Dato' Ts. Dr Haji Amirudin Bin Abdul Wahab Chief Executive … · 2020. 1. 14. · 1 Amiroul Farhan...

PUBLIC

Title ISCB EVALUATION FACILITY MANUAL (ISCB_EFM)

Reference ISCB-5-MAN-7-ISCB_EFM-V2

Version 2

Approved by & Date

|| ORIGINAL SIGNATURE ||

Dato' Ts. Dr Haji Amirudin Bin Abdul Wahab Chief Executive Officer/ISCB Scheme Owner

2/12/2019

Date

Effective Date

2 December 2019

CyberSecurity Malaysia

Level 7, Tower 1 Menara Cyber Axis

Jalan Impact 63000 Cyberjaya

Selangor Darul Ehsan MALAYSIA

Tel: +60 (0)3 8800 7999 Fax: +60 (0)3 8008 7000

http://www.cybersecurity.my

PUBLIC

ISCB-5-MAN-7-ISCB_EFM-V2

12Page i

REVISION HISTORY

DATE VERSION NO.

PREPARED BY DESCRIPTION OF CHANGES

22 June 2017

1 Amiroul Farhan b. Roslaini

Final released

1 March 2018

1a Amiroul Farhan b. Roslaini

1) The document ID, paragraph numbering, page numbering and reference to paragraphs or sections are changed due to changes below. Changes in this version are made based on the discussion conducted with ISBC and MySEF on 21/2/2018. Please also refer to PRODUCT_SP v1b for the changes.

2) Removed 'Security Posture Assessment Facility (SPAF)’ or ‘SPAF’ in paragraph 12c), paragraph 42, paragraph 55, paragraph 150c), Table 4, and Table 5 because it is not relevant to any ISCB product certification schemes services any more. Refer to the above description.

3) Change the word ‘…(Encrypted…’ to ‘…(protected…’ in paragraph 48 because other protection method can also be used besides encryption.

4) Updated Figure 11 with the new process of TSA Scheme evaluation PLAN phase. This is based on the decision made on 21/2/2018 where the TSA certify and maintenance processes had to be changed and removal of SPAF from the scheme.

5) Remove the last sentence in paragraph 155 because the TSA_MSFR template had been divided into 3 new templates. Therefore, the new TSA_MSFR form only covers the application form.

6) Update paragraph 158 to make it consistent with Figure 11.

PUBLIC


12Page ii

DATE VERSION NO.


7) Updated Figure 12 with the new process of TSA Scheme evaluation EXECUTE phase. This is based on the decision made on 21/2/2018 where the TSA certify and maintenance processes had to be changed and removal of SPAF from the scheme.

8) Update paragraph 166, 167, 171, 178 to make it consistent with Figure 12.

9) Add paragraph 172 until 177 to make it consistent with Figure 12.

10) Update paragraph 182 to make it consistent with the agreed changes.

11) Updated Figure 13 with the new process of TSA Scheme evaluation CLOSE phase. This is based on the decision made on 21/2/2018 where the TSA certify and maintenance processes had to be changed and removal of SPAF from the scheme.

12) Update paragraph 184 until 187 to make it consistent with the agreed changes and Figure 13.

13) As agreed, remove in paragraph 192 as follows '.... period of one (1) month before and one (1) month after the certification…’ to ensure that the certificate is still invalid during the certification maintenance process.

14) Add paragraph 193 – 196 and change Figure 14 to elaborate about certification maintenance process.

15) Remove Section 3.3.2.1, 3.3.2.2, 3.3.2.3 and Figure 15 due to the agreed changes made.

11 November

2019

2

Nur Shazwani bt Mohd Zakaria

1) Change template and address 2) Change manual and procedure’s name

e.g. a) ISCB Quality & Security Manual to

ISCB Common Manual

PUBLIC


12Page iii

DATE VERSION NO.


b) ISCB Procedure Manual to ISCB Common Procedures

c) ISCB Product Certification Schemes Policy (Product_SP) and ISCB Product Certification Manual combined to ISCB Product Manual

d) MyCC Scheme Certification Process to MyCC Scheme Certification Procedure

e) MyCC Scheme Customer Manual (MyCC_P4) to MyCC Scheme Client Guideline (MyCC_CG)

3) To add “The MyCC Scheme Requirement (MyCC_REQ) (Ref [12]) that lists all requirement under MyCC Scheme accordance with CCRA Requirement (Ref [1]) in Section 1.1 Para 2(c).

4) To update Document Relationship in Figure 1 that aligned with latest document.

5) To change the title of “Customer” to “Client” that aligned with main ISCB Common Manual and ISCB Common Procedures.

6) To delete Section 1.1 Para 3(a) The ISCB Product Certification Manual (PRODUCT_CM) that provides interpretation of this policy application for the management and operation of ISCB Product Certification Scheme Section as specifies in Section 2.4 of the ISCB Product Certification Schemes Policy”.

7) To add “… and and MyCC Scheme Requirement (MyCC_REQ) ((Ref [12])…” in Section 1.1 Para 3(a).

8) To change “… Section 2.4 of ISCB Product Certification Schemes Policy (PRODUCT_SP)” to “… Annex B in ISCB Product Manual (PRODUCT_MANUAL) in Section 1.1 Para 3(a).

9) To remove “… quality and information security management system (QISMS)” in Section 1.1 Para 3(b).

PUBLIC


12Page iv

DATE VERSION NO.


10) To change “ISCB Head of Department” to “ISCB Scheme Head” at Section 1.1 Para 4.

11) To change “… Section 2.4 of the ISCB Product Certification Schemes Policy” to “…Annex B in the ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) in Section 1.3.2 Para 11.

12) To add “…and Section 1.1 in the MyCC Scheme Requirement (MyCC_REQ) (Ref [12])” in Section 1.3.2 Para 11.

13) To change “…ISCB product certification schemes policy” to “MyCC Scheme Requirement (specific for MySEF), manuals, procedures” in Section 2.2.1 Para 19(a).

14) To change “…ISCB product certification schemes policy” to “MyCC Scheme Requirement (specific for MySEF), manuals, procedures” in Section 2.2.2 Para 22(b).

15) To change “…ISCB product certification schemes policy” to “MyCC Scheme Requirement (specific for MySEF), manuals, procedures” in Section 2.2.3 Para 25(b).




19) To change “…ISCB product certification schemes policy” to “MyCC Scheme Requirement (specific for MySEF), manuals, procedures” in Section 2.2.6.1 Para 36.

PUBLIC


12Page v

DATE VERSION NO.


20) To change “… as specified in Section 2.4 of the ISCB Product Certification Schemes Policy” to “… as specified Annex B in the ISCB Product Manual (PRODUCT_MANUAL) and/or MyCC Scheme Requirement (MyCC_REQ) (specific for MySEF)).” in Annex REQ.2.

21) To add “… MyCC Scheme Requirement (MyCC_REQ) (specific for MySEF))…” in Annex REQ.3

22) To change address in Section 2.4.2 Para 48.

23) To add “… (refer to Section 2.3 in this document). ISCB will review the license of SEF if the condition are not resolve within the time frame given..” in Section 2.4 Para 53.

24) To change “Section 2.4 of the ISCB Product Certification Schemes Policy” to “Annex B in ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) and/or MyCC Scheme Requirement (MYCC_REQ) (Ref [12]) (specific for MySEF).” In Section 2.5 Para 54.

25) To change “Section 2.4 of the ISCB Product Certification Schemes Policy” to “Annex B in ISCB Product Manual (PRODUCT_MANUAL) in Section 2.5 Para 55.

26) To change “Section 2.4 of the ISCB Product Certification Schemes Policy” to “Annex B in ISCB Product Manual (PRODUCT_MANUAL) in Section 2.5 Para 56(a).

27) To add “MyCC Scheme Requirement (MyCC_REQ) (Ref [12]) (specific for MySEF)” in Section 2.5 Para 56(b).

28) To add “… function as described in the MyCC Scheme Requirement (MyCC_REQ) ((Ref [12]) ..” in Section 3.1.2 Para 97.

29) To change “ISCB Product Certification Schemes Policy (Product_SP)” into “MyCC Scheme Requirement (MyCC_REQ) (Ref [12])” in Section 3.1.2 Para 104.

PUBLIC


12Page vi

DATE VERSION NO.


30) To change “Section 2.4 of the ISCB Product Certification Schemes Policy” to “Annex B in ISCB Product Manual (PRODUCT_MANUAL) in Section 3.2.3 Para 145”.

31) To change “Section 2.4 of the ISCB Product Certification Schemes Policy” to “Annex B in ISCB Product Manual (PRODUCT_MANUAL) in Section 3.3.1.3 Para 182”.

32) To update current version of the document in Annex A.

PUBLIC


12Page vii

REVIEW RECORDS

VERSION NO. REVIEWED BY DATE

1 Wan Shafiuddin bin Zainudin 22 June 2017

1a Wan Shafiuddin bin Zainudin 1 March 2018

2 Hasnida bt Zainuddin 21 November 2019

2 Wan Shafiuddin bin Zainudin 21 November 2019

PUBLIC


12Page viii

DOCUMENT PREPARATION DOCUMENT TITLE: ISCB EVALUATION FACILITY MANUAL (ISCB_EFM) REFERENCE: ISCB-5-MAN-7-ISCB_EFM-V2 VERSION: 2

PUBLIC


12Page ix

COPYRIGHT AND CONFIDENTIALITY STATEMENT

The copyright of this document, which may contain proprietary information, is the property of CyberSecurity Malaysia. The document shall not be disclosed, copied, transmitted or stored in an electronic retrieval system, or published in any form, either wholly or in part without prior written consent. The document shall be held in safe custody and treated in confidence. © CYBERSECURITY MALAYSIA, 2019 Registered office: Level 7, Tower 1 Menara Cyber Axis Jalan Impact 63000 Cyberjaya Selangor Darul Ehsan Registered in Malaysia – Company Limited by Guarantee Company No. 726630-U

PUBLIC


12Page x

CONTENTS

1 Introduction ................................................................................................. 1 1.1 Purpose ............................................................................................................................ 1 1.2 Scope ................................................................................................................................ 1 1.3 Document Organisation ............................................................................................. 2 1.3.1 Document Relationships ........................................................................................ 2 1.3.2 Changes to this Manual .......................................................................................... 2

2 Security Evaluation Facility Minimum Requirement ....................................... 4 2.1 Overview .......................................................................................................................... 4 2.2 SEF staffing ..................................................................................................................... 4 2.2.1 SEF Manager ............................................................................................................... 5 2.2.2 Senior Evaluator ........................................................................................................ 6 2.2.3 Evaluator ..................................................................................................................... 6 2.2.4 SEF Quality Manager ................................................................................................ 8 2.2.5 Project Specific Roles .............................................................................................. 8 2.2.6 Allocation of Roles ................................................................................................... 9 2.2.6.1 Requirements and Measurements .................................................................. 9 2.3 SEF Quality Management System Requirements .............................................. 21 2.3.1 ISO/IEC 17025 (or its successors) Accreditation ......................................... 21 2.4 SEF Application ........................................................................................................... 21 2.4.1 Application Proposal ............................................................................................. 21 2.4.2 Submitting the Application ................................................................................. 22 2.4.3 Assessment of Application .................................................................................. 23 2.5 Operational Requirements ...................................................................................... 23

3 Evaluation Overview ................................................................................... 25 3.1 Security Evaluation Facilities Licensed under MyCC Scheme ....................... 25 3.1.1 Plan Phase ................................................................................................................. 25 3.1.2 Execute Phase .......................................................................................................... 28 3.1.3 Close Phase .............................................................................................................. 36 3.2 Security Evaluation Facilities Licensed under Malaysia Trustmark for Private Sector (MTPS) ............................................................................................................. 37 3.2.1 Plan Phase ................................................................................................................. 37 3.2.2 Execute Phase .......................................................................................................... 38 3.2.3 Close Phase .............................................................................................................. 40 3.3 Security Evaluation Facilities Licensed under Technology Security Assurance (TSA) Scheme ...................................................................................................... 42 3.3.1 CERTIFY ..................................................................................................................... 42 3.3.1.1 Plan Phase ............................................................................................................. 42 3.3.1.2 Execute Phase ...................................................................................................... 45

PUBLIC


12Page xi

3.3.1.3 Close Phase .......................................................................................................... 48 3.3.2 MAINTAIN ................................................................................................................. 50 3.4 Security Evaluation Facilities Licensed under Cryptographic Module Validation Program (MyCMVP) ............................................................................................ 52

4 SEF Assurance Process ............................................................................... 53 4.1 Operate SEF Management System ......................................................................... 53 4.2 SEF Management Reporting for the ISCB Product Certification Schemes . 53 4.2.1 Monitor SEF Key Performance Indicators ........................................................ 53 4.2.2 Prepare SEF Business Report ............................................................................... 54 4.3 Liaison with Third Party Assessors ....................................................................... 54 4.3.1 Assist CCRA Expert Reviewers ........................................................................... 54 4.3.2 Assist ISCB Auditors .............................................................................................. 54

