This section provides the answers to some Frequently Asked Questions about the UK IT Security Evaluation and Certification Scheme (the "UK Scheme").
Scheme Questions
Roles & Responsibilities
Vendor Questions
Purchaser Questions
Technical Questions
Further Information
Scheme Questions
What is the benefit in having certified products and systems?
What is ITSEC?
What is Common Criteria?
How does a Common Criteria evaluation compare to other types of security evaluation and testing?
What is Mutual Recognition?
Are UK certifications recognised internationally?
What is the ITSEC Certification Mark?
Why should I come to the UK for certification?
What is the benefit in having certified products and systems?
The use of certified products and systems provides a high level of
confidence that the claims being made about security functionality
have been independently verified and tested. The vendor has demonstrated
faith in their product by taking the time and trouble to seek an independent
evaluation of the security claims against a pre-determined level of
assurance.
What is ITSEC?
In May 1990 France, Germany, the Netherlands and the United Kingdom
published the Information Technology Security Evaluation Criteria
(ITSEC) based on existing work in their respective countries. Following
extensive international review, Version 1.2 was subsequently published
in June 1991 by the Commission of the European Communities for operational
use within evaluation and certification schemes.
ITSEC is a structured set of criteria for evaluating computer security
within products and systems. Each evaluation involves a detailed examination
of IT security features culminating in comprehensive and informed
functional and penetration testing. This work is undertaken using
an agreed Security Target as the baseline for ensuring that a product
or system meets its security specification. ITSEC operates the concept
of assurance levels E0 to E6. This scale represents ascending levels
of confidence that can be placed in the TOE's security functions and
determines the rigour of the evaluation. Since the launch of ITSEC
in 1990, a number of other European countries have agreed to recognise
the validity of ITSEC evaluations, but this set of criteria has now
been superseded by Common Criteria.
What is Common Criteria?
Common Criteria (CC) represents the outcome of international efforts
to align and develop the obsolescent European (ITSEC) and North American
(U.S. TCSEC and Canadian CTCPEC) criteria towards a common standard
for carrying out security evaluations. By establishing a common base,
the results of an IT security evaluation are more meaningful to a
wider audience. CC has a catalogue of standard Security Functional
Requirements which represent the current state-of-the-art for trusted
products and systems. These can be used to develop a Protection Profile
and as a means for developing a Security Target. They can also be
supplemented or tailored to suit more specialist requirements. A CC
evaluation is carried out against a set of pre-defined assurance levels,
termed Evaluation Assurance Levels (EAL0 to EAL7). This scale represents
ascending levels of confidence that can be placed in the TOE Security
Functions and determines the rigour of the evaluation.
How does a Common Criteria evaluation compare to other types of security evaluation and testing?
Most other schemes are based on black box testing concentrating on
finding security errors through penetration testing. Common Criteria
operates on the basis of white box testing where the evaluation is
subject to a more structured and formal approach. The evaluator acquires
an in-depth knowledge of the construction of the product by examining
the required security functions and tracing the security functionality
to lower levels of design or implementation. In addition, depending
on the assurance level, the evaluators will examine how guidance is
given to administrators and users, how the product is developed, and
how vulnerable the product is to attack. White box testing may take
longer than black box testing but more confidence can be placed in
the final result.
What is Mutual Recognition?
Mutual Recognition is a formal arrangement whereby other participating
nations agree to recognise a security certification from a qualifying
Certification Body. This helps vendors to cut their costs by having
a single product or system evaluation which is recognisable by all
participating nations. Common Criteria Certifications up to and including
EAL4 are mutually recognised by Australia, Austria, Canada, The Czech
Republic, Denmark, Finland, France, Germany, Greece, Hungary, India,
Israel, Italy, Japan, The Republic of Korea, The Netherlands, Norway,
Singapore, Spain, Sweden, Turkey, The USA and the UK.
Are UK certifications recognised internationally?
Yes. The UK Scheme is a qualifying Certification Body and its certificates
are recognised by many countries.
What is the UK Scheme Certification Mark?
