Common Criteria Recognition Arrangement
8th ICCC, Rome, 25th September 2007
Report by the MC Chairman, Gen. Luigi Palagiano

Introduction
The diffusion of IT systems and networks empowers the international and national exchange of information.
But, at the same time…
The growing connectivity among secure and insecure networks creates new opportunities for unauthorized intrusions into sensitive networks and computer systems.

Terrorists, drug traffickers and criminal organisations will take advantage of the new high-speed information technologies to support their illegal activities.

System & Network complexity
The complexity of systems and computer networks is growing faster than the ability to understand and protect them by identifying critical nodes, verifying security, and monitoring activity and intrusion attempts.

Systems / Networks Threats
1. Capture data related to industrial, military or national security;
2. Destroy or control information systems for critical infrastructures (for example: airports);
3. Information alteration.

Definition of IT Security
Security can be defined as:
“Getting rid of any unacceptable risk”. The risks relate to the following categories of losses:
– Confidentiality of Information
– Integrity of Data and system related assets
– Availability of Data and Service

Confidentiality
Assurance that information is shared only among authorized persons or organisations.
Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned.

Integrity
Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose.
Assuring information will not be accidentally or maliciously altered or destroyed.

Availability
Ensuring that information and service is available to authorized users, when needed.

History of Common Criteria
– TCSEC (USA), 1983 - 1985
– Canada, first initiative, 1989 - 1993
– National and Regional European Initiatives, 1989 – 1993
– NIST - MSFR, 1990
– ISO Initiatives, 1992
– ITSEC, 1992
– Federal Criteria, 1992
– CTCPEC 3, 1993
– Common Criteria Project, 1993
– Common Criteria ver. 1.0, 1996
– Common Criteria ver. 2.0, 1998
– ISO 15408, 08/06/1999

History of Common Criteria
8th June 1999: CC is approved as International Standard ISO 15408.

Nations taking part in the Common Criteria Recognition Arrangement
Australia, Canada, Germany, Greece, Finland, France, Israel, Italy, Netherlands, New Zealand, Norway, Spain, U.S.A., United Kingdom

Common Criteria participant Nations (by year; number of participant nations in parentheses)
2000 (14): Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, Netherlands, New Zealand, Norway, Great Britain, Spain, U.S.A.
2002 (2): Austria, Sweden
2003 (2): Hungary, Turkey
2004 (2): Czech Republic, Japan
2005 (2): India, Singapore
2006 (2): Korea, Denmark
2007 (1): Malaysia

Variations during 2007
New entrant:
– Malaysia
Status change:
– Sweden
– Singapore
Interested in joining the CCRA:
– Tunisia
– Belgium

How are Countries divided?
Certificate Authorizing Participants:
– Australia - New Zealand, Canada, France, Germany, Japan, Korea, Netherlands, Norway, Spain, Sweden (*), UK, USA.
Certificate Consuming Participants:
– Austria, Czech Republic, Denmark, Finland, Greece, Hungary, Israel, Italy, India, Malaysia, Singapore, Turkey.
(*) shadow certification in progress