Annex A Reference Materials ....................................................................... 56 A.1 References .................................................................................................................... 56 A.2 Acronyms ...................................................................................................................... 57 A.3 Glossary of Terms ...................................................................................................... 58 A.4 Flow Chart Conventions ........................................................................................... 60 A.4.1 SEF Activities ............................................................................................................ 60 A.4.2 Other Activities ....................................................................................................... 61 A.4.3 External Function/ Phase/ Activities ................................................................ 61 A.4.4 Decision ..................................................................................................................... 61

Annex B ISCB Requirements for SEFs’ Management System .......................... 62 B.1 General Requirements .............................................................................................. 62 B.2 Administrative Structure .......................................................................................... 62 B.3 Organisational Structure .......................................................................................... 62 B.4 Confidentiality ............................................................................................................. 62 B.5 Quality Manual ............................................................................................................ 62 B.6 Documentation and Change Control ................................................................... 63 B.7 Records .......................................................................................................................... 64 B.8 Management Review .................................................................................................. 64 B.9 Evaluation/Testing Personnel ................................................................................. 64 B.10 Evaluation/Testing Facility .................................................................................. 65 B.11 Evaluation/Testing Procedures .......................................................................... 65 B.12 Evaluation/Test Report ......................................................................................... 65

PUBLIC


12Page xii

Index of Tables TABLE 1: EVALUATOR BASIC QUALIFICATIONS AND CERTIFICATIONS .............................................................. 7 TABLE 2: SEF ROLES AND REQUIREMENTS ..................................................................................................... 11 TABLE 3: REQUIREMENTS TABLE SUMMARY ................................................................................................... 20 TABLE 4: LIST OF ACRONYMS ........................................................................................................................ 57 TABLE 5: GLOSSARY OF TERMS ..................................................................................................................... 58

Index of Figures FIGURE 1: DOCUMENT RELATIONSHIP ............................................................................................................. 2 FIGURE 2: SEF ROLE STRUCTURE .................................................................................................................... 5 FIGURE 3: EVALUATION OVERVIEW ................................................................................................................ 25 FIGURE 4: EVALUATION PLAN PHASE FOR SEFS LICENSED UNDER MYCC SCHEME ....................................... 26 FIGURE 5: EVALUATION EXECUTE PHASE FOR SEFS LICENSED UNDER MYCC SCHEME ................................. 29 FIGURE 6: EVALUATION EXECUTE PHASE – EVALUATE EVIDENCE ................................................................... 30 FIGURE 7: EVALUATION CLOSE PHASE FOR SEFS LICENSED UNDER MYCC SCHEME ..................................... 36 FIGURE 8: EVALUATION PLAN PHASE FOR SEFS LICENSED UNDER MTPS ..................................................... 38 FIGURE 9: EXECUTE PHASE FOR SEFS LICENSED UNDER MTPS ..................................................................... 39 FIGURE 10: EVALUATION CLOSE PHASE FOR SEFS LICENSED UNDER MTPS ................................................. 41 FIGURE 11: EVALUATION PLAN PHASE FOR SEFS LICENSED UNDER TSA SCHEME ........................................ 43 FIGURE 12: EVALUATION EXECUTE PHASE FOR SEFS LICENSED UNDER TSA SCHEME .................................. 46 FIGURE 13: EVALUATION CLOSE PHASE FOR SEFS LICENSED UNDER TSA SCHEME ...................................... 49 FIGURE 14: TSA CERTIFICATION MAINTENANCE PROCESS ........................................................................... 51 ............................................................................................................................

PUBLIC


10Page 1

1 Introduction 1.1 Purpose

1 This document, ISCB Evaluation Facility Manual (ISCB_EFM), provides interpretation of the ISCB Product Manual (PRODUCT_MANUAL) and MYCC Scheme Requirement (MyCC_REQ) as applied to the management and operation of licensed Security Evaluation Facilities (SEFs).

2 The intended audience for this document is the Scheme Managers, SEF Managers, certifiers and evaluators. More information on the operation of the ISCB product certification schemes, and the conduct of certification activities, can be found in other ISCB publications. The other official ISCB certification schemes publications are:

a) The ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) that provides an overview of product certification schemes operated by ISCB and specifies the business rules governing its operation; and

b) The ISCB Certification Scheme Register (refer to Annex B in ISCB Product Manual (PRODUCT_MANUAL) (Ref [11])) that lists all ISCB certifications and evaluation projects.

c) The MyCC Scheme Requirement (MyCC_REQ) (Ref [12]) that lists all requirement under MyCC Scheme accordance with CCRA Requirement (Ref [1]).

3 Other official publications that provide detailed guidance for the aspects of ISCB product certification schemes operation are:

a) ISCB product certification processes specific to the certification schemes operated by the units (or known as the certification bodies) under the ISCB Product Certification Scheme Section (refer to Annex B in the ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) and MyCC Scheme Requirement (MyCC_REQ) (Ref [12]); that cover the details of Accept, Oversight, and Certify phases; and

b) The ISCB Common Manual (ISCB_CM) (Ref [9]) and ISCB Common Procedures (ISCB_CP) (Ref [10]) that defines the management system for operation of the ISCB Product Certification Scheme Section.

4 Some documents provided are not publicly available. Third parties seeking access to documents that are not publicly available must submit a request in writing to the ISCB Scheme Head. The decision to release these documents to a third party is at the discretion of ISCB and may be subject to conditions as part of that release.

1.2 Scope

5 This manual applies to the operation of every Security Evaluation Facility (SEF) licensed to conduct security evaluations under the ISCB product certification schemes.

PUBLIC


10Page 2

1.3 Document Organisation

6 This policy document is organised into the following sections: a) Section One provides an introduction to the manual outlining its purpose,

scope, authority, document organisation and related publications. b) Section Two describes the minimum requirements to become and

maintain operation as a licensed SEF within the ISCB product certification schemes, and the application process.

c) Section Three provides detail guidance on the workflow and functions for each business process associated with the delivery of security evaluation services by a SEF (PLAN, EXECUTE, CLOSE).

d) Section Four contains the description of the workflows and functions for each assurance process applicable to a SEF.

e) Annex A contains the Terminology and definitions relevant to SEF management and evaluation services.

f) Annex B contains the ISCB requirements for Security Evaluation Facilities, which is optional to obtain ISO/IEC 17025 accreditation, to deliver the security evaluation services.

1.3.1 Document Relationships

7 The relationship between this manual (shown in red) and other documents in the hierarchy is illustrated in Figure 1 below.

Figure 1: Document Relationship

1.3.2 Changes to this Manual

8 The change authority for this document is the ISCB Scheme Head. All change requests in relation to the manual should be forwarded in writing to the Scheme Managers.

PUBLIC


10Page 3

9 All changes will be submitted to the ISCB Scheme Owner for final approval. 10 Changes to this document should be managed in accordance with the ISCB

Common Manual (ISCB_CM) (Ref [9]) and ISCB Common Procedures (ISCB_CP) (Ref [10]).

11 All approved changes to this manual will be published on the respective certification schemes website as stated in Annex B in the ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) and Section 1.1 in the MyCC Scheme Requirement (MyCC_REQ) (Ref [12]).

PUBLIC


10Page 4

2 Security Evaluation Facility Minimum Requirement

2.1 Overview

12 The Security Evaluation Facility (SEF) licensed by ISCB to deliver the IT security evaluation are categorised as follows:

a) Malaysian Security Evaluation Facility (MySEF) – evaluation facility that is licensed by ISCB to conduct security evaluations of ICT products, systems, and protection profiles against CC (Ref [2], [3], [4]) and CEM (Ref [5]);

b) Crypto Validation Facility (CVF) – evaluation facility that is licensed by ISCB to conduct cryptography conformance and randomness testing against ISO/IEC 19790 (Ref [6]) and ISO/IEC 24759 (Ref [7]);

c) Malaysia Trustmark Certifier (MTC) – organisation or facility that is licensed by ISCB to conduct Trustmark Technical Security Assessment (TTSA) or to validate the security aspects of the e-business web portal and online payment system against the MTPS technical requirements and additional adopted standards such as PCI-DSS and web security best practices (OWASP).

Note: The SEFs above may be provided by the same organisation. 13 This section describes the requirements that are required to be met for an

organisation to become a SEF and to maintain their licence. The staffing requirements, accreditation requirements, application process and maintenance requirements are described separately in the following subsections.

2.2 SEF staffing

14 Each licensed SEF maintains, as a minimum, the following roles: a) SEF Manager; b) Senior Evaluator (or Senior MTPS Certifier (Senior MTC)); c) Evaluator (or MTPS Certifier (MTC)); and d) SEF Quality Manager.

15 While one person can fill more than one role, the SEF is required to maintain a minimum of two staff to ensure that appropriate reviews are performed.

PUBLIC


10Page 5

16 Figure 2 provides a graphical representation of the hierarchy of these roles. Each role, and the associated minimum education and professional experience requirements are described in Section 2.2.1 until Section 2.2.4.

Figure 2: SEF Role Structure

2.2.1 SEF Manager

17 The SEF Manager role is responsible for the operational management of SEF personnel, and the relationship and interface with ISCB. This role may be an authorised ISO/IEC 17025 signatory. In addition, the Lab Manager is responsible for:

a) Nominating SEF staff roles and providing a justification that the nominated staff member is skilled appropriately to perform the role.

b) Ensuring that the contract is in placed prior to the commencement of any evaluation work.

c) Producing an evaluation project proposal to advise ISCB of the intention to perform an evaluation.

d) Executing SEF License Agreement as part of the SEF commencement. e) Producing SEF Business Report annually as for input to the ISCB

certification schemes, as well as SEF management. f) Accepting evaluation documentation for an evaluation project.

18 While one person can fill more than one role, each SEF will have only one staff member nominated as the SEF Manager.

19 The Lab Manager is required to have the following knowledge and skills (the competency requirement and competency measurements are described in Table 2):

a) Formal knowledge in MyCC Scheme Requirement (specific for MySEF), manuals, procedures, and acceptable standards and methodologies;

b) Knowledge in project management (e.g. PRINCE2, PMBOK); c) SEF Management System;

PUBLIC


10Page 6

d) Business Management; e) Personnel Management; and f) ISO/IEC 17025, its successors, or ISCB requirements which is specified in

Annex B of this document, and its application to SEF operations. 20 Ideally, the SEF Manager will also have evaluation skills equivalent to the Senior

Evaluator role.

2.2.2 Senior Evaluator

21 The Senior Evaluator role reports to the SEF Manager and is responsible for: a) Ensuring the effective application of IT security evaluation criteria for

evaluations conducted within the ISCB product certification schemes; b) Maintaining the technical development of Evaluators in the facility; c) Continuous application of the SEF Management System to the conduct of

evaluations within the SEF; d) Acting as an authorised signatory for the evaluation work; e) Attending meetings to discuss interpretations and technical evaluation

issues as needed. 22 The Senior Evaluator is required to have the following knowledge and skills

(the competency requirement and competency measurements are described in Table 2) in addition to those required of an Evaluator:

a) At least two (2) years evaluation or certification experience which is related to ISCB product certification schemes services;

b) Formal knowledge in MyCC Scheme Requirement (specific for MySEF), manuals, procedures, and acceptable standards and methodologies;

c) Knowledge in project management (e.g. PRINCE2, PMBOK); d) Personnel management; e) ISO/IEC 17025, its successors, or ISCB requirements which is specified in

Annex B of this document, and its application to SEF operations; f) Recognised as an Authorised Signatory by the Accreditation Body or ISCB;

and g) SEF Management System.

23 While one person can fill more than one role, each SEF will have only one staff member nominated as the Senior Evaluator.

2.2.3 Evaluator

24 The Evaluator is responsible for the conduct of day-to-day evaluation projects under the direction of the Senior Evaluator and in compliance with the SEF Management System.

25 The Evaluator is required to have the following knowledge and skills (the competency requirement and competency measurements are described in Table 2):

PUBLIC


10Page 7

a) Experience in ICT security evaluation which is related to ISCB product certification schemes services;

b) Formal knowledge in MyCC Scheme Requirement (specific for MySEF), manuals, procedures, and acceptable standards and methodologies;

c) Knowledge in project management (e.g. PRINCE2, PMBOK); d) ISO/IEC 17025, its successors, or ISCB requirements which is specified in

Annex B of this document, and its application to SEF operations; e) SEF Management System; f) Pre-requisite knowledge and skills in at least one of the following areas: Software engineering;

Electronics engineering;

Microcontroller architecture and programming;

ICT Security; and

Systems Analysis.

Note. Pre-requisite knowledge can be demonstrated by tertiary qualifications, professional certifications, or equivalent experience in at least one of those areas identified in Table 1 below before they can conduct ICT security evaluation work.

Table 1: Evaluator Basic Qualifications and Certifications

Qualification Description

ICT Degree / Computer Science Degree / Electronics Engineering Degree

Bachelor, Master or PhD in information and communication Technology that includes at least one but not limited to the following: • Software engineering; • Computer architecture; • ICT Security; • Digital electronics; • Analog electronics; • Microcontroller architecture and

programming; or • System Analysis and design.

CISSP Certified Information Systems Security Professional

SSCP Systems Security Certified Practitioner – Only where the evaluator has an indirectly related degree. For example if an evaluator has a degree in business information

PUBLIC


10Page 8

systems, then SSCP is suitable to augment their skills for ICT security evaluation.

