Malaysian Common Criteria Evaluation
& Certification (MyCC) Scheme
– Activities and Updates –
Copyright © 2010 CyberSecurity Malaysia

Agenda
1. Understand
– Why we need product evaluation and certification
– ICT Product Certification Benchmark
– Common Criteria Recognition Arrangement
2. What is the MyCC Scheme and its components?
3. What is the potential market for certified CC products?
4. Way forward

Security Objectives
Try to answer the requirements of the CIA triad.
The question is: are those ICT products secure enough against threats and vulnerabilities?

Security Techniques
• Prevention: access control
• Detection: auditing
• Tolerance: practicality
Good prevention and detection both require good authentication as a foundation.

International vs Local ICT Products
• Which one is better?
• Whom do we trust most?
• What criteria are needed to stand on the same level?

Unseen Danger
• Software and hardware may contain hidden functions
• Danger exists when these secret codes are not revealed
• Many incidents have happened when attackers used these secret codes to gain access to the system
• Some ICT products claim to have all the security functions when in fact they do not.

Direct Impact
• Loss of money
• Bad reputation
• Low performance

Current Pattern of Vulnerabilities
Figure 1: Number of Vulnerabilities in Network, OS and Applications
Source: SANS – top cyber security risks

Why IT Security Evaluation is Important?
IT Security Evaluation:
• Meet government requirements
• Reduce vulnerabilities
• Easier product selection process
• Increased confidence in claimed security functionality
• Access international markets
• Continuous improvement of security technology
IT Security Evaluation is one method of gaining confidence in the security functions implemented by a product or system.

ICT Product Certification Benchmark

Comparisons of the available ICT product certification

| Certification | Description | Recognition |
|---|---|---|
| Common Criteria (CC) | Standard for gaining assurance in the security of IT products and systems through independent evaluation. To prove the validity of security functionality claims made by developers. | Globally |
| CESG Claims Tested Mark (CCTM) | Provides UK government quality mark for the public and private sectors based on accredited independent testing, designed to prove the validity of security functionality claims made by vendors. In more colloquial terms, the CCTM is designed to assure public bodies that a product or service does ‘what it says on the box’. | UK |
| TUVIT Trusted Product | Demonstrates the trustworthiness of products and systems. This trustworthiness is established on the basis of standards, technical directives and guidelines, lists of criteria or individual rules which correspond to the TÜViT product qualification concept. | Germany |
| ICSA Labs Product Certification | Intended to significantly improve commercial computer security and trust. | US |

Comparisons of the available ICT product certification

| Certification | List of products certified | Link |
|---|---|---|
| Common Criteria (CC) | Access control, detection, boundary protection, smart card, network devices and systems, data protection, databases, key mgmt systems, OS, digital signatures products | http://www.commoncriteriaportal.org/ |
| CESG Claims Tested Mark (CCTM) | Connection protection, erasure and disposal, integrity protection, media & device authentication, media & information protection, network link protection | http://www.cctmark.gov.uk/ |
| TUVIT Trusted Product | Domain registration system, web kiosk, Tri-Party Collateral Management, Bank Management Console portal | http://www.tuvit.de/english/Overview.asp |
| ICSA Labs Product Certification | Anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall products | http://www.icsalabs.com/ |

What is the Common Criteria?
• A common structure & language for expressing product/system IT security requirements (CC Part 1)
• A catalogue of standardised IT security requirement components & packages (security functional and security assurance requirements) (CC Part 2 & Part 3)
• Supported by a common methodology for gaining assurance that IT security requirements have been satisfied (CEM)

How did we get here?
[Timeline figure: US TCSEC (The Orange Book, ‘83, ‘85); Canadian Initiatives (‘89-’93) and CTCPEC 3 (‘93); Federal Criteria (‘92); European National & Regional Initiatives (‘89-’93) and ITSEC 1.2 (‘91); ISO Initiatives (‘92--); Common Criteria Project (‘93--); CC 1.0 (‘96); CC 2.X / ISO 15408 (‘99); CC 3.1 (‘06)]

Common Criteria
Standard for gaining assurance in the security of IT products through independent evaluation.
• A specifications language:
– Functionality. What is being evaluated?
– Assurance. How much and what type of confidence is required in the TOE?
• A methodology
– Repeatable. Same results different time.
– Comparable. Same process different product.
– Allows mutual recognition among CCRA nations.

