Monday, November 26, 2012

ISO's work related to The Common Criteria

Updated November 9th, 2016

In 1990 ISO/IEC JTC 1 Subcommittee 27 (SC 27) was formed to deal with ICT security. Not long afterwards SC 27 initiated Working Group 3, "Security Evaluation Criteria". This working group focuses on security evaluation, testing and specification.

At that time the Common Criteria was in development, and having these standards internationally recognised was an important point of the strategy. The goal, which has been achieved, was that the standards should be available to the whole world, independently of the Common Criteria Recognition Arrangement (CCRA), the formal arrangement between nations.

SC 27's business plan mentions that "The CCDB and SC 27/WG 3 have had a long-standing technical liaison on projects related to IT Security Evaluation Criteria. Thus, Working Group 3 has been working in close co-operation with the CCDB on the development of the Common Criteria, which has been simultaneously published as ISO/IEC 15408. The co-operation has been extended to also involve the work on 18045 “Evaluation methodology for IT security”."

This liaison allows ISO's member national bodies, especially those not represented directly in the CCDB, an opportunity to review, comment and contribute to the project. In many cases it also provides a vehicle for industry experts from the commercial sector (vendor) community to have a place to contribute more directly.

Both ISO/IEC JTC 1/SC 27/WG 3 and the CCDB produce supporting documents. Those produced by the CCDB are listed on the CC portal at the bottom of the supporting publications page; they cover smartcard and IC technology as well as documents directly related to supporting the CCRA.
Additional documents related to ISO/IEC 15408 produced by WG 3 are described below.

2016 Study Period on Information Assurance

2016: The Study Period, run by ISO in close liaison with the CCDB to determine appropriate future developments of ISO/IEC 15408, ISO/IEC 18045 and other IT assurance standards, closed after a year.

The Fall 2016 WG 3 meeting received a summary of the two calls for comments, and the rapporteurs presented a proposal for revising the ISO/IEC 15408 and ISO/IEC 18045 standards, as well as some changes to the structure of ISO/IEC 15408.

The proposed changes are shown in the diagram below. They include the specification of two new parts to ISO/IEC 15408 and an additional document that will be guidance supporting the transition and explaining the changes to the standard.


Evaluation criteria and Methodology for IT security evaluation

These are the "equivalent standards" to those published by the CCDB on the CC Portal. Minor revisions of the CC standards are usually addressed in ISO through the publication of corrigenda.

These ISO standards are available from ISO for free (as in beer). The first three are equivalent to the first three parts of the CC, the fourth in the list is the equivalent of the CEM.

ISO/IEC 15408-1:2009: Evaluation criteria for IT security -- Part 1: Introduction and general model

ISO/IEC 15408-2:2008: Evaluation criteria for IT security -- Part 2: Security functional components

ISO/IEC 15408-3:2008: Evaluation criteria for IT security -- Part 3: Security assurance components

ISO/IEC 18045:2008: Methodology for IT security evaluation

Developing security and privacy functional requirements based on ISO/IEC 15408

ISO/IEC TS 19608: Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This Technical Specification provides guidance for developing privacy functional requirements as extended components, based on the privacy principles defined in ISO/IEC 29100 and following the paradigm described in ISO/IEC 15408-2; for selecting and specifying Security Functional Requirements from ISO/IEC 15408-2 to protect Personally Identifiable Information; and for a procedure to define both privacy and security functional requirements in a coordinated manner.
2016/11: This new Technical Specification is currently being published by ISO.

Guidance for the production of Protection Profiles and Security Targets

ISO/IEC TR 15446: Guide for the production of Protection Profiles and Security Targets

This technical report provides much needed guidance to PP authors and ST writers. Although ISO/IEC 15408-1 provides the technical information needed to write a PP or an ST, the member nations of ISO agreed that some practical guidance on writing these documents was needed and that this work should be completed.

2016/11: The third edition of ISO/IEC 15446 is currently being published by ISO. 

Security assessment of operational systems

ISO/IEC TR 19791: Security assessment of operational systems.

ISO/IEC TR 19791:2010 provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408 by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be separately evaluated.
ISO/IEC TR 19791:2010 provides:
  1. a definition and model for operational systems;
  2. a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems;
  3. a methodology and process for performing the security evaluation of operational systems;
  4. additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria.
ISO/IEC TR 19791:2010 permits the incorporation of security products evaluated against ISO/IEC 15408 into operational systems evaluated as a whole using ISO/IEC TR 19791:2010.
ISO/IEC TR 19791:2010 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.

