Korea IT Security Evaluation and Certification Scheme · Certification Mgmt Team (Quality manager)...
2005. 9. 28
Korea Certification Body
Korea IT Security Evaluation and Certification Scheme
Dae Ho, Lee
Agenda
I. KECS Introduction
II. Role and Responsibility of CB
III. Evaluation and Certification Procedure
IV. Product and Protection Profile
Korea IT Security Evaluation and Certification Scheme (KECS)
Overview
History
Organization
Publication
Quality System
Approval policy of EF
KECS Overview
Objective
• Gain global trust and reliability of IT security systems
• Improve international competitiveness of IT products
• Improve IT security level of the national communication network
• Contribute to the realization of a sound information society
Legal Status
• Article 15 of the Framework Act on Information Promotion
• Article 16 of the Enforcement Decree of the Framework Act on Information Promotion
KECS History
1995 Aug : Framework Act on IP and its Enforcement Decree
1998 Feb : Firewall evaluation
2000 Jul : IDS evaluation
2000 Aug : Established Evaluation · Certification Scheme
2002 Aug : Adopted CC, ISO/IEC 15408 as IT security evaluation criteria; VPN evaluation
2003 Nov : Access Control System, Fingerprint Recognition System, Smartcard evaluation
2004 Sep : Submitted application to join CCRA
2005 Jan : CC became the only evaluation criteria
KECS Organization
Certification Body (National Intelligence Service)
• Evaluation and Certification Scheme
• Evaluation Methodology
• Evaluation Management and Oversight
• Certificate and Certification Report (to the Sponsor)
• Certified Products List and published Certification Report (to the User)
Evaluation Facility (Korea Info. Security Agency)
• Consultation on evaluation (with the Developer/Sponsor)
• EWP, Work Package, Observation Report, Evaluation Report (to the CB)
Developer/Sponsor
• IT Product, Protection Profile, Deliverables
• Application for evaluation (to the EF)
User
• Receives the Certified Products List and the published Certification Report
KECS Organization – CB (1/2)
ITSCC : IT Security Certification Center
Senior Executive
Director, ITSCC (Certification manager)
Certification Mgmt Team (Quality manager)
Support Mgmt Team
Certification Committee
Activities
• Oversee evaluation
• Site visit
• Operate Certification Committee
• Issue certificates
• Maintenance of assurance
• Prepare to join CCRA
• Operate scheme
• Develop roadmap for PP development
• Publish CPL
• Audit
• Provide training course
KECS Organization – CB (2/2) : Senior Executive / Certification Manager / Quality Manager
Senior Executive
• Approves scheme
• Approves quality manual
• Approves issuance of certificate
Certification Manager
• Supervises operation of certification body
• Approves internal audit
• Operates Certification Committee
Quality Manager
• Operates and maintains the quality system
• Develops plan for and executes internal audit
• Operates education and training course
KECS Organization – EF
President
Vice president (Quality manager)
IT Security Evaluation Center
Evaluation Planning Team (Quality assistant manager)
• Operate EF quality system
• Develop PP
• Research & support related to evaluation service
Evaluation Team 1 (Technical manager)
• Firewall
• Fingerprint
• Smartcard
• Etc.
Evaluation Team 2 (Technical manager)
• IDS
• VPN
• Access control
• Etc.
KECS Publications
KECS
• Overview of scheme : principle of evaluation, scope, organizational structure, legal status, operating resource, etc.
• Role and responsibility of the Sponsor/EF/CB
• Evaluation and certification procedure
• Maintenance of certified products
Quality Manual
• ISO/IEC Guide 65
• Quality system management
• Qualification of personnel, training & education
• Data/record management, protecting and sharing of information
• Oversee evaluation, management of evaluation lab/equipment
• Appeal or conciliation, internal audits, etc.
Quality Manual
• Reparation
• Document Management
• Corrective and Preventive Measure
• Certification Management
• Internal Audit
• Management Review
• Management of Certification Regulation
• Record Management
• Management of Assurance
• Protection of Confidential Information
• Certification Training and Education
• Handling of Dispute
• Management of Deliverables
• Operation of Certification Lab
• Sampling
• Certification Committee
• Guaranteeing of Independence
• Written Pledge
Approval policy of EF
CCRA B.3 : Evaluation Facility accredited by an AB, or approved or established by the CB
KECS : KISA (EF) established by the Framework Act on Information Promotion (law/statutory instrument)
Role and Responsibility of Certification Body
Qualification Assignment
Basic/Advanced Training
Certification Activity
Certification Committee
Certification Report and Certificate
Role and Responsibility of CB – Qualification of Evaluator and Certifier
Trainee Certifier (evaluator)
• Basic/Advanced Training
Certifier (evaluator)
• Experience of C/E (more than 2 products)
• Capability of EAL3 C/E
Senior Certifier (evaluator)
• Experience of C/E (more than 3 years)
• Capability of EAL4 C/E
* C/E : Certification and Evaluation
Written Pledge
Role and Responsibility of CB – Basic/Advanced Training
Basic (5 days)
• ISO/IEC Guide 65
• ISO/IEC 17025
• CC/CEM
• KECS
• CCRA Requirements
Advanced (10 days)
• How to write and evaluate PP, ST and deliverables
• EWP
• Evaluate deliverables
• Write Evaluation Technical Report
• Site visit
Role and Responsibility of CB – Certification Activity
Attend
• The review meeting of EWP and OR
• Evaluation of testing and vulnerability
  - Review the plan for testing of the EF
  - Independent evaluator testing and vulnerability testing
• Evaluation of the on-site security environment
  - Review the plan for on-site evaluation
Review and Record
• Review the following documents and record the result of certification in the "CB Review Comment"
  - EWP, ST, WP, OR, ETR (PP, TOE)
Role and Responsibility of CB – Certification Committee
• Composed of 12 professionals from industry, academia, research institutes and the government
• Check for validity and impartiality of the evaluation results
• Review any major changes made to the scheme
• Mediate disputes between sponsor, EF and CB
Evaluation · Certification Procedure
Preparation Phase
Evaluation Phase
Certification Phase
Evaluation · Certification Procedure (overview; Sponsor / EF / CB)
Preparation Phase
• Sponsor : Inquiry about evaluation; Preparation of deliverables; Consultation of evaluation
• Sponsor : Apply for evaluation (deliverables) → EF : Sign contract → CB : Accept deliverables
Evaluation Phase
• Kick-off meeting with EF and CB
• EF : Develop EWP → CB : Approve EWP
• EF : Evaluate TOE → CB : Monitor evaluation
• EF : Develop ETR → CB : Review ETR
Certification Phase
• CB : Certification Committee
• CB : Produce the Certification Report
• CB : Issue the certificate → Sponsor : Receive the certificate
• CB : Publish the certification report on the website
• CB : Register the certificate to the CPL
Evaluation · Certification Procedure – Preparation Phase (Sponsor / EF / CB)
Sponsor
• Inquiry about evaluation
• Preparation of deliverables
• Consultation of evaluation
EF
• Separate evaluator from consultant for impartiality and independence of evaluation
Sponsor
• Apply for evaluation with deliverables
EF : Sign contract
- Review deliverables for completeness
- Review contract
CB : Accept deliverables
- Assign a certifier
- Review deliverables
Evaluation · Certification Procedure – Evaluation Phase (1/2) (Sponsor / EF / CB)
EF : Kick-off meeting with Sponsor and CB
EF : Develop EWP
- Consider complexity of security functions, scope of evaluation
CB : Approve EWP
- Review the EWP
  · Appropriateness of the formation of the evaluation team
  · Appropriateness of the method of calculating the duration of the evaluation
  · Appropriateness of the claimed PP and TOE scope
Evaluation · Certification Procedure – Evaluation Phase (2/2) (Sponsor / EF / CB)
EF : Evaluate TOE
- Compliance with CC, CEM
- Produce OR, WP for each work unit
- Site visit
CB : Monitor evaluation
- Review OR, WP
- Testing and vulnerability
- Site visit
- Compliance with scheme
EF : Develop ETR
CB : Review ETR
- Review ETR
  · Impartiality of evaluation
  · Conformance to CC/CEM
- Compliance with scheme
Evaluation · Certification Procedure – Certification Phase (Sponsor / EF / CB)
CB : Certification Committee
- Review all documents of evaluation and certification (EWP, OR, WP, ETR, etc.)
CB : Produce the Certification Report
CB : Issue the certificate
Sponsor : Receive the certificate
CB : Publish the Certification Report on the website
CB : Register the certificate to the CPL
Certification Maintenance (Sponsor / EF / CB)
Sponsor → CB : Application for change approval (deliverables)
CB : Approve change?
- Yes : Notify result to the Sponsor
- No : Sponsor → EF : deliverables, test and analysis result
CB : Approve change?
- Yes : Notify result to the Sponsor
- No : Re-evaluation (· Consult · Contract · Evaluation)
Product and Protection Profile
Certified Product
Protection Profile
Product and Protection Profile – Certified Product
Certified product categories : Firewall, IDS, VPN, Smart Card, Access Control, IPS, Biometric

