Korea IT Security Evaluation and Certification Scheme

Page 1: Korea IT Security Evaluation and Certification Scheme

2005. 9. 28

Korea Certification Body

Dae Ho, Lee

Page 2: Agenda

I. KECS Introduction

II. Role and Responsibility of CB

III. Evaluation and Certification Procedure

IV. Product and Protection Profile

Page 3: Korea IT Security Evaluation and Certification Scheme (KECS)

• Overview

• History

• Organization

• Publication

• Quality System

• Approval policy of EF

Page 4: KECS Overview

Objective

• Gain global trust and reliability of IT security systems

• Improve international competitiveness of IT products

• Improve IT security level of the national communication network

• Contribute to the realization of a sound information society

Legal Status

• Article 15 of the Framework Act on Information Promotion

• Article 16 of the Enforcement Decree of the Framework Act on Information Promotion

Page 5: KECS History

1995 Aug: Framework Act on IP and its Enforcement Decree

1998 Feb: Firewall evaluation

2000 Jul: IDS evaluation

2000 Aug: Established Evaluation · Certification Scheme

2002 Aug: Adopted CC (ISO/IEC 15408) as IT security evaluation criteria; VPN evaluation

2003 Nov: Access Control System, Fingerprint Recognition System, Smartcard evaluation

2004 Sep: Submitted application to join CCRA

2005 Jan: CC became the only evaluation criteria

Page 6: KECS Organization

Certification Body (National Intelligence Service)

• Evaluation and Certification Scheme

• Evaluation Methodology

• Evaluation Management and Oversight

• Certificate

• Certification Report

• Certified Products List and published Certification Report (provided to users)

Evaluation Facility (Korea Info. Security Agency)

• Consultation on evaluation

• EWP

• Work Package

• Observation Report

• Evaluation Report

Developer / Sponsor

• IT Product

• Protection Profile

• Deliverables

• Application for evaluation

User

Page 7: KECS Organization – CB (1/2)

Senior Executive

  Director, ITSCC (Certification manager)

    Certification Mgmt Team (Quality manager)

    Support Mgmt Team

  Certification committee

ITSCC: IT Security Certification Center

Functions of the CB teams:

• Oversee evaluation

• Site visit

• Operate Certification Committee

• Issue certificates

• Maintenance of Assurance

• Prepare to join CCRA

• Operate scheme

• Develop roadmap for PP development

• Publish CPL

• Audit

• Provide training course

Page 8: KECS Organizations – CB (2/2)

Senior Executive / Certification Manager / Quality Manager

Senior Executive

• Approves scheme

• Approves quality manual

• Approves issuance of certificate

Certification Manager

• Supervises operation of certification body

• Approves internal audit

• Operates Certification Committee

Quality Manager

• Operates and maintains the quality system

• Develops plan and executes internal audit

• Operates education and training course

Page 9: KECS Organizations – EF

IT Security Evaluation Center

President

  Vice president (Quality manager)

    Evaluation Planning Team (Quality assistant manager)

    • Operate EF quality system

    • Develop PP

    • Research & support related to evaluation service

    Evaluation Team 1 (Technical manager)

    • Firewall

    • Fingerprint

    • Smartcard

    • Etc.

    Evaluation Team 2 (Technical manager)

    • IDS

    • VPN

    • Access control

    • Etc.

Page 10: KECS Publications

KECS

• Overview of scheme: principle of evaluation, scope, organizational structure, legal status, operating resource, etc.

• Role and Responsibility of the Sponsor/EF/CB

• Evaluation and Certification procedure

• Maintenance of certified products

Quality Manual (ISO/IEC Guide 65)

• Quality system management

  - Qualification of personnel, training & education

  - Data/record management, protecting and sharing of information

  - Oversee evaluation, management of evaluation lab/equipment

  - Appeal or conciliation, internal audits, etc.

Page 11: Quality Manual

• Reparation

• Document Management

• Corrective and Preventive Measure

• Certification Management

• Internal Audit

• Management Review

• Management of Certification Regulation

• Record Management

• Management of Assurance

• Protection of Confidential Information

• Certification Training and Education

• Handling of Dispute

• Management of Deliverables

• Operation of Certification Lab

• Sampling

• Certification Committee

• Guaranteeing of Independence

• Written Pledge

Page 12: Approval policy of EF

CCRA B.3: the Evaluation Facility is accredited by an AB and/or approved by the CB.

KECS: the Evaluation Facility (KISA) is established by the Framework Act on Information Promotion (law/statutory instrument).

Page 13: Role and Responsibility of Certification Body

• Qualification Assignment

• Basic/Advanced Training

• Certification Activity

• Certification Committee

• Certification Report and Certificate

Page 14: Role and Responsibility of CB – Qualification of Evaluator and Certifier

Trainee Certifier (evaluator)

• Basic/Advanced Training

Certifier (evaluator)

• Experience of C/E (more than 2 products)

• Capability of EAL3 C/E

Senior Certifier (evaluator)

• Experience of C/E (more than 3 years)

• Capability of EAL4 C/E

* C/E: Certification and Evaluation

Page 15: Role and Responsibility of CB – Basic/Advanced Training

Basic (5 days)

• ISO/IEC Guide 65

• ISO/IEC 17025

• CC/CEM

• KECS

• CCRA Requirements

Advanced (10 days)

