“Consorzio RES and IT Security Certifications”


Page 1: “Consorzio RES and IT Security Certifications”


Page 2: “Consorzio RES and IT Security Certifications”

Consorzio RES originated in 1997 in response to the ICT market's growing needs in the framework of security processing and maintenance of electronic data

Consorzio RES operates as:

Security Evaluation Laboratory (LVS) qualified by the OCSI (ISTICOM)

Evaluation Centre (CE.VA.) qualified by ANS (the Italian National Security Authority)

Global Consultant in physical, organizational and ICT security

Page 3: “Consorzio RES and IT Security Certifications”

Consorzio RES is a laboratory qualified to perform Security Evaluation Processes according to the following National Schemes:

Scheme managed by OCSI, the certification body for security Evaluation and Certification of commercial systems and products (DPCM of 30/10/2003)

Scheme managed by ANS, the certification body for security Evaluation and Certification of systems and products dealing with classified information concerning National Security (DPCM of 11/04/2002)

What is an Evaluation Process?

Page 4: “Consorzio RES and IT Security Certifications”

An Evaluation Process is part of a Certification Process and has the purpose of producing a Final Evaluation Report. On the basis of this report the Certification Body produces the Certification Report and, eventually, the Certificate

So, the target seems to be achieving the Security Certificate

…and this target MUST be achieved…

in a while

with money savings

at high assurance level

Page 5: “Consorzio RES and IT Security Certifications”

… these are the Customers' usual requests!

?!

Page 6: “Consorzio RES and IT Security Certifications”

Experience taught us to respect the Customers' needs

Consequently, Consorzio RES has consolidated an operative methodology with certain benefits for the Customers

Our approach punctually answers the main problems of those who are disposed to engage in a certification process

Page 7: “Consorzio RES and IT Security Certifications”

Why certify

What to certify

How much to spend

… and the presumptions of our Customers are…

Page 8: “Consorzio RES and IT Security Certifications”

Why certify

It is necessary to sell our product…

Our direct competitor has just achieved the security certificate for his product…

We have some left-over money in our project…

49%

49%

2%

Page 9: “Consorzio RES and IT Security Certifications”

What to certify

All

We don’t know…

50%

50%

Page 10: “Consorzio RES and IT Security Certifications”

How much to spend

Little money

We have this available amount… do what you can!

50%

50%

Page 11: “Consorzio RES and IT Security Certifications”

Consorzio RES's intervention, from the moment Certification is only a hypothesis, allows the Customers to resolve the previous problems to their advantage

Analysis of these needs has driven Consorzio RES in the development of a working methodology that attends the Customers since before the Evaluation Process start-up

The approach followed answers the Customers' needs while respecting all procedures of the reference scheme as well as the security standard used for the system/product evaluation

Page 12: “Consorzio RES and IT Security Certifications”

Why certify

Since before the start of the Evaluation Process, Consorzio RES cooperates with the Customers in a clear definition of:

Real security needs

Most suitable operating environment

Strictly necessary countermeasures

So that data requiring protection can be managed in a security context appropriate to the real environment

Page 13: “Consorzio RES and IT Security Certifications”

What to certify

Only the components (HW/SW) that, implementing Security, effectively counter the supposed threats

One of the major activities of Consorzio RES is to support Customers in clearly marking off the boundaries of:

Target of Evaluation

Everything else

Operating environment

items


Page 14: “Consorzio RES and IT Security Certifications”

How much to spend

The bare minimum, after having correctly answered the questions: Why certify? What to certify?

Page 15: “Consorzio RES and IT Security Certifications”

It is frequent that Security Problem ambiguities are transposed into a cautionary extension of the boundaries of the Target of Evaluation and its Operating Environment, as well as into the definition of Security Procedures that are onerous for the users' everyday operations

Confusion about true Security Objectives

Certification time increasing

Certification cost increasing

Rules/Standards Modifications

HW/SW Obsolescence

Page 16: “Consorzio RES and IT Security Certifications”

Consorzio RES Intervention Areas

Evaluation Assistance Phase

Evaluation Preparation Phase

Evaluation Phase

Certificate Emission

certification

Evaluation Starting

Evaluation Ending

Page 17: “Consorzio RES and IT Security Certifications”

Critical Success Factors (1/2)

Evaluation Assistance Phase

Evaluation Phase

Evaluation Preparation Phase

certification

Page 18: “Consorzio RES and IT Security Certifications”

Critical Success Factors (2/2)

Evaluation Preparation Phase: Identification of Security Aspects strictly related to the Security Problem

Evaluation Assistance Phase: Very well written evaluation documents compliant with the reference Security Standard

Paying attention to these Critical Success Factors remarkably reduces the risk of accumulating considerable delays during a certification process, to the benefit of costs and operational engagements for the system/product under certification

Page 19: “Consorzio RES and IT Security Certifications”

Evaluation Assistance Phase

Evaluation Preparation Phase

Evaluation Phase

Turn key solutions

Consorzio RES is able to offer all these services during the same certification process, having highly qualified personnel available in sufficient number to guarantee the independence expected by the national scheme

Page 20: “Consorzio RES and IT Security Certifications”

Every human resource of Consorzio RES is skilled according to the most recent security standard, recognized by an international board:

Common Criteria v.3.1 (ISO/IEC 15408)

Every human resource of Consorzio RES is also qualified, by both certification bodies, for the respective schemes, to hold the Evaluator role during the evaluation process

Page 21: “Consorzio RES and IT Security Certifications”

The Customers' trust has allowed us to achieve primacy goals

First Italian LVS to have completed an evaluation process according to the National Scheme managed by OCSI

First Italian laboratory to have completed several Common Criteria evaluation processes according to the National Scheme managed by Italian National Security Agency

First Italian LVS to obtain the required qualification to carry out products/systems or protection profiles evaluation processes according to the National Scheme managed by OCSI

...all unavoidable results of the care and the skills with which “Consorzio RES” answers the Customers' needs

Page 22: “Consorzio RES and IT Security Certifications”

Other information on:

www.consorzio-res.it

Contact:

[email protected]