Category          | '98 | '99 | '00 | '01 | '02 | sum
Domestic Criteria |  1  |  2  |  5  |  7  | 10  | 40
Common Criteria   |  -  |  -  |  -  |  3  | 11  | 26
Total             |  1  |  2  |  5  | 10  | 21  | 95

[Chart: number of certified products in '03, '04 and '05 by product type (FW, IDS, FW/VPN, Access Control System)]
<As of July 18, 2005>
Product and Protection Profile – Protection Profile

EAL   | Title                                                        | Publication
EAL4+ | Smartcard open platform protection profile V1.0              | 2004. 12
EAL4  | Network Intrusion Prevention System Protection Profile V1.0  | 2005. 5
EAL3+ | Label-based access control system protection profile V1.0   | 2004. 2
EAL3+ | VPN gateway protection profile V1.1                          | 2003. 4
EAL3+ | VPN protection profile V1.1                                  | 2003. 4
EAL2+ | Fingerprint recognition system protection profile V1.0       | 2004. 2
EAL2  | Firewall-VPN composite protection profile V1.0               | 2004. 2
EAL3+ | Intrusion detection system protection profile V1.1           | 2003. 4
EAL3+ | Firewall protection profile V1.1                             | 2003. 4
ITSCC of NIS (Certification Body)
- Homepage : http://www.kecs.go.kr
- E-mail : [email protected] (@ncsc.go.kr)
KISA (Evaluation Body)
- Homepage : http://www.kisa.or.kr
- E-mail : [email protected] (@kisa.or.kr)
Q & A