This document was initially produced as a technical report, with the goal of gaining enough experience in the subject to be able to codify a standard. It defines extensions to ISO/IEC 15408 in order to enable the security assessment (evaluation) of operational systems; these are needed because ISO/IEC 15408 does not capture certain critical aspects of an operational system that must be precisely specified in order to evaluate such a system effectively.

The contents are fairly exhaustive, with discussions of:
  • the technical approach to operational systems assessment used in this Technical Report;
  • the extension of ISO/IEC 15408 evaluation concepts for use in operational system evaluation;
  • the relationship between this Technical Report and other security standards which have been used in its development;
  • requirements for the specification of security problems, security objectives, security requirements, SST contents and periodic reassessment, which are needed in order to evaluate operational systems.
Annexes provide further supportive material covering, for operational systems:
  • Security Targets and System Protection Profiles, which define the security requirement specifications needed for operational systems;
  • functional control requirements, which define the additional security functional requirements needed for operational systems;
  • assurance requirements, which define the additional security assurance requirements needed for operational systems;
  • evaluation methodology, which defines the additional actions to be performed by an evaluator conducting the evaluation of an operational system.
This TR has been used in practice, with an early trial evaluation being reported from Japan.

Competence requirements for information security testers and evaluators

DRAFT ISO/IEC TR 19896-1: Competence requirements for information security testers and evaluators: Part 1: Introduction, concepts and general requirements.

Provides the fundamental concepts related to the topic of the competence of the individuals responsible for performing IT product security evaluations and conformance testing. Provides the framework and the specialised requirements that specify the minimum competence of individuals performing IT product security evaluation and conformance testing using established standards.
This will support the goals of ISO CASCO conformity assessment by contributing standardized requirements for competency supporting ISO/IEC 17024.

DRAFT ISO/IEC TR 19896-3: Competence requirements for information security testers and evaluators: Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluator.

Provides the specialised requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 and ISO/IEC 18045.

Vulnerability analysis and penetration testing for ISO/IEC 15408

ISO/IEC TR 20004-1:2016: Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045

ISO/IEC TR 20004-2: Detailing software penetration testing under ISO/IEC 15408 and ISO/IEC 18045 vulnerability analysis

Vulnerability Handling

ISO/IEC 30111: Vulnerability handling processes

Describes processes for vendors to handle reports of potential vulnerabilities in products and online services. It is related to ISO/IEC 29147: it interfaces with elements described in ISO/IEC 29147 at the point of receiving potential vulnerability reports and at the point of distributing vulnerability resolution information. This standard takes into consideration the relevant elements of ISO/IEC 15408-3, 13.5 Flaw remediation (ALC_FLR).

ISO/IEC 29147: Vulnerability disclosure

Gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure. This standard:
  1. provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services,
  2. provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services,
  3. provides the information items that should be produced through the implementation of a vendor's vulnerability disclosure process, and
  4. provides examples of content that should be included in the information items.
ISO/IEC 29147 has recently been published and is currently available for free.


Delving into technology-specific areas of evaluation, biometrics were seen by the community as an area in need of standardization. So far WG 3 has produced two standards in this area.

ISO/IEC 19792: Security evaluation of biometrics

Relevant to both evaluator and developer communities, as it addresses biometric-specific aspects and principles to be addressed during a security evaluation of a biometric system. It does not address the non-biometric aspects which might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels). Neither does this standard aim to define any concrete methodology for the security evaluation of biometric systems; instead it focuses on the principal requirements.

As such, the requirements in this International Standard are independent of any evaluation or certification scheme, and will need to be incorporated into and adapted to a concrete scheme before being used in that context. The standard includes:
  • an overview of all terms, definitions and acronyms used,
  • an introduction of the overall concept for a security evaluation of a biometric system,
  • a description of the statistical aspects of security-relevant error rates,
  • vulnerability assessment of biometric systems and
  • the evaluation of privacy aspects.