2.2.4 SEF Quality Manager

26 This role is responsible for maintenance of the SEF Management System, and conducts reviews of the application of the management system within the SEF.

27 The SEF Quality Manager is required to have the following knowledge and skills (the competency requirement and competency measurements are described in Table 2):

a) ISO/IEC 17025, its successors, or ISCB requirements which is specified in Annex B of this document, and its application to SEF operations; and

b) Comprehensive understanding of the SEF Management System. 28 Ideally, the SEF Quality Manager will also have one or more of the following

skills: a) Formal knowledge in MyCC Scheme Requirement (specific for MySEF),

manuals, procedures, and acceptable standards and methodologies; b) Knowledge in project management (e.g. PRINCE2, PMBOK); c) ICT and/or Management System Audit (Certified Information System

Auditor, ISMS Lead Auditor or equivalent). 29 While one person can fill more than one role, each SEF will have only one staff

member nominated as the SEF Quality Manager.

2.2.5 Project Specific Roles

30 Within each evaluation project, there are two key roles, in addition to team members. The SEF should nominate a Lead Evaluator and at least one Authorised Signatory for each project. The nomination will be contained in the evaluation project plan submitted to ISCB. One person may fill both of these roles.

i) Lead Evaluator

31 The Lead Evaluator is the technical lead and project manager for a given evaluation project. They are responsible for ensuring that the evaluation methodology requirements are met, the project meets the proposed schedule within the proposed budget, and the evaluation progress report is produced monthly.

32 In addition to being an evaluator, the Lead Evaluator for a project is required to have the following experience:


b) Equivalent knowledge of the product type to the attackers defined in the Security Target or scope of the evaluation;

c) Participated in all evaluation aspects of the proposed evaluation level, during at least two evaluations;

PUBLIC


10Page 9

d) Personnel management; and e) Knowledge in project management (e.g. PRINCE2, PMBOK).

ii) Authorised Signatory

33 The Authorised Signatory for a project is responsible for authorising all reports and documents that are produced during an evaluation project. They are required to ensure that the evaluation is conducted in accordance with ISO/IEC 17025, its successors, or ISCB requirements which is specified in Annex B of this document.

34 In addition to being an evaluator, the Authorised Signatory for a project is required to have the following experience/qualifications:


b) ISO/IEC 17025, its successors, or ISCB requirements which is specified in Annex B of this document, and its application to SEF operations; and

c) Recognised as an Authorised Signatory by the Accreditation Body or ISCB; and

d) At least two (2) years evaluation or certification experience which is related to ISCB product certification schemes services.

2.2.6 Allocation of Roles

35 ISCB is responsible for approving the allocation of SEF staff to SEF roles, based on their qualifications. The SEF Manager is responsible for nominating his staff for roles, and providing a justification that the nominated staff member is skilled appropriately to perform the assigned role.

2.2.6.1 Requirements and Measurements

36 ISCB is required to provide training, which is related to the MyCC Scheme Requirement (specific for MySEF), manuals, procedures, to the SEF personnel.

37 Table 2 below provides details of the training including the competency requirement and competency measurements for each SEF role. These information will be used by ISCB as a guidance when approving the allocation of SEF staff to SEF roles.

38 The requirements are in the following format REQ.[requirement number].[requirement level] where the knowledge level requirements are broken into three levels:

a) Level 1 – basic. The knowledge level required at this level is considered to be general.

b) Level 2 – working. The knowledge level required at this level involves a medium level of expertise. This can be obtained through study and/or on the job experience. At this level, the person is required to work under some level of supervision, has a level of qualified skills.

c) Level 3 – detailed. The knowledge level required at this level involves a higher level of expertise. At this level, the person is required to be able

PUBLIC


10Page 10

to work independently, has qualified skills that are relevant to the area and is able to lead as required.

PUBLIC


10Page 11

Table 2: SEF Roles and Requirements

ROLES LEVEL OF

KNOWLEDGE MEASUREMENT OF COMPETENCY TO PERFORM ROLE

REQ.1 – Tertiary Qualifications or (equivalent) Professional Certification (as specified in Table 1)

Requirement: Tertiary qualifications, professional certifications, or an equivalent experience in at least one of those areas identified in Table 1

Senior Evaluator REQ.1.3 • A tertiary education degree; or

• A certificate of qualification eg. CISSP, SSCP.

Evaluator REQ.1.3 • A tertiary education degree; or

• A certificate of qualification eg. CISSP, SSCP.

REQ.2 – The ISCB Accepted IT Security Evaluation Methodology and Certification Standards

Requirement: Knowledge of the ISCB accepted IT security evaluation methodology and certification standards as specified in Annex B of the ISCB Product Manual (PRODUCT_MANUAL) and/or MyCC Scheme Requirement (MyCC_REQ) (specific for MySEF)

SEF Manager

REQ.2.2 Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.

PUBLIC


10Page 12

ROLES LEVEL OF


Senior Evaluator REQ.2.3 • Minimum of 2 years on the job experience as a SEF Evaluator, including

as a Lead Evaluator, or Certifier which covers highest evaluation assurance components accepted by the ISCB product certification schemes; and

• Evidence of completion, such as training attendance certificate, of related IT security evaluation methodology and certification standards such as CC training or ISCB product certification schemes training.

For MySEF, below is the additional measurement:

• Pass MyCC Scheme examination.

Evaluator REQ.2.2 • Evidence of completion, such as training attendance certificate, of

related IT security evaluation methodology and certification standards such as CC training or ISCB product certification schemes training.


• Pass MyCC Scheme examination; or

• In the case of candidate failed the MyCC Scheme examination, minimum of 1 evaluation project experience as a MySEF Evaluator for all assurance components in the target assurance package for the project, and skills of the technology type are required.

PUBLIC


10Page 13

ROLES LEVEL OF


Lead Evaluator REQ.2.3 • Evidence of completion, such as training attendance certificate, of

related IT security evaluation methodology and certification standards such as CC training or ISCB product certification schemes training.; and

• Minimum of 1 evaluation project experience as a SEF Evaluator for all assurance components in the target assurance package for the project, and skills of the technology type.



• In the case of the candidate failed the MyCC Scheme examination, minimum of 2 evaluation projects experience as a MySEF Evaluator for all assurance components in the target assurance package for the project, and skills of the technology type are required.

SEF Quality Manager REQ.2.1 Evidence of completion of the ISCB product certification schemes training such as training attendance certificate.

REQ.3 – MyCC Scheme Requirement (MyCC_REQ) (specific for MySEF), ISCB Product Manual (PRODUCT_MANUAL) and Certification Processes

Requirement: Knowledge of the MyCC Scheme Requirement (MyCC_REQ) (specific for MySEF), ISCB Product Manual (PRODUCT_MANUAL) and certification processes.

SEF Manager REQ3.2 Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.

PUBLIC


10Page 14

ROLES LEVEL OF


Senior Evaluator REQ3.1 Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.

SEF Quality Manager REQ3.1 Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.

REQ.4 – CCRA Rules and Requirements (specific for MySEF)

Requirement: Knowledge of the Common Criteria Mutual Recognition Arrangement (CCRA) Rules and Requirements (Ref [1])

SEF Lab Manager REQ.4.1 Evidence of completion of the MyCC Scheme training such as training attendance certificate.

Senior Evaluator REQ.4.1 Evidence of completion of the MyCC Scheme training such as training attendance certificate.

REQ.5 – ISCB Evaluation Facility Manual

Requirement: knowledge in the ISCB Evaluation Facility Manual (ISCB_EFM)

SEF Manager REQ.5.3 Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.

PUBLIC


10Page 15

ROLES LEVEL OF


Senior Evaluator REQ.5.3 • Evidence of completion of the relevant ISCB product certification

schemes training such as training attendance certificate.; and

• Minimum of 2 years on the job experience as a SEF Evaluator, including as a Lead Evaluator, or Certifier which covers highest evaluation assurance components accepted by the ISCB product certification schemes.

Evaluator REQ.5.2 Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.

SEF Quality Manager REQ.5.2 Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.

REQ.6 – SEF Management System

Requirement: Knowledge of the SEF Management System (based on the SEF manual)

SEF Manager REQ.6.3 • On the job experience as a SEF Manager; and

• Evidence of completion of SEF induction such as induction attendance list.

Senior Evaluator REQ.6.3 • On the job experience as a Senior Evaluator; and


PUBLIC


10Page 16

ROLES LEVEL OF


Evaluator REQ.6.2 • On the job experience as an Evaluator; and


SEF Quality Manager REQ.6.3 • On the job experience as a Quality Manager; and


REQ.7 – ISO/IEC 17025, its successors, or ISCB requirements

Requirement: knowledge in the General Requirements for the Competence of Testing and Calibration Laboratories or ISCB requirements as specified in Section 2.3 of this document

SEF Manager REQ.7.3 • On the job experience as a SEF Manager; and

• Licensed as an ISO/IEC 17025 (or its successors) assessor by the Accreditation Body; or

• A certificate of completion in ISO/IEC 17025 (or its successors) training.

Senior Evaluator REQ.7.3 • On the job experience as a SEF Senior Evaluator; and



Evaluator REQ.7.1 On the job experience as a SEF Evaluator.

PUBLIC


10Page 17

ROLES LEVEL OF


SEF Quality Manager REQ.7.3 • On the job experience as a SEF Quality Manager; and



REQ.8 – Evaluation

Requirement: Experience performing a product security evaluation against the ISCB accepted IT security evaluation methodology and certification standards such as CC, CEM etc

Senior Evaluator REQ.8.3 • Minimum of 2 years on the job experience as a SEF Evaluator, including

as a Lead Evaluator, or Certifier which covers highest evaluation assurance components accepted by the relevant ISCB product certification schemes; and

• Evidence of completion of the relevant ISCB product certification schemes training such as training attendance certificate.


• Pass MyCC Scheme examination.

PUBLIC


10Page 18

ROLES LEVEL OF


Evaluator REQ.8.2 • On the job experience as a Evaluator; and/or

• Evidence of completion, such as training attendance certificate, of related IT security evaluation methodology such as CC training or relevant ISCB product certification schemes training.



• In the case of candidate failed the MyCC Scheme examination, minimum of 1 evaluation project experience as a MySEF Evaluator for all assurance components in the target assurance package for the project, and skills of the technology type are required.

Lead Evaluator REQ.8.3 • Evidence of completion, such as training attendance certificate, of

related IT security evaluation methodology such as CC training or relevant ISCB product certification schemes training.

• Minimum of 1 evaluation project experience as a SEF Evaluator for all assurance components in the target assurance package for the project, and skills of the technology type.



• In the case of the candidate failed the MyCC Scheme examination, minimum of 2 evaluation projects experience as a MySEF Evaluator for all assurance components in the target assurance package for the project, and skills of the technology type are required.

PUBLIC


10Page 19

ROLES LEVEL OF


REQ.9 – Project Management

Requirement: Experience in a project management role

SEF Manager REQ.9.3 • Evidence of completion of formal Project Management training such

as training attendance certificate; or

• An academic transcript demonstrating completion of Project Management related units.

Senior Evaluator REQ.9.3 • Evidence of completion of formal Project Management training such

as training attendance certificate; or


Lead Evaluator REQ.9.2 • On the job experience as a Lead Evaluator; and

• Evidence of completion of formal Project Management training such as training attendance certificate; or


REQ.10 – Relevant ICT Product Type, Web Security etc

Requirement: Experience performing testing/evaluation of the ICT product or web security

Lead Evaluator REQ.10.2 • Evidence of completion of product specific training such as training

attendance certificate; and/or

• Testing experience from evaluation of a similar ICT product or web security.

PUBLIC


10Page 20

39 The summary of roles and the knowledge level requirements is listed in the table below.

Table 3: Requirements Table Summary

ROLES

REQUIREMENTS

REQ

.1

– Te

rtia

ry

Qua

lific

atio

ns

or

Prof

essi

onal

Cer

tific

atio

n

REQ

.2

– IS

CB

Acc

epte

d IT

Se

curi

ty

Eval

uatio

n M

etho

dolo

gy

and

cert

ifica

tion

Stan

dard

s

REQ

.3

– IS

CB

Prod

uct

Cer

tific

atio

n Sc

hem

es P

olic

y an

d C

ertif

icat

ion

Proc

esse

s

REQ

.4

– C

CRA

Ru

les

and

Requ

irem

ents

(MyS

EF o

nly)

REQ

.5

– IS

CB

Eval

uatio

n Fa

cilit

y M

anua

l

REQ

.6 –

MyS

EF M

anag

emen

t Sy

stem

REQ

.7 –

ISO

/IEC

170

25,

its

succ

esso

rs,

or

ISC

B re

quir

emen

ts

REQ

.8 –

Eval

uatio

n

REQ

.9 –

Pro

ject

Man

agem

ent

REQ

.10

– Re

leva

nt

ICT

Prod

uct

Type

, W

eb S

ecur

ity

etc

SEF Manager 2 2 1 3 3 3 3

Senior Evaluator 3 3 1 1 3 3 3 3 3

Evaluator 3 2 2 2 1 2

Lead Evaluator1 3 3 2 22

Quality Manager 1 1 2 3 3

1 As a Lead Evaluator is required to be an Evaluator, only those requirements that increase to perform the Lead Evaluator role are shown. 2 Where an evaluation includes AVA_VAN.4 or AVA_VAN.5 this requirement increases to REQ.10.3. The Lead Evaluator must be able to demonstrated detailed knowledge and experience testing that type of ICT product, web security etc.

