Omissions and errors in the CC: Who got it right?
- Slides: 14
- Presented at the 8th ICCC (International Common Criteria Conference)
- Author: Denise Cater
Security Standards
ISO alone have issued:
- ISO 15408 – Common Criteria
- ISO 19092 – Financial Services – Security
- ISO 19790 – Security Requirements for Cryptographic Modules (FIPS 140)
- ISO 27001 – Information Security Management
- ISO 27002 (formerly ISO 17799) – ISMS best practice
Many standards: One CC
- Catalogue of security components:
  - Functional
  - Assurance
- Focus on repeatability
  - Voluminous guidance for consistent application
  - Scheme rules and interpretations = "heavy" process
Payment Industry Security Standards
- Payment Card Industry (PCI) Data Security Standard
- EMV (Europay, Mastercard, Visa) Specifications
- APACS PIN Entry Device PP (APACS)
APACS application of CC
- Own Certification Body
  - Appointment of labs
  - Issuing of certificates
- Focus on CC
  - Less emphasis on CEM
- Concentration of efforts
  - Design and testing seen as paramount
  - Procedural requirements seen as supporting
Smartcard Industry
- Developed PPs
- Generated own interpretations
  - Adopted as CC Supporting Documents
  - Included own Attack Potential Table
- Examples of smartcard-specific attacks

Smartcard Industry (continued)
- Took the CC and gave specific guidance for their industry
- A lot of focus placed on penetration testing
- Identified additional stages in lifecycle/delivery
Adapt to Adopt
- Both industries have made changes to use CC
  - Interpretations
  - Greater emphasis in some areas, less in others

Who got it right?
- The CC, of course!
  - Providing a catalogue that industry and other schemes can draw upon
- But also industry/other schemes
  - Focus on areas of specific interest
  - Light touch on other areas
Who got it wrong?
- Those who requested EALs to be included in CC (for backwards compatibility)
  - Led to "incorrect" use of CC
  - Initially fewer PPs were developed, as effort concentrated on the assurance level alone
Who got it wrong? (continued)
- Authors of the CEM or CC Schemes?
  - Too prescriptive
  - Forcing evaluators to complete work units at a level of detail that is not always necessary
  - Time spent on "meeting the CEM" that would be better spent on testing and vulnerability analysis

In summary
- CC got it right
- CC got it wrong
- But industry can adapt the CC to adopt it

Thank you
Denise Cater
denise@iconsecurity.co.uk