ISO/IEC 24745: Biometric information protection

Provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, ISO/IEC 24745 provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information. ISO/IEC 24745 specifies the following:
  • analysis of the threats to, and countermeasures inherent in, biometrics and biometric system application models;
  • security requirements for secure binding between a biometric reference and an identity reference;
  • biometric system application models with different scenarios for the storage of biometric references and comparison; and
  • guidance on the protection of an individual's privacy during the processing of biometric information.
ISO/IEC 24745 does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.

DRAFT IS 19989-1: Criteria and methodology for security evaluation of biometric systems: Part 1: Framework

DRAFT IS 19989-2: Criteria and methodology for security evaluation of biometric systems: Part 2: Biometric recognition performance

DRAFT IS 19989-3: Criteria and methodology for security evaluation of biometric systems: Part 3: Presentation attack detection

Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408

DRAFT ISO/IEC TR 20543: Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408.

Physically unclonable functions (PUFs)

DRAFT ISO/IEC 20897: Security requirements, test and evaluation methods for physically unclonable functions (PUFs) for generating non-stored security parameters

Cryptographic Protocols 

IS 29128: Verification of cryptographic protocols

Establishes a technical base for the security proof of the specification of cryptographic protocols. It specifies design evaluation criteria for these protocols, as well as methods to be applied in a verification process for such protocols. It also provides definitions of different protocol assurance levels consistent with evaluation assurance components in ISO/IEC 15408.

Physical Security Attacks, Mitigation Techniques and Security Requirements

ISO/IEC 30104:2015: Physical Security Attacks, Mitigation Techniques and Security Requirements

This technical report provides guidance and addresses the following topics:
  • a survey of physical security attacks directed against different types of hardware embodiments including a description of known physical attacks, ranging from simple attacks that require little skill or resource, to complex attacks that require trained, technical people and considerable resources;
  • guidance on the principles, best practices and techniques for the design of tamper protection mechanisms and methods for the mitigation of those attacks; and
  • guidance on the evaluation or testing of hardware tamper protection mechanisms and references to current standards and test programs that address hardware tamper evaluation and testing.

Secure System Engineering

ISO/IEC TS 19249: Catalogue of Architectural and Design Principles for Secure Products, Systems, and Applications

Provides a catalogue of architectural and design principles that can be used in the development of secure products, systems, and applications, together with guidance on how to use those principles effectively. Each architectural and design principle is described using a common structure, identifying the purpose and advantage of the design principle, how it can contribute to developing a secure product, system, or application, and its dependency on other principles described in the catalogue.

Examples are provided for each principle on how it may be implemented, how it may contribute to security properties and functions and what other aspects have to be taken into account in the example provided to also address non-security related requirements like usability and performance.

It gives guidelines for the development of secure products, systems and applications and is aiming for a more effective assessment with respect to the security properties they are supposed to implement.

ISO/IEC TS 19249 is related to IS 15408 and IS 18045 and addresses both developers and evaluators of secure products, systems, and applications.

This Technical Specification does not establish any requirements for the evaluation or the assessment process or implementation.

ISO/IEC TR 29193: Secure system engineering principles and techniques

This technical report, ISO/IEC TR 29193, offers guidance on secure system engineering for Information and Communication Technology systems or products, and emphasizes security engineering aspects within the scope of the development stages of the system lifecycle described in ISO/IEC 15288.

Drawing on the notion that it is better to build a system or product securely in the first place than to spend considerable resources after its instantiation, this technical report begins to offer guidance on how the use of these principles and techniques will support a system engineering process in obtaining results consistent with the system security characteristics and objectives determined for the ICT system or product.

ISO/IEC 21827:2008: Systems Security Engineering -- Capability Maturity Model® (SSE-CMM®). 

This standard was submitted through the Publicly Available Specification (PAS) process by ISSEA and remains in the ISO catalogue.

ISO/IEC 15443 ("FRITSA")

ISO/IEC TR 15443-1:2012:  Security assurance framework -- Part 1: Introduction and concepts

ISO/IEC TR 15443-2:2012: Security assurance framework -- Part 2: Analysis

Substantially revised in 2012. Part 1 discusses the nature of security assurance, providing a framework for further discussions and documents. Part 2 of this technical report describes the "criteria for criteria": it discusses security assurance schemes and how these themselves can be evaluated. While some schemes are of high quality, others may not be; what criteria can be used to tell?

Study Period on the Security requirements, test and evaluation methods for White Box Cryptography (WBC)

WG 3 is currently investigating the above topic.

~By Fiona Pattinson.