PUBLIC

ISCB-5-MAN-7-ISCB_EFM-V2 Page 21

2.3 SEF Quality Management System Requirements

40 SEFs shall implement and maintain its quality management system. A SEF is accepted as a licensed SEF either:

a) has been accredited against ISO/IEC 17025 (Ref [8]) by Jabatan Standards Malaysia or other accreditation authorities who are recognised by the Malaysian government and CyberSecurity Malaysia; or

b) meet the requirements specified in Annex B of this document or the requirements of ISO/IEC 17025. ISCB is responsible to determine the compliance against the requirements during the licensing site visit.

41 MySEF(s) and CVF(s) is compulsory to obtain the ISO/IEC 17025 accreditation. The requirement to complete the accreditation is specified in Section 2.3.1.

42 For SEF that is optional to obtain ISO/IEC 17025 accreditation like MTC, they shall meet the requirements specified in paragraph 40b).

2.3.1 ISO/IEC 17025 (or its successors) Accreditation

43 For a new MySEF and CVF, ISO/IEC 17025 accreditation is required to be completed either:

a) Prior to the submission of their final evaluation technical report (ETR) for their first completed evaluation project; or

b) Within twenty four (24) months of being granted their partial SEF license,

c) whichever is the sooner. 44 If the requirement in paragraph 43a) cannot be fulfilled due to the

accreditation body requirement (e.g. accreditation body may require more than 1 sample to commence the accreditation assessment), the SEF need to submit the accreditation application that had been submitted to the accreditation body as the evidence of the accreditation commitment.

2.4 SEF Application

45 Any company wishing to become a SEF is required to complete an application proposal outlined in Section 2.4.1, and meet the requirements specified in Section 2.3 and 2.5.

46 Applicants are required to pay a non-refundable application fee to ISCB for assessing the application. The current fee structure is published on the respective ISCB certification schemes websites.

2.4.1 Application Proposal

47 The application proposal is composed of four parts as follow: a) Part 1 - Organisation information.

PUBLIC


Corporate entity, name, address and legal status; and

Details of any potential or existing conflict of interest that would affect the applicant’s ability to become a SEF or to perform the functions of a SEF.

b) Part 2 – Statement of organisational capability and structure. Organisation background and structure;

Financial capacity to support ICT security evaluation services;

Curriculum vitae of proposed evaluation staff and SEF roles;

Staff experience using ICT security evaluation related skills, such as experience in the use of formal methods or functional and vulnerability testing;

Details of ISO/IEC 17025 accreditation, or a plan on how to achieve ISO/IEC 17025 (or its successors) accreditation or comply with the ISCB requirements as specified in Section 2.4 of this manual.

The management structure that will achieve and maintain the quality, security and confidentiality of ICT security evaluations;

The organisation’s quality management system based on the requirement specified in Section 2.3 of this manual;

An outline quality plan for the conduct of ICT security evaluations;

A plan for supervision of inexperienced evaluators; and

Any other supporting factors to support the application.

c) Part 3 – Facilities and Infrastructure. Proposed SEF accommodation; and

Proposed physical and logical security arrangements.

d) Part 4 – Statement of Compliance against the SEF Licensing Agreement.

Compliance statement for each clause of the licence agreement; and

Justification for any non-compliance.

2.4.2 Submitting the Application

48 An applicant is required to submit three (3) hard copies and one (1) electronic copy (protected) to the ISCB Scheme Head at the address stated below:

Level 6, Tower 1, Menara Cyber Axis, Jalan Impact 63000 Cyberjaya Selangor Malaysia

PUBLIC


49 ISCB will notify receipt of an application to become a SEF and if there are any deficiencies in the application material. An applicant has five (5) business days to address any deficiencies and resubmit its application.

2.4.3 Assessment of Application

50 ISCB is responsible for assessing an application to become a SEF. Assessment includes review of the application and the conduct of a site visit by an assessment team appointed by the ISCB. ISCB will provide notification of the site visit to the applicant during the assessment process.

51 During the assessment, ISCB may require additional information to clarify or confirm claims made in the evaluation application. The applicant is required to provide additional information in a timely fashion.

52 Where an application is determined to be compliant, the assessment team conduct a site visit to confirm the claims made by the applicant. It is critical, that the assessment team has completed its review of the application before the site visit. This visit should occur within five (5) business days of completion of the review of the application. The visit should be no more than one (1) business day in length.

53 ISCB’s decision to proceed with granting falls into two categories of SEF license:

a) Full license; or b) Probationary license migrating to a full license upon resolution of any

conditions imposed by ISCB (refer to Section 2.3 in this document). ISCB will review the license of SEF if the condition are not resolve within the time frame given.

2.5 Operational Requirements

54 MySEF and CVF are required to maintain ISO/IEC 17025 (Ref [8]) accreditation throughout their license period. The scope of their accreditation must include the relevant services provided by ISCB Product Certification Section as specific in Annex B in ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) and/or MyCC Scheme Requirement (MYCC_REQ) (Ref [12]) (specific for MySEF).

55 For SEF that is optional to obtain ISO/IEC 17025 accreditation like MTC, they shall meet the requirements specified in paragraph 40b) in order to provide relevant services as specific in Annex B in the ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]).

56 A licensed SEF is required to deliver ISCB product certification schemes services in accordance with the following:

a) ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]); b) MyCC Scheme Requirement (MyCC_REQ) (Ref [12]) (specific for

MySEF); c) This manual – ISCB Evaluation Facility Manual (ISCB_EFM);

PUBLIC


d) ISCB accepted standards and methodology used for conducting IT security evaluation as specified in Annex B in ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]); and

e) Their management system based on the requirements of ISO/IEC 17025, its successors, or ISCB requirements which is specified in Annex B of this document.

57 The SEF should implement appropriate security controls to ensure confidentiality of client information, and to ensure that evaluations are unaffected by other projects taking place in the SEF.

58 SEF personnel are required to sign a confidentiality undertaking prior to their commencement in any role within the SEF.

PUBLIC


3 Evaluation Overview 59 All evaluations occurring under the ISCB product certification schemes will

be performed in three functions: Plan, Execute, and Close. These functions and their relationships to the ISCB product certification schemes are outlined in Figure 3.

Figure 3: Evaluation Overview 60 Due to the difference in the evaluation and certification processes, the

activities of each function above will be different for each SEF licensed under ISCB product certification scheme and will be discussed in the sections below.

3.1 Security Evaluation Facilities Licensed under MyCC Scheme

3.1.1 Plan Phase

61 The purpose of the function is to ensure that each evaluation has a sound base and that the evaluation has a reasonable chance of completion. This function is the commencement of each evaluation that occurs in the SEF licensed under the MyCC Scheme.

62 Figure 43 shows the activities of the evaluation planning function for SEFs licensed under MyCC Scheme, or also known as Malaysian Security Evaluation Facility (MySEF).

3 Flow chart conventions are described in Annex A.4

PUBLIC


Figure 4: Evaluation Plan Phase for SEFs Licensed Under MyCC Scheme

63 Prior to the commencement of any evaluation work, the MySEF Manager will ensure that a contract to provide the evaluation services is in place. The contract will assign the MySEF as their authorised representative for engaging with MyCB (a unit within ISCB Product Certification Scheme Section i.e. the certification body for MyCC Scheme).

64 The MySEF Manager will ensure that the sponsor and/or developer is aware of their responsibilities as described in the MyCC Scheme Client Guideline (MyCC_CG) (Ref [16]).

65 The Senior Evaluator is required to review the Security Target (ST) or Protection Profile (PP) to determine whether it is a sound basis for evaluation. Note: The MySEF is not expected to evaluate the ST or PP at this stage, only determine whether the ST is complete, and that the scope of the TOE is clearly defined and reasonably consistent with the included SFRs. If the ST or PP is not complete at this stage, the MySEF can provide informal comments to assist the developer in developing a suitable ST or PP.

66 If the MySEF has comments on the initial ST or PP, the sponsor/developer will be requested to address the comments and resubmit the ST or PP to the MySEF for review.

67 The MySEF Manager is required to produce an evaluation application to advise the MyCB of the intention to perform an evaluation. The evaluation application includes the following documents:

a) ST or PP that forms the basis of the evaluation;

PUBLIC


b) A statement of any potential or actual conflict of interest that arises as a result of the MySEF conducting the evaluation and any proposed measures to manage that conflict of interest;

c) The MySEF must ensure that the sponsor and the developer (if applicable) are aware of their responsibilities to support the evaluation. The MySEF should provide evidence that the sponsor/developer has acknowledged these responsibilities; and

d) An Evaluation Project Proposal. The Evaluation Project Proposal is required to contain the following information: i) Evaluation project scope – the project scope includes key details

of the evaluation, including the TOE Name and Version, CC Version and Assurance Level, any applicable National and International Interpretations released at the time of writing, and an overview of the TOE functionality.

ii) Contact details for all stakeholders – this includes the Point of Contact details for the developer, sponsor and Lead Evaluator.

iii) Evaluation resources – resource assignment must include a summary of the evaluation teams experience and a justification of the sufficiency of the team. This section is required to nominate a Lead Evaluator and at least one Authorised Signatory for the project.

iv) Schedule and work-breakdown structure – this section will divide the evaluation into manageable pieces and provide estimated commencement and completion dates for each piece of work; and

v) Proposed confidentiality requirements – this should include communication between the MyCB, MySEF, sponsor and developer. Requirements may also be specified in a confidentiality agreement between two or more parties for an evaluation project. Confidentiality requirements should include the measures to be used for the storage and transmission of information between the parties to the agreement.

vi) Proposed reuse of results from previous evaluations – this section is required to demonstrate that the reuse of results is appropriate, and that the previous results are relevant to the proposed TOE.

Notes for Reuse of Evaluation Results: Where a MySEF intends to reuse past evaluation results, the MySEF is required to organise a re-evaluation planning meeting (RPM). The RPM is attended by: 1) A MySEF representative; 2) A MyCC Scheme Certifier;

PUBLIC


The MySEF is required to distribute the agenda for an RPM five (5) business days prior to the meeting with the following additional inputs where applicable and available: 1) An IAR report that considers the impact of changes on the

assurance baseline of the certified TOE; 2) The ST for the current TOE (for re-evaluation); 3) The Evaluation Technical Report (ETR) for the certified TOE; 4) The Certification Report (CR) for the certified TOE4; and 5) The MySEF rationale for reuse of evaluation results.

68 The MyCB will review the evaluation application within five (5) business days of receipt of the evaluation application by the MyCC Scheme and advise the MySEF and the sponsor whether the application has been accepted. If the MyCB finds any deficiencies in the evaluation application, then the MySEF has two (2) business days to address these deficiencies and resubmit the evaluation application. If the evaluation is accepted, the Kick-off Meeting is held. If the application is rejected, the evaluation process ends.

69 Once formally accepted by the MyCB, the MySEF Lead Evaluator for the evaluation is required to organise an Evaluation Kick-off Meeting. The kick-off meeting is attended by: a) The certifier(s) assigned by the MyCB to the evaluation project; b) The lead evaluator for the evaluation project; c) A representative of the sponsor; and d) A representative of the developer.

70 The agenda for the meeting include at least the following points: a) Overview of the scope of the TOE; b) Overview of the evaluation process; c) Overview of the roles and responsibilities; d) Agreement to the schedule; and e) Confirm confidentiality requirements.

3.1.2 Execute Phase

The focus of the MySEF in this function is to determine whether the TOE provides the functionality claimed and whether the claimed Common Criteria requirements have been met.

71 Figure 55 shows the activities of the evaluation execute function for SEFs licensed under MyCC Scheme.

4 The MyCB will normally have access to the CR for the original certified TOE – this need not be provided by the

MySEF 5 Flow chart conventions are described in Annex A.4

PUBLIC


Figure 5: Evaluation Execute Phase for SEFs Licensed Under MyCC Scheme

72 The sponsor/developer is required to provide evidence to the MySEF that meets the requirements of the Common Criteria for the assurance requirements defined in the Security Target or Protection Profile.

73 The MySEF is required to apply the requirements outlined in the CC (Ref [2], [3], [4]) and CEM (Ref [5]), to the evidence provided by the developer. This Activity is outlined in Figure 6 and described in the following subsections.

PUBLIC


Figure 6: Evaluation Execute Phase – Evaluate Evidence 74 For each assurance requirement claimed in the ST or PP, the MySEF

evaluators are required to apply the CC (Ref [2], [3], [4]) and CEM (Ref [5]) and any interpretations agreed at the Kick-off Meeting to determine that the evidence supplied meets the requirements. The MySEF evaluators may also apply interpretations made after the Kick-off meeting, subject to agreement from the sponsor and the Lead Certifier. Note: It is not a requirement that any specific document aside from the ST or PP exists, e.g. there does not have to be a document called “Functional Specification” as long as the CC requirements are met by one or more of the documents submitted for evaluation.

75 The MySEF evaluators are required to examine the evidence in accordance with the Evaluator Action Elements described in the CEM (Ref [5]).

