Our hacker team undergoes continuous training that keeps them aware of the latest tools and techniques, so they can carry out the most complete audit of your information systems.

We have the most advanced vulnerability analysis and exploitation tools, many of them developed by our research and development team, as well as the experience needed to give a high degree of confidence that if we aren't able to penetrate your systems, neither can the competition nor a malicious hacker.

Many companies have already relied on us to test their systems and make sure they are secure from attacks from both inside and outside.

Whether you are aware of the need for adequate protection of your systems, because you want to ensure the continuity of your business, or simply for regulatory compliance, you can count on our team of professionals to ensure the security of your systems.

Ethical Hacking and Penetration Testing

White Box Penetration Testing & Code Review

White box testing starts from knowledge of the source code, to establish with a high degree of certainty the security of your application under predetermined conditions of use. It offers more guarantees than black box testing, and as a result you get a detailed report of potential weaknesses and defects in the code that could lead to exploitable vulnerabilities, thus increasing the quality of the final code.

Black Box Penetration Testing

Black box testing is performed on the compiled code, or on the final form in which it is delivered to your customers. This approach places our experts in a situation similar to that of a real-world attacker. Using the same techniques and tools as attackers, we try to find security holes in your application so that they can be corrected and the quality of your product improved.


© jtsec - 2018


www.jtsec.es

Granada, Spain · Madrid, Spain

(+34) 858-981-999 • [email protected]