The UK Scheme Certification Mark demonstrates that a specific product
or system has been evaluated and certified under the UK scheme. Vendors
who have had their product or system certified under the UK Scheme
are authorised to use the UK Scheme Certification Mark in their literature
and marketing material.
Why should I come to the UK for certification?
The UK Scheme has been established since 1990 and has a reputation
for quality, timely delivery and commercial awareness. Each Common
Criteria evaluation is carried out under contract which is agreed
with the sponsor in advance of evaluation. The contract includes a
fixed price for certification, service level agreements for document
turnround, and timescales for issuing of a Certification Report and
Certificate.
Roles & Responsibilities
What is the role of the Certification Body?
What is the role of UKAS?
What is the role of an evaluation facility (CLEF)?
Who are the evaluation facilities (CLEFs) and how can I get in touch with them?
What is the role of the Certification Body?
The United Kingdom Certification Body is an independent organisation
located within the UK Government's CESG, based at Cheltenham. The
Certification Body ensures that the UK Scheme operates for the common
good of all participants - vendors, sponsors, evaluators, certifiers,
and purchasers. It liaises with external agencies such as other Certification
Bodies to ensure harmonisation. The Certification Body maintains a
set of agreed standards and ensures compliance by all parties. The
Certification Body monitors the performance of CLEFs and independently
certifies the result of each evaluation.
What is the role of UKAS?
UKAS is the United Kingdom Accreditation Service. It is a private
sector company, licensed by the Department of Trade and Industry (DTI)
as the sole national accreditation body in specified fields. UKAS
assesses and accredits certification bodies and testing and calibration
laboratories. Subject to stringent requirements, these bodies and
laboratories are then authorised to issue formal certificates and
reports for specific types of certification, testing and measurement.
The Commercial Evaluation Facilities (CLEFs) are subject to accreditation
by UKAS, as is the Certification Body itself.
What is the role of an evaluation facility (CLEF)?
A Commercial Evaluation Facility (CLEF) is an organisation which is
appointed by the Certification Body to conduct security evaluations
in accordance with the standards of the UK Scheme. Because CLEFs are
testing laboratories, they are regularly inspected by the United Kingdom
Accreditation Service (UKAS). Each CLEF is appointed to perform evaluations
to the necessary standard and to a specified Assurance Level, as determined
by the scope of the UKAS accreditation. The main requirement of a
CLEF is to be totally independent from the developer of a product
or system, including its parent company. CLEFs are usually contracted
by sponsors of products and systems to undertake security evaluations.
Who are the evaluation facilities (CLEFs) and how can I get in touch with them?
There are currently three Commercial Evaluation Facilities (CLEFs).
They welcome enquiries from anyone with an interest in evaluation
- see CLEF contact details.
Vendor Questions
Why should we have our computer product or system evaluated?
What type of product or system can I have evaluated?
How much does it cost to get my product/system certified?
How long does evaluation take?
What evaluation documentation is required?
How do you maintain certification for new products or systems?
What does a Certifier do?
What consultancy services are available to sponsors?
Who do I talk to if I am considering evaluation?
Why should we have our computer product or system evaluated?
Security now forms an important consideration in the software selection
process by most commercial firms and government agencies. These organisations
have neither the time nor the resources to verify the validity of security
claims to the same level as that undertaken by a skilled evaluation
facility. There is a greater opportunity for increased sales if vendors
have their security claims independently verified using an approved
scheme such as the UK Scheme. This is demonstrated by the firewall
market, where it is now normal practice for purchasers of these products
to choose certified versions.
What type of product or system can I have evaluated?
Any electronic product or system that claims to have a security capability
can be evaluated, eg operating systems, database management systems,
firewalls, communication systems, smartcards, data separators, PKI
systems, e-commerce systems. In practice, most evaluations are
undertaken on software components, but the field is beginning to widen
to include more firmware and hardware (see Find a Certified Product).
How much does it cost to get my product/system certified?