76 The MySEF evaluators are required to record the result of the evaluation in the Evaluator Workbook.

77 The MySEF evaluators are also required to assign verdicts to the requirements of the security evaluation criteria, that is ‘pass’, ‘fail’ or ‘inconclusive’.

78 The MySEF evaluators are required to raise an Evaluation Observation Report (EOR) once a problem that can potentially affect the assurance of the evaluation is detected. Note that evaluator is not permitted to use an EOR to raise any non-assurance related issues with the sponsor.

PUBLIC


79 An EOR contains the following information: a) Identifier assigned to the evaluation project to which the EOR relates

to;

b) Unique reference number of the EOR; c) Version number of the EOR; d) Date on which the EOR was raised; e) Details of the evaluation action element against which the issue was

found and the relevant work package; f) Details of the evaluation deliverables that are relevant to the EOR; g) Observation – describe the problem being reported in sufficient detail

to provide the MyCB and the sponsor understanding to the nature of the problem and its implications;

h) EOR Resolution – detail the resolution of the problem, this section evolves as the resolution takes place.

i) Authorisation Section – detail the authorisation by relevant parties for the release and/or resolution of the EOR.

80 The MySEF may include, the following information, as required: a) Implication – identify the implication for the problem raised to the

evaluation (e.g. an indication of potential knock on effects); b) Recommendation – provide general advice on how the problems can

be solved. Note: MySEF evaluators on a project cannot contribute to the development of the TOE and therefore cannot provide detailed recommendations for remediation of observations.

81 EORs will be provided to the sponsor and Lead Certifier. The Lead Evaluator is required to advise the Lead Certifier if the EOR describes a potential vulnerability.

82 The developers are required to provide the MySEF evaluators with resolutions to all raised EORs in accordance with the MyCC Scheme Client Guideline (MyCC_CG). Evaluation evidence will be submitted to the MySEF for review.

83 During the execution of the evaluation, the Lead Evaluator will be required to submit test plan/site visit plan for:

a) The conduct of development site visits; b) The conduct of functional testing; and c) The conduct of penetration testing.

Observation Site Visits 84 When the Lead Evaluator is ready to plan for an observation site visit, the

evaluators are required to prepare a draft site visit plan. The plan is required to meet the requirements defined in the CEM and will include the following details:

a) Date(s) and site(s) for the observation site visit;

PUBLIC


b) Key personnel involved in the observation site visit; c) Purpose of the proposed observation site visit, including

requirements that need to be addressed; d) Details of the development site personnel that will be interviewed

during the observation site visit and their role in the TOE development;

e) For each assurance requirement that will be tested during the observation site visit: i) The reference documentation satisfying the assurance

requirement;

ii) The proposed action that will be taken at the observation site visit to verify the assurance requirement has been satisfied;

f) For each interview that will be conducted: i) The details of the individual that will be interviewed;

ii) Planned timings for the interview and who will conduct the interview;

iii) A list of interview questions and potential follow-up questions;

85 The plan is to be submitted at least five (5) working days and approved by MyCB prior to the commencement of testing. Note (1): At the discretion the Scheme Manager, and in consultation with the Senior Certifier, at least one (1) member of the certification team for an evaluation project may accompany the evaluators on an observation site visit. This decision should be based on the proficiency and experience of the evaluation team, and/or concerns relating to developer security or configuration management. Where a decision is made to attend, the costs for the certifier attendance at the site visit are charged at cost to the MySEF. It is responsibility of the MySEF to recover the costs from the client. Note (2): If the site located outside Klang Valley, it is the responsibility of the MySEF to cover the cost and managing all the arrangement includes flight ticket, visa (if applicable), hotel accommodation and transportation. Functional and Penetration Testing

86 When the Lead Evaluator is ready to plan for testing, the evaluators are required to prepare a draft test plan. The test plan is required to meet the requirements defined in the CEM and will include the following details:

a) Date(s) and site(s) of testing; b) Key personnel involved in the testing effort; c) Purpose of the proposed testing effort, including requirements that

need to be addressed; d) Test environment, including the version or configuration of the TOE,

hardware and software components including their version numbers and configuration settings;

PUBLIC


e) Test specifications for each test that is going to be performed. The test specification should identify: i) Objective of the test – including a justification for the test. This

may include a reference to a problem report or other evaluation records;

ii) Cross references to applicable security functional requirements (Only for functional testing);

iii) Steps involved – detail of steps that are going to be performed by the evaluators in conducting the test, identifying inputs and configuration settings; and

iv) Expected or desired results.

87 The test plan is to be submitted at least five (5) working days and approved by MyCB prior to the commencement of testing.

88 The MyCB is required to review and respond within five (5) working days of receipt of the test plan. Review of the test plan is required to be performed in accordance with MyCC Scheme Certification Procedure (MyCC_CP) (Ref [12]).

89 If the test report is accepted, the MySEF evaluators can commence testing. If the MyCB has comments, the Lead Evaluator will address the comments in a new draft of the test plan.

90 The MySEF evaluators are required to record the results throughout the testing. The following information must be recorded for each test:

a) Date the test was performed; b) Evaluators involved in performing the test; c) Any additional information relevant to the performance of the test;

and d) Results obtained from the test.

91 At the completion of testing, the MySEF evaluators are required to compare the results obtained from the execution of the test with the expected test results detailed in the test plan. Any deviation from the expected results must be documented and accounted for.

92 Vulnerabilities that are discovered during testing must be reported to the MyCB in accordance to paragraph 78 until paragraph 81 above.

93 Project monitoring occurs throughout the evaluation execute function, and consists of the following aspects. Evaluation Progress Report

94 The Lead Evaluator is required to report progress of the evaluation by submitting Evaluation Progress Report each month to MyCB.

95 The report will include at least the following points: a) An overview of the project against the agreed schedule;

PUBLIC


b) Previous evaluation activities – activities that have been recently completed;

c) Upcoming evaluation activities – to identify future evaluation activities. The Lead Certifier may also provide the evaluation team with guidance for the upcoming evaluation activities; and

d) Overview of the EORs – including the status of issued EORs. e) Project risks and issues and any planned activities to address these

risks and issues Project Progress Meeting

96 The Lead Evaluator is responsible to conduct a formal meeting between the certification team, evaluation team and the sponsor to discuss matters related to the execution of an evaluation project when required. If required, evaluation team, certification team or sponsor can request from the Lead Evaluator for the project progress meeting.

97 The MyCB is responsible to conduct OVERSIGHT function as described in the MyCC Scheme Requirement (MyCC_REQ) (Ref [12]), ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) and MyCC Scheme Certification Procedure (MyCC_CP) (Ref [12]). Within the OVERSIGHT function, the certification team perform the technical certification work and utilise this phase to gain a greater understanding of the TOE and to oversee evaluation activities. This function comprises the following aspects: Technical Review Meeting

98 The MyCB is responsible for organising regular technical review meetings to discuss the technical aspects of the evaluation. The planned frequency of these meetings will be identified in the formal acceptance correspondence provided by the MyCB to the MySEF and the client. At a minimum assurance technical review meeting will be attended by:

a) The lead certifier assigned by the MyCB to the evaluation project; and b) The lead evaluator for the evaluation project.

99 To conduct this meeting, the MyCB may request evaluator evidence of work undertaken on an evaluation project be provided to the lead certifier prior to the technical review meeting and/or during the technical review meeting. Oversight the Testing

100 Lead Certifier (or their delegate) is responsible to review and approved the test plans prior to the commencement of testing as described in paragraph 88 and 89. The test plans include the development site visit plan, functional and penetration testing plan.

101 During execution of the development site visit, functional and penetration testing activities for an evaluation project, the Lead Certifier (or their delegate) may attend the activities as observer. Handle Observation Report

102 During the execution of the evaluation project, the Lead Evaluator will provide information copies of all evaluation observation reports (EORs)

PUBLIC


generated in accordance to paragraph 78 until paragraph 81 above. In general EORs fall into two categories:

a) Evaluation inputs. EORs that relate to non-compliance of evaluation inputs with CC requirements. In the main, these result from documentation review; and

b) Vulnerabilities. EORs that relate to exploitable vulnerabilities identified by the evaluation team. In the main, these result from functional and/or penetration testing.

103 The certification team receives these EORs to monitor for exploitable vulnerabilities identified by the evaluation team. Where an exploitable vulnerability is discovered, MyCB may elect to suspend the evaluation project until a remediation strategy can be agreed with the sponsor. Monitor Evaluation Project

104 Lead Certifier is responsible to monitor the evaluation project progress based on the Evaluation Progress Report provided monthly by the Lead Evaluator as described in paragraph 93 until paragraph 96 above. If issues raised during the evaluation met the suspension or termination criteria as described in the MyCC Scheme Requirement (MyCC_REQ) (Ref [12]), MyCB may suspend or terminate the evaluation project.

105 The MySEF evaluators are required to finalise the workbook. This includes performing an internal review of the workbook in accordance with the MySEF implementation of ISO/IEC 17025 (Ref [8]).

106 The MySEF evaluators are required to document their findings in an Evaluation Technical Report (ETR), which represents the final output from the evaluation project. The conclusions documented in the ETR state the degree to which the evaluation criteria and security functionality have been met, with supporting evidence. The ETR content needs to conform to the requirements of the CEM (Ref [5]), and ISO/IEC 17025 (Ref [8]), and is required to be submitted by the MySEF to the MyCB for review.

107 The MyCB is required to review the ETR submitted by the MySEF evaluator to ensure that all evaluation requirements have been adhered to.

108 Acceptance of the ETR by the MyCB is required prior to the release of CR. 109 The MyCB is required to produce a Certification Report (CR) which

summarises the results of the evaluation. The MyCB will provide the draft CR to the Lead Evaluator and client for review.

110 The drafted CR is reviewed by the MySEF Lead Evaluator for the project and the client to ensure that the information contained within the report accurately reflects the TOE and the evaluation work performed.

111 The MySEF Lead Evaluator is required to submit a set of comments from the evaluator and the sponsor to the MyCB within five (5) working days of receiving the draft CR.

112 Once received the comments from MySEF Lead Evaluator, the MyCB is responsible produce a revised version that is submitted to the Scheme Head for final approval and issue of the certificate for the evaluation.

PUBLIC


3.1.3 Close Phase

This function allows clients of the MySEF to provide feedback on the evaluation process, and formally ends the evaluation.

113 Figure 76 shows the activities of the evaluation close function for SEFs licensed under MyCC Scheme.

Figure 7: Evaluation Close Phase for SEFs Licensed Under MyCC Scheme

114 The MyCB will provide a copy of the final Certification Report (CR) and Certificate to the MySEF and the sponsor. The MySEF is required to archive the Certification Report with the other evaluation records.

115 Once the final version of the CR has been approved, the MyCB is required to publish the details of the evaluation project, its CR and other supporting documentation as required by the CCRA on the MyCC Scheme Certified Product Register (MyCPR) (www.cybersecurity.my/mycc/mycpr.html) and the Common Criteria portal (www.commoncriteriaportal.org) to reflect the certification of the TOE.

116 Once the TOE is certified and the final CR is received, a formal closedown meeting will be hosted by the MySEF conducting the evaluation project. The evaluation closedown meeting is required to be attended by:

a) The certifier(s) assigned by the MyCB to the evaluation project; b) The lead evaluator for the evaluation project; and c) A representative of the sponsor.

117 The meeting will include at least the following points: a) Summary of the evaluation, including key dates; b) Time to complete evaluation and certification activities;


PUBLIC


c) Effort spent in the delivery of evaluation and certification services; d) Vulnerabilities discovered and corrected through the delivery of

evaluation and certification services;

e) Consumer and client satisfaction with the evaluation and certification services offered by the scheme; and

f) Confirm confidentiality and archiving requirements.

3.2 Security Evaluation Facilities Licensed under Malaysia Trustmark for Private Sector (MTPS)

3.2.1 Plan Phase

118 The purpose of this function is to ensure that each MTPS application comply with the requirement of the MTPS and that the application has a reasonable chance of completion. This function is the commencement of each audit and validation that occurs in the SEF licensed under the MTPS.

119 The evaluation plan phase for MTPS is different from the evaluation plan phase for MyCC Scheme. This is because the application will be submitted to MTO (a unit within ISCB i.e. the certification body for MTPS) for the acceptance process.

120 Figure 87 shows the activities of the evaluation planning function for SEFs licensed under MTPS, or also known as Malaysia Trustmark Certifier (MTC).


PUBLIC


Figure 8: Evaluation Plan Phase for SEFs Licensed Under MTPS 121 An organisation that wants to apply for MTPS shall submit the MTPS

Application and Self-Assessment Checklist (which can be downloaded from MTPS website) to MTO Unit (a unit within ISCB Product Certification Scheme Section i.e. the certification body for MTPS).

122 The MTO will review the MTPS Application Form, Self-Assessment Checklist and other supporting documents submitted by the applicant against the requirements of MTPS.

123 If the application is accepted, MTO will issue the formal acceptance to the applicant. If the application is rejected, the application process ends.

124 Once accepted, the MTPS Manager will creates a project workspace for the audit and validation project, and records the details of the project.