• How to write and evaluate PP, ST and deliverables

• EWP

• Evaluate deliverables

• Write Evaluation Technical Report

• Site visit

Page 16: Role and Responsibility of CB – Certification Activity

Attend

• The review meeting of EWP and OR

• Evaluation of testing and vulnerability

  - Review the plan for testing of EF

  - Independent evaluator testing and vulnerability testing

• Evaluation of the on-site security environment

  - Review the plan for on-site evaluation

Review and Record

• Review the following documents and record the result of certification in the "CB Review Comment"

  - EWP, ST, WP, OR, ETR (PP, TOE)

Page 17: Role and Responsibility of CB – Certification Committee

• Composed of 12 professionals from industry, academia, research institutes and the government

• Check for validity and impartiality of the evaluation results

• Review any major changes made to the scheme

• Mediate disputes between sponsor, EF and CB

Page 18: Evaluation · Certification Procedure

• Preparation Phase

• Evaluation Phase

• Certification Phase

Page 19: Evaluation · Certification Procedure (overview; actors: Sponsor / EF / CB)

Preparation Phase

• Sponsor: Inquiry about evaluation; Preparation of deliverables

• EF: Consultation of evaluation

• Sponsor: Apply for evaluation (deliverables) → EF: Sign contract → CB: Accept deliverables

Evaluation Phase

• Kick-off meeting with EF and CB → EF: Develop EWP → CB: Approve EWP

• EF: Evaluate TOE / CB: Monitor evaluation

• EF: Develop ETR / CB: Review ETR

Certification Phase

• CB: Certification Committee; Produce the Certification Report; Issue the certificate

• Sponsor: Receive the certificate

• CB: Publish the certification report on the website; Register the certificate to the CPL

Page 20: Evaluation · Certification Procedure – Preparation Phase (actors: Sponsor / EF / CB)

• Sponsor: Inquiry about evaluation; Preparation of deliverables

• EF: Consultation of evaluation

  - Separate evaluator from consultant for impartiality and independence of evaluation

• Sponsor: Apply for evaluation with deliverables

• EF: Sign contract

  - Review deliverables for completeness

  - Review contract

• CB: Accept deliverables

  - Assign a certifier

  - Review deliverables

Page 21: Evaluation · Certification Procedure – Evaluation Phase (1/2) (actors: Sponsor / EF / CB)

• EF: Develop EWP

  - Consider complexity of security functions, scope of evaluation

• CB: Approve EWP

  - Review the EWP: appropriateness of the formation of the evaluation team; appropriateness of the method of calculating the duration of the evaluation; appropriateness of the claimed PP and TOE scope

• EF: Kick-off meeting with Sponsor and CB

Page 22: Evaluation · Certification Procedure – Evaluation Phase (2/2) (actors: Sponsor / EF / CB)

• EF: Evaluate TOE

  - Compliance with CC, CEM

  - Produce OR, WP for each work unit

  - Site visit

• CB: Monitor evaluation

  - Review OR, WP

  - Testing and vulnerability

  - Site visit

  - Compliance with scheme

• EF: Develop ETR

• CB: Review ETR

  - Impartiality of evaluation

  - Conformance to CC/CEM

  - Compliance with scheme

Page 23: Evaluation · Certification Procedure – Certification Phase (actors: Sponsor / EF / CB)

• CB: Certification Committee

  - Review all documents of evaluation and certification (EWP, OR, WP, ETR, etc.)

• CB: Produce the Certification Report

• CB: Issue the certificate

• Sponsor: Receive the certificate

• CB: Publish the Certification Report on the website

• CB: Register the certificate to the CPL

Page 24: Certification Maintenance

1. Sponsor → CB: Application for change approval (deliverables)

2. CB: Approve change?

   - Yes → Notify result to the Sponsor

   - No → Re-evaluation: Sponsor and EF (consult, contract, evaluation); EF → CB: test and analysis result

3. CB: Approve change? → Notify result to the Sponsor

Page 25: Product and Protection Profile

• Certified product

• Protection Profile

Page 26: Product and Protection Profile – Certified Product

[Table of certified products as of July 18, 2005; cell values were garbled in extraction. Rows: Domestic Criteria, Common Criteria, Total. Columns: '98, '99, '00, '01, '02, '03, '04, '05, sum. Product categories: Firewall, IDS, VPN, Smart Card, Access Control, IPS, Biometric. Total certified products: 95 (Domestic Criteria: 40).]

Page 27: Product and Protection Profile – Protection Profile

Title | EAL | Publication

Smartcard open platform protection profile V1.0 | EAL4+ | 2004. 12

Network Intrusion Prevention System Protection Profile V1.0 | EAL4 | 2005. 5

Label-based access control system protection profile V1.0 | EAL3+ | 2004. 2

VPN gateway protection profile V1.1 | EAL3+ | 2003. 4

VPN protection profile V1.1 | EAL3+ | 2003. 4

Fingerprint recognition system protection profile V1.0 | EAL2+ | 2004. 2

Firewall-VPN composite protection profile V1.0 | EAL2 | 2004. 2

Intrusion detection system protection profile V1.1 | EAL3+ | 2003. 4

Firewall protection profile V1.1 | EAL3+ | 2003. 4

Page 28: Contact

ITSCC of NIS (Certification Body)

- Homepage: http://www.kecs.go.kr

- E-mail: [email protected]

KISA (Evaluation Body)

- Homepage: http://www.kisa.or.kr

- E-mail: [email protected]

Q & A