The cost of evaluation can be split three ways: developer cost in
providing the correct documentation to the CLEF; the CLEF costs in
performing the evaluation itself; and, the Certification Body costs
in monitoring and certifying the evaluation. There is also a dependency
on the nature and complexity of the software, the assurance level
required and whether any re-use can be made of work performed from
previous evaluations of the same product or system. All aspects of
costs are confidential to the parties concerned so it is not possible
to give an accurate estimate. If you are considering having your product
or system evaluated, both the CLEF and the Certification Body will
be pleased to provide a quote for the work involved without obligation.
Should my product undergo a CC evaluation?
Vendors who wish to sell into Government Organisations in Europe and
North America are advised to use Common Criteria.
How long does evaluation take?
Most product evaluations are completed within 6 to 12 months of starting.
Others, of a more complex nature, can take much longer depending on
the scope of the Security Target. The elapsed time for the whole process
is dependent on the availability of the correct developer documentation
- e.g. design and operational documentation.
What evaluation documentation is required?
For Common Criteria evaluations, the developer is required to provide
at least application design and operational guidance documentation.
Common Criteria Part 3: Security Assurance Requirements (www.commoncriteriaportal.org/public/developer/index.php?menu=2) details the documentation
required for Common Criteria evaluations. System Evaluations and Fast
Track Assessments are based on Common Criteria requirements.
How do you maintain certification for new products or systems?
Once a product or system has been successfully evaluated, Common Criteria
and the alternative approaches operate an assurance maintenance methodology
for maintaining certification without having to undergo a separate evaluation
for each new version of the software. The concept is to ensure that a
TOE continues to meet its Security Target as changes are made to the
software or its environment.
What does a Certifier do?
The Certification Body of the UK Scheme employs a number of Certifiers
to monitor the conduct and performance of evaluations and to produce
certification reports reflecting the outcome of evaluation results.
In practice, this means that for each evaluation the Certifier:
- holds a task startup meeting with the sponsor and CLEF to confirm
that the TOE is suitable and ready for evaluation (eg agreeing
the TOE Scope, Evaluation Work Plan, timescales and the Security
Target)
- monitors the technical progress and performance of the evaluation,
resolving concerns with the sponsor and CLEF (eg ensuring comprehensive
testing is performed on the TOE, co-ordinating assessment work
on cryptographic algorithms)
- reviews CLEF evaluation technical reports against the evaluation
criteria and methodology, and produces a Certification Report
or statement agreeing the result with the sponsor and CLEF.
What consultancy services are available to sponsors?
Sponsors of evaluations have the option of attending an informal meeting
with the Certification Body to discuss which evaluation options are
more suitable for their business. Each of the three CLEFs provides
a consultancy service to help sponsors in the production of evaluation
documents.
Who do I talk to if I am considering evaluation?
A good place to start is with the Certification Body itself, who will
be pleased to give further advice: contact CESG Enquiries. You may also
wish to contact one of the three CLEFs, who will be willing to give
appropriate advice.
Purchaser Questions
Will certified products cost me more money?
How can I tell whether a product or system fulfils my security requirements?
Will certified products cost me more money?
No, because the vendor pays for evaluation and this cost tends to
be absorbed in research and development.
How can I tell whether a product or system fulfils my security requirements?
A CC certificate provides assurance that a product or system has met
a Security Target based on security objectives, threats, functionality
and the environment in which it is intended to operate. Also, the
scheme's hierarchical levels of assurance allow you to match your
requirements for confidence precisely against the vendor's claims.
Therefore, the first step is to decide on what level of assurance
is required (eg EAL3) and then to read the Security Target and Certification
Report to determine if a particular product or system matches your
security requirements. If these are unavailable, you may require a
security evaluation.
Technical Questions
Exactly what is a security evaluation?
What is a TOE?
What is a Security Target?
What is a Protection Profile?
What are Security Functions?
What are evaluation assurance levels?
Exactly what is a security evaluation?
A security evaluation, using an appropriate set of evaluation criteria
and methodology, is a process aimed at establishing a required level
of assurance as to the absence of vulnerabilities in a Target of Evaluation
(TOE). The higher the value of the assets requiring protection, and
the greater the threat to those assets, the higher the assurance needed
to reduce the residual risk to those assets to an acceptable level.