125 If the application is for MTPS Trust Level 1 (TL1), then the MTPS Manager will establish the project team which consist of personnel from MTO only and prepare project audit plan (refer paragraph 128).

126 If the application is for MTPS Trust Level 2 (TL2) or MTPS Trust Level 3 (TL3), the MTPS Manager will notify MTC. The MTC Manager will propose one of its personnel to become the member of the project.

127 If the MTPS Manager agree with the proposal, the MTPS Manager will establish the project team which consist of personnel from MTO and MTC, and prepare project audit plan (refer paragraph 128).

128 The MTPS Manager will establish the contract, prepare the MTPS audit plan, and establish the project team based on the competency analysis and MTPS Trust Level. The team member will consist of:

a) MTPS Operator (MTO) – responsible to audit and validate the legality of the organisation based on the MTPS requirements;

b) MTPS Certifier (MTC) – responsible to validate the security requirements of the organisation which includes the Web security assessment and online payment security assessment review (for TL2 & TL3 only).

3.2.2 Execute Phase

129 The focus of the MTC in this function is to determine whether the applicant has implemented security controls for the security of its website and online payment. Note. This function will only be conducted for TL2 and TL3 only.

130 Figure 98 shows the activities of the evaluation execute function for SEFs licensed under MTPS.


PUBLIC


Figure 9: Execute Phase for SEFs Licensed Under MTPS

131 The applicant is required to provide evidence, i.e. the documentations and records regarding the applicant e-business practices including disclosure of information, security, client data protection and alternative dispute resolution, to the MTO that meets the requirements defined in the MTPS Self-Assessment Checklist. In addition, the applicant shall also submit the latest documents and records regarding the web assessment and penetration testing, and PCI DSS assessment that had been conducted previously.

132 The applicant is required to demonstrate the practical implementation of the web security and online payment security to ensure that they maintain the confidentiality, integrity and availability of their client’s data.

133 During the review of the web security and online payment assessment report, the MTC will take sample observations to verify the effectiveness of the implemented security controls. If the MTC has vague that the implemented security controls might not effectively manage the vulnerabilities, the MTC will conduct additional vulnerability assessment to verify the effectiveness of the implemented security controls. Note. During execution of the vulnerability assessment activities, the Lead MTO (or their delegate) may attend the activities as observer.

134 MTC is required to submit the Finding Report of the review or assessment to the MTO.

135 Concurrent with the MTC execute function, MTO will perform assessment against the claimed MTPS Self-Assessment Checklist. MTO will review the evidence submitted by the applicant, conduct site visit to the applicant

PUBLIC


premise, and conduct interviews with the applicant’s staffs that involve in the e-business practices.

136 Once the assessment completed and MTO had received the Finding Report from MTC, the MTO is required to analyse the results obtained from the assessment with the requirement of the MTPS. Any deviation from the expected results must be documented and accounted for.

137 The MTO is required to raise a Non-Conformity Report (NCR) once a problem that can potentially affect the assurance is detected. NCRs will be provided by MTO to the applicant. Note. A meeting between the MTO, MTC, and applicant might be conducted to present the NCRs.

138 The applicant is required to define an appropriate set of corrective actions plan to resolve the identified non-conformity. Note. The applicant shall meet the MTO and MTC to discuss about their proposed corrective actions. The timeline taken by the applicant to resolve the NCRs shall be agreed by the MTO and MTC. The agreed corrective actions plan shall be submitted to MTO within ten (10) business days from the receipt of the NCRs.

139 The resolution and closure of the corrective actions should be verified by inspection and review of the evidences, or by means of re-audit and re-validation to verify satisfactory closure of the corrective actions.

140 Once the MTO and MTC are satisfied with the closure of the corrective actions, the MTO will compile and summarise the findings in the MTPS Audit Report (MAR). The report will be submitted for internal and technical review by the ISCB Quality Manager and MTC. Once the review process completed, a recommendation is proposed to the Scheme Head to make a decision whether to grant or revoke the Malaysian Trustmark.

141 Once approved, the MAR will be submitted to the applicant and MTO is responsible to publish the Malaysia Trustmark at the validated e-business website.

3.2.3 Close Phase

142 This function allows clients of the MTPS to provide feedback on the evaluation and certification processes, and formal closing of the project.

143 Figure 109 shows the activities of the evaluation close function for SEFs licensed under MTPS.


PUBLIC


Figure 10: Evaluation Close Phase for SEFs Licensed Under MTPS

144 Once the Malaysia Trustmark is published at the validated e-business website, the MTO and MTC are required to archive all evaluation records.

145 With consent from the applicant, the MTPS Manager (or his delegate) will publish the validated website details in the MTPS Validated Website Register (MTPS_VWR) (refer to Annex B of the ISBC Product Manual (Ref [11] for the link of the MTPS_VWR).

146 A formal project closure notification will be submitted by the MTO to the applicant and MTC, including the client feedback form. The notification should include at least the following points:

a) Summary of the evaluation, and non-conformities discovered and corrected through the delivery of the MTPS audit and validation services;

b) Confirm confidentiality and archiving requirements; and c) Changes of the Malaysia Trustmark status. The MTO is required to

inform the applicant that they are bonded to the rules of the MTPS. The Malaysia Trustmark might be revoked if:

A validated e-business organisation has persistently or seriously failed to meet the MTPS requirements effectively;

A validated e-business organisation do not want to renew the application. Note: Malaysia Trustmark is valid for one (1) year; or

A validated e-business organisation has voluntarily requested a revocation.

PUBLIC


3.3 Security Evaluation Facilities Licensed under Technology Security Assurance (TSA) Scheme

147 As specified in Annex B of the ISCB Product Manual (PRODUCT_MANUAL), TSA Scheme services includes:

a) Certify Evaluation Result (CERTIFY) - The process that, in accordance with ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) requirements, provides controlled acceptance of a TOE into the TSA Scheme for evaluation and certification, provides oversight of the work conducted by the SEFs and certifies the results of the evaluation.

b) Maintain Certificate (MAINTAIN) – The process that provides maintenance of the certificate and to ensure a level of confidence in the security provided by the certified TOE that has completed certification within the TSA Scheme and its operational environment as it is updated, in accordance with ISCB Product Manual (Ref [11]) requirements.

148 The SEFs licensed by ISCB to deliver IT security evaluation under TSA Scheme includes:

a) Malaysian Security Evaluation Facility (MySEF) – evaluation facility that is licensed by ISCB to conduct functional testing and vulnerability assessment of an ICT product against TSA Mandatory Security Functions Requirement (TSA_MSFR) which is developed based on the international standards and best practices such as the CC (Ref [2], [3], [4]) and other related best practices.

b) Cryptography Validation Facility (CVF) – evaluation facility that is licensed by ISCB to conduct cryptography conformance and randomness testing against ISO/IEC 19790 (Ref [6]) and ISO/IEC 24759 (Ref [7]). This testing will only be conducted if required by the TSA_MSFR.

Note. The SEFs above may be provided by the same organisation. 149 The detail processes involve in order to deliver the services above will be

discussed in Section 3.3.1 and Section 3.3.2 of this document.

3.3.1 CERTIFY

3.3.1.1 Plan Phase

150 The purpose of the function is to ensure that each application for the certification project comply with the requirement of the TSA Scheme and that the evaluation has a reasonable chance of completion.

151 Figure 11 10 shows the activities of the evaluation planning function for SEFs licensed under TSA Scheme to deliver CERTIFY service.


PUBLIC


Figure 11: Evaluation Plan Phase for SEFs Licensed Under TSA Scheme

152 Prior to the commencement of any evaluation work, the MySEF Manager will ensure that a contract to provide the evaluation services is in place. The contract will assign the MySEF as their authorised representative for engaging with TSACB (a unit within ISCB Product Certification Scheme Section i.e. the certification body for TSA Scheme).

153 The MySEF Senior Evaluator is required to review the claimed TSA Mandatory Security Functions Requirement (TSA_MSFR) form submitted by the applicant to determine whether it is complete, and reasonably consistent. Note: TSA_MSFR form is the application form that contain the information of the applicant, and its product specification and claimed security functions.

154 If the MySEF Senior Evaluator found that the TSA_MSFR form is not complete at this stage, the MySEF Senior Evaluator can provide informal comments to assist the applicant in completing the TSA_MSFR form.

155 If the MySEF has comments on the claimed TSA_MSFR form, the applicant will be requested to address the comments and resubmit the TSA_MSFR form to the MySEF for review.

156 Once the MySEF Manager is satisfied with the application, if the application require additional cryptography conformance and randomness testing, the MySEF Manager is required to notify CVF Manager regarding the evaluation application and submit the SEF Evaluation Planning Form the CVF Manager. Both MySEF and CVF need to establish a non-disclosure agreement to

PUBLIC


ensure the confidentiality of the applicant’s information. CVF Manager needs to fill-in the relevant information in the SEF Evaluation Planning Form and submit it to MySEF Manager.

157 The MySEF Manager is required to finalise and submit the evaluation application to advise the TSACB of the intention to perform an evaluation. The evaluation application shall include the following documents:

a) A complete TSA_MSFR form that forms the basis of the evaluation; b) SEF Evaluation Planning Form – is a form used by the TSACB to ensure

that the evaluation will be conducted by the competent licensed SEF(s), and to ensure that each evaluation has a sound base and that the evaluation has a reasonable chance of completion; and

c) A draft test plan. The draft test plan is required to contain the following information: i) Date(s) and site(s) of testing;

ii) Key personnel involved in the testing effort;

iii) Purpose of the proposed testing effort, including requirements that need to be addressed;

iv) Test environment, including the version or configuration of the TOE, hardware and software components including their version numbers and configuration settings;

v) Test specifications for each test that is going to be performed. The test specification should identify:

1) Objective of the test – including a justification for the test. This may include a reference to a problem report or other evaluation records;

2) Cross references to applicable security functional requirements (only for functional testing);

3) Steps involved – detail of steps that are going to be performed by the evaluators in conducting the test, identifying inputs and configuration settings; and

4) Expected or desired results. 158 The TSACB will review all the documents submitted above within three (3)

business days of receipt of the evaluation application by the TSA Scheme and advise the MySEF and the applicant whether the application has been accepted or rejected.

159 If the TSACB finds any deficiencies in the evaluation application, then the MySEF has two (2) business days to address these deficiencies and resubmit the evaluation application. If the evaluation is accepted, the MySEF shall plan for the project kick-off meeting that shall be conducted within five (5) working days from the date the application is accepted. If the application is rejected, the evaluation process ends.

PUBLIC


160 Once formally accepted by the TSACB, the MySEF Lead Evaluator for the evaluation is required to organise a project kick-off meeting. The kick-off meeting is attended by: a) The certifier(s) assigned by the TSACB to the evaluation project; b) The lead evaluator for the evaluation project; and c) A representative of the applicant.

161 The agenda for the meeting include at least the following points: a) Overview of the scope of the TOE; b) Overview of the evaluation process; c) Overview of the roles and responsibilities; d) Agreement to the schedule; e) Confirm confidentiality requirements; and f) Product demonstrations and installation.

3.3.1.2 Execute Phase

162 The focus of MySEF in this function is to determine whether the TOE provides the claimed security functionality and whether the claimed TSA_MSFR requirements have been met.Figure 1211 shows the activities of the evaluation execute function for SEFs licensed under TSA Scheme to deliver CERTIFY service.


PUBLIC


Figure 12: Evaluation Execute Phase for SEFs Licensed Under TSA Scheme 163 The applicant is required to provide evidence, i.e. the ICT product, guidance

document, and other evidence which had been declared in the TSA_MSFR form and agreed during the kick-off meeting, to the MySEF.

164 Once the evidence had been received and the product had been installed, the MySEF evaluators can commence testing.

165 If additional cryptography conformance and randomness testing is required, the MySEF Lead Evaluator will submit the evidence required by the CVF evaluator to perform the testing.

166 The MySEF and CVF evaluators are required to record the results throughout the testing. The following information must be recorded for each test:

a) Date the test was performed; b) Evaluators involved in performing the test; c) Any additional information relevant to the performance of the test;

and d) Results obtained from the test.

167 At the completion of testing, the MySEF and CVF evaluators are required to compare the results obtained from the execution of the test with the expected test results detailed in the test plan. Any deviation from the expected results must be documented and accounted for.

PUBLIC


168 The MySEF and CVF evaluators are required to finalise the test plan report, and also summaries their findings and recommendations in Section 1 and Section 2 of the Evaluation and Certification Report form. Those documents represents the final output from the evaluation project. The MySEF Lead Evaluator is required to advise the Lead Certifier if an evaluation finding describes a potential vulnerability. Note: MySEF and CVF evaluators on a project cannot contribute to the development of the TOE and therefore cannot provide detailed recommendations for remediation of findings.

169 The conclusions recorded in the Evaluation and Certification Report form state the degree to which the TSA_MSFR have been met, with supporting evidence. The final test plan report, and Evaluation and Certification Report form are required to be submitted by the MySEF to the TSACB for review.

170 The TSACB is required to review the final test plan report, and Evaluation and Certification Report form submitted by the MySEF evaluator to ensure that all evaluation requirements have been adhered to. If there is any deficiencies in the reports, then the MySEF and CVF has five (5) business days to address these deficiencies and resubmit the reports.

