Thursday, November 10, 2016

ISO/IEC JTC1/SC 27/WG 3 meeting in Abu Dhabi


At the end of October I was once again privileged to be able to  join ISO/IEC JTC 1/SC 27/WG 3 during the latest of their bi-annual working sessions held in April and October.

Convened by Miguel Bañón, this working group is of particular interest to atsec since it includes work on the international standards and guidance documents relating to ISO/IEC 15408, ISO/IEC 19790 and other documents closely related to evaluation and testing and the provision of security assurance.

I have written in more detail on these standards in:

ISO's work related to the Common Criteria
ISO's cryptographic module work.




A little history on the relationship between ISO/IEC 15408 and the Common Criteria reveals that in the early 1990's, as the various national criteria, including Europe's ITSEC, The Canadian Criteria (CTCPEC) and the US Federal criteria, were brought together in order to create a single set of harmonized criteria, the intention was to publish the new set of "Common Criteria" as an ISO standard. A decision was made to create a more agile  technical community, the Common Criteria Development Board (CCDB), that could produce the work and present it to ISO. This was not done using the ISO "PAS" process, but aimed to produce and submit  a substantially complete work that would allow expeditious instantiation of the work with the full involvement of the ISO community, which could then support the standard's future maintenance within ISO.

Hence, the CCDB and ISO established a close liaison relationship, the Common Criteria were submitted to ISO by the CCDB and the first edition of  ISO/IEC 15408 was published in December of 1999.  Since then the CCDB have continued to liaise with ISO enabling the content  of ISO/IEC 15408 and the "Common Criteria" to remain synchronized. It's a two way relationship allowing for changes and innovations from WG 3 to be brought into the CCDB standards development.

The CCDB was initially comprised of representatives from those  countries contributing their own national criteria, today the CCDB is still a subset of  the  17 members of the CCRA certificate issuing signatory nations and the CCDB standards development efforts reflect the needs of the government agencies which they represent.

From the perspective of commercial industry it is a closed group, a little disconcerting when you realize that at least in the U.S., the stated policy is to adopt COTS products as a means of making government systems, more timely and cost-effective  and the US government emphasizes the benefits of public-private partnership.

So, this has been the status quo for several years: The CCDB updates the Common Criteria and the CEM standards using input from the CCDB members and from the WG 3 experts.  ISO publishes the aligned CC/CEM content as the ISO/IEC 15408 and ISO/IEC 18045 standards.

ISO brings to the table a breadth and depth of constituents far beyond that of the CCDB. SC 27 (IT Security Techniques) currently brings together 53 participating nations, a further 20 observing nation and is in liaison with many industry groups and standards organizations such as:
(ISC)2CCETTCloud security allianceECBSENISAEPCETSIEcma InternationalIEEEISACAISSEAITUMasterCardMasterCard
CCDBTCGOpengroup, United KingdomTMForumISAABC4TrustCSCCINLACCyber SecurityTAS3(ISC)2PRACTICEISFOECDFIRSTOIDFPQCRYPTOWITDOMKantara InitiativeISCIPRIPAREEuroCloudPICOSArticle 29 Data Protection Working PartyInterpolETSITREsPASSEUDCA

The various national bodies and liaison organizations represented in WG 3 work closely within their home fields to garner the participation of, and to  represent the interests of their own constituents.

Over time, the success of the Common Criteria has resulted in interest and use of the CC standards far beyond the national Agencies that are the the constituents of the CCDB. The diagram below attempts to illustrate this:



After a year long joint study period, WG3 and the CCDB recognized this evolution, and noting that ISO has more resources, and more widely represents the diverse stakeholders of the Common Criteria standards,  decided that ISO will take the lead in developing the next revision of the standards.

If you are interested in contributing to the development of ISO/IEC 15408 (The "CC"), ISO/IEC 18045 ("The CEM") or other projects within SC 27 then you can do so either through your national body, or through one of the liaison organizations to SC 27.

By Fiona Pattinson

P.S. in the U.S. the national body is ANSI who are are represented in SC 27 by INCITS.

Tuesday, October 4, 2016

Second Annual 27K: Security Summit for the Americas meets in San Francisco

From Monday, September 26th to Thursday, September 29th, 2016, the second annual 27K: The Security Summit for the Americas took place at the South San Francisco Conference Center in South San Francisco, California. The conference brought together experts in the ISO/IEC 27001 Information Security Management System (ISMS) standard along with people on the front lines of international IT security to promote the standard in the Western Hemisphere. See the 27K Summit website for full details on the conference.



Ryan Hill, Community Engagement Manager for
atsec information security manning their booth

The summit was attended by more than 120 individuals and was sponsored by more than 20 IT security companies, including atsec information security. This year’s conference was focused on the challenges of security in the area of Cloud Computing.


The 27K Summit started with a day of workshops on Monday that covered topics from introductions to the standard to harmonizing ISO/IEC 27001 with other standards. Day two, Tuesday, began with opening remarks from Ryan Hill, atsec’s Community Engagement Manager, followed by keynote presentations from Jim Reavis, Co-Founder and CEO of the Cloud Security Alliance, and Crispen Maung, Vice President of Compliance at Box.



Jim Reavis, CEO of Cloud Security Alliance,
speaking on "Security Assurance at the Speed of Cloud"

The conference continued with presentations on two tracks, Getting Started and Implementation, for the remainder of the day. The Implementation track continued into Wednesday and a new track, Enterprise Issues, was also introduced. In all there were over thirty speakers who presented.



Wednesday, July 13, 2016

atsec adds Italian Common Criteria Scheme accreditation

Italian flag

atsec is pleased to announce that it has recently been accredited to work as a Common Criteria evaluation laboratory (LVS - Laboratori per la Valutazione della Sicurezza) under the Italian Common Criteria scheme.

OCSI - Organismo di Certificazione della Sicurezza Informatica, founded in 2004, is the Italian scheme which is a signatory to both the CCRA - Common Criteria Recognition Arrangement as well as SOGIS – the Senior Officials Group Information Systems Security.

This means that atsec’s Common Criteria customers have the opportunity to select from the US, Sweden, Italian and German Schemes for their Common Criteria certification.



Helmut Kurth, atsec Chief Scientist stated that the addition of an LVS accreditation by the Italian national scheme to astec’s portfolio allows atsec to support customers in selecting the certification scheme that best fits their commercial needs with respect to certification timeline, cost, and knowledge in specific technical domains.