Through evaluation the sponsor seeks to demonstrate a level of confidence,
commensurate with the identified risk, in the countermeasures provided
by the TOE. It is the responsibility of the evaluator to confirm the
required assurance, using deliverables supplied by the developer as
inputs to the evaluation, and to use the knowledge gained for devising
effective penetration tests.
What is a TOE?
A TOE is a well-used acronym in security evaluations and refers to
the Target of Evaluation. The TOE is that part of the product or system
which is to be subjected to evaluation, including its associated administrator
and user guidance documentation. It may be a single component operating
in isolation (eg a PC start-up boot process) or it may be constructed
from several components which are layered together (eg a database
management system sitting on top of an operating system).
What is a Security Target?
A Security Target is a document which forms the baseline for evaluation
of a product or system (ie the TOE). It is an important input to the
evaluation process and the Security Target itself is subjected to
scrutiny to ensure that it is complete, accurate and consistent. It
contains a specification of the security functions against which the
product or system will be evaluated, and includes a description of
the threats and security objectives present in the environment in
which the product or system is to operate. The audience of a Security
Target is therefore not confined solely to those undertaking the evaluation,
but extends to those responsible for purchasing, managing, installing,
configuring, and using the product or system.
What is a Protection Profile?
A Protection Profile (PP) is a document used within security evaluations
under Common Criteria. A PP is an implementation-independent set of
security requirements for a category of TOEs that meet specific consumer
needs for IT security. Many PPs are currently being designed to cover
most aspects of application security. Existing examples of PPs include
the Canadian Firewall PP, Oracle's Database Management System PP, and
the UK Controlled Access PP and UK Labelled Security PP. Each PP contains
a description of the intended environment, security objectives, security
functions, and assurance requirements.
A PP itself is subjected to a Common Criteria evaluation and only
those which pass the evaluation are eligible for inclusion in a central
registry. The registry is currently under construction and will be
supported by a web site on the Internet. There are several advantages
to using a PP: it provides guidance to developers on the state-of-the-art
security requirements for a product type; it enables purchasers to select
products and systems which are conformant to a particular requirement
set; and it helps sponsors to construct Security Targets more easily.
What are Security Functions?
Security functions are features which are designed into a product
or system at the development stage. They are user and administrator
requirements which are needed to prevent or detect accidental/intentional
misuse of the operational software. Security functions generally cover
Confidentiality, Integrity and Availability aspects. Typical examples
are Identification and Authentication, Access Control, Audit, Accountability,
Object Re-use, Accuracy, Reliability of Service and Data Exchange.
What are evaluation assurance levels?
Common Criteria, ITSEC and other sets of evaluation criteria operate
the concept of assurance levels. For Common Criteria the levels are
EAL0 to EAL7. These scales represent ascending
levels of confidence that can be placed in the TOE meeting its security
objectives. The higher the level the greater the degree of rigour
is applied in assessing whether the TOE has met its security requirements
(eg by intensifying the analysis and search for security vulnerabilities
in the TOE Security Functions).
Further Information
Is there a list of certified products and systems?
What Protection Profiles are currently available?
Which documents provide details of the evaluation process?
Who may I contact to answer further questions?
Is there a list of certified products and systems?
A Directory of Infosec Assured Products is issued annually; an up-to-date
list of Certified Products is accessible online from this site.
What Protection Profiles are currently available?
Several Protection Profiles have been developed and many more are
currently in production by participating nations. A centralised
registry (www.commoncriteriaportal.org) with a supporting web site has been constructed to hold
details of all evaluated and approved Protection Profiles. In the UK,
certified Protection Profiles can be viewed via this site.
Which documents provide details of the evaluation process?
Access to various introductory guides and formal documentation is available
via this site, and the Common Criteria website (www.commoncriteriaportal.org).
Who may I contact to answer further questions?
The CESG Certification Body via CESG Enquiries or any of the CLEFs
will be pleased to answer further questions.