171 If the reports are accepted, the TSACB Lead Certifier will need to identify if there is any FAIL finding from the conclusions recorded in the Evaluation and Certification Report form. If there is no FAIL finding, the TSACB certification team need to complete and finalise the Evaluation and Certification Report form, perform internal review, and submit those documents to the Scheme Head for final approval and issue the certificate for the evaluation.

172 However, if there is any FAIL finding reported in the Evaluation and Certification Report form, the TSACB Lead Certifier will requested MySEF to host a project meeting. This is important in order to communicate with the applicant regarding the evaluation result, and determine their readiness and commitment in order to rectify the FAIL finding.

173 The project meeting is attended by: a) The certifier(s) assigned by the TSACB to the evaluation project; b) The lead evaluator for the evaluation project; and c) A representative of the applicant.

174 The agenda for the meeting include at least the following points: a) Summary of the evaluation, and effort spent in the delivery of

evaluation and certification services; b) Discussion on the evaluation findings which shall include PASS and

FAIL findings, and exploitable vulnerability discovered (if any); c) Identification whether this will be the first iteration:

Note: TSA Scheme will allow only one (1) iteration of evaluation finding. If a problem that can potentially affect the assurance of the evaluation is detected for the second time, the evaluation project will be ended.

PUBLIC


i) If this is not the first iteration, then the meeting will discuss about the closure of the evaluation project as specified in Section 3.3.1.3;

ii) If this will be the first iteration, then the meeting will need determine the applicant readiness and commitment in order to rectify all the FAIL findings and exploitable vulnerability discovered. Timeline for the new evaluation evidence submission need to be identified and agreed during this meeting. If the applicant do not want to proceed with the rectification, then the project will be ended (the meeting will discuss items as specified in Section 3.3.1.3).

175 If the applicant agree to proceed with the rectification, they are required to provide the MySEF with the resolutions within the agreed schedule. Evaluation evidence will be submitted to the MySEF and/or CVF for further action.

176 The TSACB is responsible to conduct OVERSIGHT function as described in the ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]) and TSA Scheme Certification Procedure (TSA_CP) (Ref [15]). Within the OVERSIGHT function, the certification team perform the technical certification work and utilise this phase to oversee evaluation activities and resolve any issues found during the evaluation execute phase. This function comprises the following aspects. Oversight the Testing

177 During execution of the functional and penetration testing activities for an evaluation project, the Lead Certifier (or their delegate) may attend the activities as observer. Monitor Evaluation Project

178 Lead Certifier is responsible to monitor the evaluation project progress. If issues raised during the evaluation met the suspension or termination criteria as described in the ISCB Product Manual (PRODUCT_MANUAL) (Ref [11]), TSACB may suspend or terminate the evaluation project.

3.3.1.3 Close Phase

179 This function allows clients of the MySEF and CVF to provide feedback on the evaluation process, and formal engagement between TSACB and the applicant to conduct certificate maintenance within 6 months from the certification date (for new application) or 12 months from the certification date (for existing certified product).

PUBLIC


180 Figure 1312 shows the activities of the evaluation close function for SEFs licensed under TSA Scheme to deliver CERTIFY service.

Figure 13: Evaluation Close Phase for SEFs Licensed Under TSA Scheme

181 The TSACB will provide a copy of the Certificate to the MySEF, CVF (if required) and the applicant. The MySEF and CVF are required to archive the Certificate with the other evaluation records.

182 Once the final version of the Evaluation and Certification Report form and Certificate had been approved, the TSACB is required to publish the details of the certification project, its Certificate and other supporting documentation (if any) on the TSA Scheme Certified Product Register (TSA_CPR) (refer to Annex B of the ISBC Product Manual (Ref [11] for the link of the TSA_CPR).

183 A formal closedown meeting will be hosted by the MySEF conducting the evaluation project. The evaluation closedown meeting is required to be attended by:

a) The certifier(s) assigned by the TSACB to the evaluation project; b) The lead evaluator for the evaluation project; c) A applicant representative; and d) Representatives from CVF.

184 The meeting will include at least the following points:


PUBLIC


a) Summary of the evaluation, and effort spent in the delivery of evaluation and certification services;

b) Vulnerabilities discovered and corrected through the delivery of evaluation and certification services (if any);

c) Client satisfaction with the evaluation and certification services offered by the scheme;

d) Confirm confidentiality and archiving requirements; and e) Formal engagement between the applicant and TSACB. The applicant

shall sign an agreement with TSACB to ensure that they are bonded to the rules of the TSA Schemes. This is to ensure that the applicant will participate in the certificate maintenance and ensure the correct usage of the certification mark. Their certificate will be withdrawn if they fails to perform its obligations under the agreement.

f) Formal engagement between the applicant and TSACB to conduct certificate maintenance within 6 months from the certification date (for new application) or 12 months from the certification date (for existing certified product).

185 The closedown meeting is the final activity for the CERTIFY service. 186 Based on paragraph 147b), the client is required to participate in the

certification maintenance. The detail processes for MAINTAIN service is described in Section 3.3.2 below.

3.3.2 MAINTAIN

187 The objective of certification maintenance is: a) to ensure continuous compliance with ISCB product certification

schemes rules; b) to ensure a level of confidence in the security provided by the certified

ICT product and its operational environment as it is updated; and c) to verify the correct use of the certificate and certification mark.

d) In addition, certification maintenance provides clients with a cost effective method of maintaining the same confidence level in the security provided by the certified TOE after modification and update throughout its normal lifecycle.

188 TSACB shall ensure the certification maintenance is conducted at least once a year and shall be conducted onsite, where the site should be proposed by the client. The date of the first certification maintenance following the initial TOE certification shall not be more than six (6) months from the certificate date.

189 The certification maintenance shall have been completed within the period of one (1) month before the certificate due date or previous certification maintenance due date. If this time period is exceeded and the certification maintenance is not conducted within the prescribed time period, the certificate will then be no longer valid and cannot be used. In such a case,

PUBLIC


all issued copies of the certificate have to be returned to the TSACB and the TSA_CPR should be updated. Note. TSA Scheme certificate applies only to a specific version of a TOE and is valid for one (1) year.

190 TSACB performs certification maintenance as two (2) business functions as shown Figure 14 below.

Figure 14: TSA Certification Maintenance Process

191 During the ASSESS Phase, TSACB will determines the category of changes to a certified TOE as either:

a) MINOR. The changes do not significantly impact the confidence level in the security provided by the certified TOE and can be accepted under certification maintenance. The Lead Certifier will prepare an addendum for the original certificate issued for the certified TOE and update the TSA_CPR; or

b) MAJOR. The changes have a significant impact on the confidence level in the security provided by the certified TOE. The Lead Certifier will prepare a formal notification to request a decision from the client whether to proceed for re-certification.

192 If the result of the ASSESS Phase is a MAJOR finding, and the client chooses to continue with the TOE re-certification, TSACB will notify MySEF that was involved in the previous TOE evaluation for re-certification. Note. TSACB will notify other licensed SEF if the client chooses other licensed SEF to perform the re-certification.

193 The contracted MySEF will commence the PLAN Phase of the TSA Scheme CERTIFY service (refer to Section 3.3.1).

PUBLIC


3.4 Security Evaluation Facilities Licensed under Cryptographic Module Validation Program (MyCMVP)

194 MyCMVP is currently under development as one of ISCB 11th Malaysian Plan project. The detail activities of the evaluation planning function for SEFs licensed under MyCMVP, or also known as Cryptography Validation Facility (CVF), will be updated once the scheme is ready for operation.

PUBLIC


4 SEF Assurance Process 195 This section provides a description of the workflows and functions for each

assurance process applicable to a SEF. The processes that will be included are:

a) Operate SEF Management System; b) SEF Management Reporting for the ISCB Product Certification

Schemes; and c) Liaison with Third Party Assessors.

4.1 Operate SEF Management System

196 This process defines, maintains, monitors and improves the SEF management system in accordance with the requirements specified in Section 2.3 of this document.

4.2 SEF Management Reporting for the ISCB Product Certification Schemes

197 The process for collating the outcomes of (continuous and planned) assurance activities related to a SEF, and for the preparation and delivery of management-level reports to the Scheme Managers (as required) and to senior management of the SEF. This will occur at least annually, and is part of maintaining ISO/IEC 17025 accreditation and SEF licensing. This process incorporates two key functions:

a) Monitor SEF Key Performance Indicators; and b) Prepare SEF Business Report.

4.2.1 Monitor SEF Key Performance Indicators

198 The SEF is required to monitor (as a minimum) the following key performance measures and report performance in the SEF Business Report:

a) Time to complete evaluation activities; b) Effort spent in the delivery of evaluation services; c) Vulnerabilities discovered and corrected through the delivery of

evaluation services; d) Consumer and client satisfaction with the evaluation services offered

by the scheme; e) Outcomes of management reviews and accreditation activities

undertaken; f) Training and development activities undertaken by the evaluators;

and g) Any other aspects and indicators as directed by the ISCB product

certification schemes.

PUBLIC


4.2.2 Prepare SEF Business Report

199 The SEF Business Report shall be prepared and submitted to the ISCB on an annual basis, outlining the following information:

a) Prospective business: The SEF provides ISCB with details of contacts made with prospective clients, allowing ISCB to gauge the level of demand for ISCB product certification schemes services and to understand potential future certifier and resource requirements.

b) Staffing: A list of all current SEF staff members, and their current status or roles within the SEF. This should include an indication of the percentage of time, against full time equivalence, that each staff member is allocated to SEF activities. This section of the report should also highlight any changes in personnel or their status since the previous SEF Business Report.

c) Licensing and accreditation status: The report indicates the current state of the SEF licensing and accreditation status, highlighting any changes since the previous SEF Business Report. .

d) Scheme issues: Any general issues in relation to the ISCB product certification schemes that the SEF may wish to bring to the attention of ISCB are to be included in the report.

e) Key Performance Indicators: The SEF shall report on the KPI’s, including any changes since the previous SEF Business Report.

200 The Scheme Manager may request a meeting with the SEF Lab Manager to discuss matters arising from the business report.

4.3 Liaison with Third Party Assessors

201 This process for assisting third party assessors (external and independent) with the conduct of their responsibilities associated with assessing the operation of the SEF. This process incorporates two key functions:

a) Assist CCRA Assessors; and b) Assist ISCB Auditors.

4.3.1 Assist CCRA Expert Reviewers

202 The MyCC Scheme is required to participate in CCRA Voluntary Periodic Assessment (VPA) activities every five years. This may require the MySEF to allow access to evaluation facilities, projects and staff by technical experts to facilitate reviews of the MyCC Scheme by external experts in the CCRA.

4.3.2 Assist ISCB Auditors

203 All SEFs shall be prepared to be audited by ISCB upon receipt of written notice on intention to conduct an audit by ISCB. ISCB audits are not scheduled and may be conducted for reasons including:

a) A client complaint;

PUBLIC


b) An appeal of a certification decision; c) As a result of ISO/IEC 17025 accreditation or licensing issues; d) As a result of reported Voluntary Periodic Assessment (VPA) issues;

and/or e) As a random activity.

204 The SEF is required to provide any assistance to ISCB Auditors that is reasonably requested in auditing the SEF.

205 In addition to ISCB audits, a SEF is required to maintain the licensing requirements and accreditation against ISO/IEC 17025 (for MySEF and CVF). Accreditation requires periodic assessment by Jabatan Standards Malaysia or other accreditation authorities appointed assessors. SEF Managers should contact Jabatan Standards Malaysia or other accreditation authorities, who are recognised by the Malaysian government and CyberSecurity Malaysia, for the schedule of these assessments. The SEF is required to provide any assistance to assessors that are reasonably requested in completing accreditation.

PUBLIC


Annex A Reference Materials A.1 References [1] Arrangement on the recognition of Common Criteria Certificates in the field

of Information Technology Security, July 2014. [2] Common Criteria for Information Technology Security Evaluation, Part 1:

Introduction and general model, CCMB-2017-04-001, Version 3.1, Revision 5, April 2017.

[3] Common Criteria for Information Technology Security Evaluation, Part 2: Security functional components, CCMB-2017-04-002, Version 3.1, Revision 5, April 2017.

[4] Common Criteria for Information Technology Security Evaluation, Part 3: Security assessment components, CCMB-2017-04-003, Version 3.1, Revision 5, April 2017.

[5] Common Evaluation Methodology for Information Technology Security Evaluation, CCMB-2017-04-004, Version 3.1, Revision 5, April 2017.

[6] ISO/IEC 19790:2012 – Information technology – Security techniques – Security requirements for cryptographic modules, International Standards Organisation, 2012.

[7] ISO/IEC 24759:2014 – Information technology – Security techniques – Test requirements for cryptographic modules, International Standards Organisation, 2014.

[8] ISO/IEC 17025:2017 – The General requirements for the Competence of Testing and Calibration Laboratories, International Standards Organisation, 2017.

[9] Latest version of ISCB Common Manual (ISCB_CM) as listed in the ISCB Master Register.

[10] Latest version of ISCB Common Procedures (ISCB_CP) as listed in the ISCB Master Register.

[11] Latest version of ISCB Product Manual (PRODUCT_MANUAL) as listed in the ISCB Master Register.

[12] Latest version of MyCC Scheme Requirement (MyCC_REQ) as listed in the ISCB Master Register.

[13] Latest version of MyCC Scheme Certification Procedure (MyCC_CP) as listed in the ISCB Master Register.

[14] Latest version of MTPS Certification Procedure (MTPS_CP) as listed in the ISCB Master Register.

[15] Latest version of TSA Scheme Certification Procedure (TSA_CP) as listed in the ISCB Master Register.

[16] Latest version of MyCC Scheme Client Guideline (MyCC_CG) as listed in the ISCB Master Register.

PUBLIC


A.2 Acronyms

Table 4: List of Acronyms

Acronyms Expanded Term

CB Certification Body

CC Common Criteria

CEM Common Evaluation Methodology

CCRA Common Criteria Recognition Arrangement

MyCC_REQ MyCC Scheme Requirement

CPR Certified Products Register

ICT Information and Communications Technology

IEC International Electrotechnical Commission

ISCB Information Security Certification Body

ISCB_EFM ISCB Evaluation Facility Manual

ISO International Standards Organisation

MTC Malaysia Trustmark Certifier

MTO Malaysia Trustmark Operator

MTPS Malaysia Trustmark for Private Sector

MTPS_VWR MTPS Validated Website Register

MyCB Malaysian Common Criteria Certification Body

MyCC Malaysian Common Criteria Evaluation and Certification

MyCMVP Cryptographic Module Validation Program

MyCPR MyCC Scheme Certified Products Register

MySEF Malaysian Security Evaluation Facility

PP Protection Profile

PUBLIC


PRODUCT_MANUAL ISCB Product Manual

ISCB_CM ISCB Common Manual

ISCB_CP ISCB Common Procedures

ST Security Target

TOE Target of Evaluation

TSA Technology Security Evaluation

TSACB Technology Security Evaluation Certification Body

TSA_CPR TSA Scheme Certified Products Register

TSA_MSFR TSA Mandatory Security Functions Requirement

A.3 Glossary of Terms

Table 5: Glossary of Terms

Term Definition and Source

Audit An assessment of a client organisation’s certification scope (e.g. ISMS or MTPS scope) as defined by the certification scheme, proposed by an application against the standards covered by the scope defined in its application against the certification criteria specified in the rules of the certification scheme.

Certificate The official representation from the Certification Body of the certification of a specific version of the recognise certification standards such as ISO/IEC 27001, Common Criteria etc.

Certification Body An organisation responsible for carrying out certification and for overseeing the day-to-day operation of a certification scheme.

Consumer The organisation or personnel that uses the certified product within their infrastructure.

Customer/ Client/ Organisation

The organisation (sponsors, developers or consumers) that submits an application and make use of services provided by the ISCB.

PUBLIC


Developer The organisation that develops the product submitted for evaluation and certification.

Evaluation The assessment of an IT product, IT system, or any other valid target as defined by ISCB product certification schemes, proposed by an applicant against the standards covered by the scope defined in its application against the certification criteria specified in the ISCB product certification schemes rules.

Evaluation and Certification Scheme

The systematic organisation of the evaluation and certification function under the authority of a certification body in order to ensure that high standards of competence and impartiality are maintained and that consistency is achieved. Source CCRA.

Interpretation Expert technical judgement, when required, regarding the meaning or method of applicant of any technical aspect of the criteria or the methodology. An interpretation may be either a national or international interpretation.

ISCB Personnel Includes all members of the Scheme Manager, Auditor, Certifier, MTPS Operator, Quality Manager, and Head of Department.

Lead Certifier The Certifier responsible for managing a specific certification task.

Lead Evaluator The Evaluator responsible for managing the technical aspects of a specific evaluation task.

MTPS Certifier / MTC The personnel responsible for reviewing and assessing the technical and security aspects of the organisation e-business web portal and online payment system. MTPS Certifier is the member of Security Evaluation Facility.

MTPS Operator / MTO The personnel responsible for managing the audit and validation project. Auditing of the organisation’s MTPS scope is based on the MTPS technical requirements. MTPS Operator is the member of ISCB personnel.

MyCB Personnel Includes all members of the Scheme Manager, Senior Certifier, Certifier, and Quality Manager.

PUBLIC


Security Evaluation Facility

An organisation (or business unit of an organisation) licensed by ISB that conducts: a) Malaysian Security Evaluation Facility

(MySEF) – evaluation facility that is licensed by ISCB to conduct security evaluations of ICT products, systems, and protection profiles against CC and CEM;

b) Cryptography Validation Facility (CVF) – evaluation facility that is licensed by ISCB to conduct cryptography conformance and randomness testing against ISO/IEC 19790 and ISO/IEC 24759; and

c) Malaysia Trustmark Certifier (MTC) – organisation or facility that is recognised by ISCB to conduct Trustmark Technical Security Assessment (TTSA) or to validate the security aspects of the e-business web portal and online payment system against the MTPS technical requirements and additional adopted standards such as PCI-DSS and web security best practices (OWASP).

Note. The security evaluation facilities above may be provided by the same organisation.

Sponsor The organisation that submits a product for evaluation and certification under the ISCB product certification schemes. The sponsor may also be the developer.

Surveillance/ Maintenance of Certificate

The update of certificate to reflect that the certification scope is being maintained under the certification scheme.

A.4 Flow Chart Conventions

A.4.1 SEF Activities 206 Activities that must be performed directly by the SEF are represented by a

white box with a solid outline.

PUBLIC


207 Activities that must be performed directly by the SEF and represent end of activity for current function or phase are represented by an orange box with a solid outline.

A.4.2 Other Activities 208 Activities that are related to the evaluation workflow but are not performed

by the SEF are represented by a white box with a dashed outline.

209 Activities that are related to the evaluation workflow but are not performed by the SEF and represent start activity for current function or phase, are represented by an orange box with a dashed outline.

A.4.3 External Function/ Phase/ Activities 210 Functions, Phases and Activities that occur outside of the current function

or phase are represented by a box filled with orange. These boxes represent predecessors or successors to the current function or activity.

A.4.4 Decision 211 Decision points are represented by a diamond. Decision points are

graphical representations of a decision that is made in the activity preceding the decision point.

PUBLIC


Annex B ISCB Requirements for SEFs’ Management System

212 SEFs that are optional to get accreditation against ISO/IEC 17025, shall meet the requirements specified in this annex and the licensing agreement. ISCB is responsible to determine the compliance against the requirements during the licensing site visit.

B.1 General Requirements 213 The services of the SEF are to be available without undue financial or other

conditions. The procedures under which the SEF operates are to be administered in a non-discriminatory manner.

B.2 Administrative Structure 214 The SEF is to be impartial. In particular, it should have permanent staff

responsible to a senior executive enabling day-to-day operations to be carried out free from undue internal and external commercial, financial and other pressures and influences that may adversely affect the quality of the evaluation or testing work.

B.3 Organisational Structure 215 The SEF is to have and make available on request:

a) a chart showing clearly the responsibility, authority and interrelationships of all personnel who manage, perform or verify work affecting the quality of the evaluation or test;

b) a description of the means by which the organisation obtains financial support; and

c) documentation clearly identifying its legal status.

B.4 Confidentiality 216 The SEFs shall have policies and procedures to ensure protection of its

clients’ confidential information and proprietary rights, including procedures for protecting the electronic storage and transmission of results.

217 The SEFs shall have policies and procedures to avoid involvement in any activities that would diminish confidence in its competence, impartiality, judgement or operational integrity.

B.5 Quality Manual 218 The SEF is to have a Quality Manual, and documented policies and

procedures as a management system to ensure quality of all work and that they are communicated, available, understood and implemented by the appropriate personnel.

PUBLIC


219 The SEF is to ensure the quality policy statement is issued under the authority of top management.

220 The SEF is to have a Quality Manual and documentation setting out the procedures by which it complies with the requirements of this Annex. These are to include at least:

a) the laboratory management’s commitment to good professional practice and quality of its service;

b) a statement of the laboratory’s standard of service; c) the purpose of the management system; d) the laboratory management’s commitment to compliance with the

management system and to continually improve the management system;

e) a brief description of the legal status of the SEF; f) the names, qualifications and duties of the senior executive and other

SEF personnel; g) details of training arrangements for SEF personnel; h) an organisation chart showing lines of authority, responsibility and

allocation of functions stemming from the senior executive; i) a requirement for all personnel to be familiar with and implement the

quality documentation; j) details of procedures for the conduct and monitoring of the

evaluation/testing, internal audit, and management review; k) the identities of any contractors and details of the documented

procedures for assessing and monitoring their competence; and l) details of any procedures for complaints.

B.6 Documentation and Change Control 221 The SEF is to maintain a system for the control of all documentation relating

to its evaluation or testing, and ensure that: a) current issues of the appropriate documentation are available at all

relevant locations; b) documents are not amended or superseded without proper

authorisation; c) changes are promulgated in such way that those who need to know

are promptly informed and are in a position to take prompt and effective action;

d) superseded documents are removed from use throughout the organisation and its agencies; and

e) those with a direct interest in the SEF management system are informed of changes.

PUBLIC


B.7 Records 222 The SEF is to maintain a record system to suit its particular circumstances

and to comply with relevant regulations applied in the jurisdiction to which the SEF is subject. The system is to include all records and other papers produced in connection with each evaluation/testing; it is to be sufficiently complete to enable the course of each evaluation/testing to be traced. All records are to be securely and accessibly stored for a period of at least five years.

B.8 Management Review 223 The SEF is to undertake management reviews annually of its laboratory

operations to ensure their continuing suitability and effectiveness, and to introduce necessary changes or improvements. The review shall take account of:

a) The suitability of policies and procedures; b) Reports from managerial and supervisory personnel; c) The outcome of recent internal audits; d) Corrective and preventive actions; e) Changes in the volume and type of work; f) Client feedback; g) Complaints; h) Recommendations for improvement; and i) Other relevant factors, such as quality control activities, resources and

staff training. 224 Findings from the management reviews shall be recorded. The SEF

management shall ensure that those actions are carried out within an appropriate and agreed timescale.

B.9 Evaluation/Testing Personnel 225 The SEFs shall appoint its personnel based on the requirements stated in

Section 2.2 of this document. 226 The SEF personnel are to be competent for the functions they undertake.

Information on the relevant qualifications, training and experience of each member of staff is to be maintained by the SEF and kept up-to-date.

227 SEFs shall provide adequate supervision of evaluation or testing staff, including trainees, by persons familiar with methods and procedures, purpose of each test, and with the assessment of the test results.

228 Personnel are to have available to them clear, up to date, documented instructions pertaining to their duties and responsibilities in order to achieve the objectives of the management system.

229 If work is contracted to an outside body, the SEF is to ensure that the personnel carrying out the contracted work meet the applicable requirements of this Annex and must be agreed by ISCB.

PUBLIC


B.10 Evaluation/Testing Facility 230 The SEF’s shall ensure that the facilities for evaluation/testing do not

invalidate the results or adversely affect the required quality of any measurement. Any conditions that can affect the results of the evaluation/testing shall be documented and controlled.

231 There shall be effective separation between neighbouring areas in which there are incompatible activities. Measures shall be taken to prevent cross-contamination.

232 Access to the evaluation/testing areas shall be controlled to ensure the quality of the evaluation/testing.

233 Measures shall be taken to ensure good housekeeping in the facility. Procedures shall be established where necessary.

B.11 Evaluation/Testing Procedures 234 The SEF is to have the required documented procedures to enable the

evaluation/testing to be correctly carried out in accordance with ISCB accepted methodologies, standards, and best practices (i.e. CEM, CC, etc.). This shall include but not limited to:

a) Procedure for sampling, receipt, handling, transport, protect, storage, preparation and disposal of items to be evaluated/tested, including all provisions necessary to protect the integrity of the testing and to protect the interests of the facility and the client.

b) Instruction on the use and operation of all relevant equipment and on the handling and preparation of the items for evaluation/testing.

c) Procedure for safe handling, transport, storage, use and planned maintenance of equipment to ensure proper functioning and in order to prevent contamination or deterioration.

B.12 Evaluation/Test Report 235 The SEF is to report the evaluation/testing accurately, clearly,

unambiguously and objectively and in accordance with any specific instructions in the test methodology.

236 The draft of the evaluation/test report shall be submitted to ISCB for review. 237 The test reports must include:

a) a title (e.g. “Test Report”); b) name and address of the SEF, and the location where the

evaluation/testing was carried out, if different from the address of the location;

c) unique identification of the evaluation/testing document; d) name and address of the client; e) identification of the method used; f) description, condition and identification of the item evaluated/tested;

PUBLIC


g) reference to the sampling plan and procedures used by the SEF or other bodies where applicable;

h) evaluation/testing results; i) name, function and signature or equivalent identification of person

authorising the evaluation/testing document; j) statement to the effect that the results relate only to the items

evaluated/tested where applicable.

----------END OF DOCUMENT----------

Dato' Ts. Dr Haji Amirudin Bin Abdul Wahab Chief Executive … · 2020. 1. 14. · 1 Amiroul Farhan...

Documents

Transcript of Dato' Ts. Dr Haji Amirudin Bin Abdul Wahab Chief Executive … · 2020. 1. 14. · 1 Amiroul Farhan...