Mutual Recognition
Certificate Authorising Participants
• Participants that represent a compliant Certification Body
• Mutually recognise certified products/systems produced by the Certificate Authorising Participants based on ISO/IEC 15408
• UK, USA, Australia, Canada, France, Germany, Spain, Norway, New Zealand, Netherlands, Korea, Japan, Italy, Sweden
Certificate Consuming Participants
• Participants that have a national interest in recognising CC certificates produced by the Certificate Authorising Participants based on ISO/IEC 15408
• Denmark, Greece, India, Finland, Hungary, Israel, Singapore, Turkey, Austria, Malaysia, Pakistan, Czech Republic
As of Oct 2009

MyCC Scheme
[Diagram: MyCC Scheme. Elements: Malaysian Common Criteria Certification Body (MyCB); Evaluation Facility (EF) / Malaysian Security Evaluation Facility (MySEF); STANDARDS MALAYSIA (MS ISO/IEC 17025), (MS ISO/IEC Guide 65); Common Criteria; CCRA; ICT Product or System; CC Certificate ("Issued for"); "Published under"]
The Cabinet, on 8 Oct 08, considered the Memorandum from the Minister of Science, Technology and Innovation No. 592/2618/2008 and agreed:
i. That CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation, be appointed as the sole National Certification Body for the ICT Security Evaluation and Certification Scheme based on MS ISO/IEC 15408: 2005 Information Technology – Security Techniques – Evaluation Criteria for IT Security; and
ii. That this National Certification Body be named the Malaysian Common Criteria Certification Body (Badan Pensijilan Common Criteria Malaysia)

MyCC Scheme Mission
“to increase Malaysia’s competitiveness in quality assurance of information security based on the Common Criteria (CC) standard and to build consumers’ confidence towards Malaysian information security products”

MyCC Scheme Background
• Project commenced in 2006 to establish the MyCC Scheme
– Driven by the 9th Malaysian Plan (2006-2010)
– Supported by the National Cyber Security Policy
• Malaysia accepted as certificate consumer under the CCRA on 28 March 2007.
• Malaysian Government accepted the Memorandum Jemaah Menteri No 592/2618/2008 from MOSTI and appointed CyberSecurity Malaysia as the sole certification body for MyCC Scheme.
• The MyCC commenced operations in August 2008.
• First evaluations commenced at EAL3/EAL4 to support application for certificate authorising status.

MyCC Scheme Services
• Security evaluation and certification of ICT products, systems and protection profiles
– Certify results of evaluations conducted against v3.1 of the Common Criteria (ISO/IEC 15408)
– Results published on MyCC Scheme Certified Products Register (MyCPR)
• Maintenance of assurance for security certified ICT products and systems
– In accordance with CCRA requirements for assurance continuity
– Maintenance addenda published on MyCC Scheme Certified Products Register (MyCPR)
• Recognition of certificates for special purpose
– In accordance with MyCC Scheme Policy

MyCC Scheme Roles
• CyberSecurity Malaysia
– Owner of the MyCC Scheme
– CEO CyberSecurity Malaysia is the MyCC Scheme Head
• MyCC Scheme Management Board
– At least five members, chair of the Board will rotate annually
– Provide strategic advice, guidance and recommendations to the MyCC Scheme Head
• Malaysian Common Criteria Certification Body (MyCB)
– A department within CyberSecurity Malaysia
– Manages the MyCC Scheme
– Certifies results of evaluations performed by licensed MySEFs
– Manages CCRA requirements

MyCC Scheme Roles
• Malaysian Security Evaluation Facilities (MySEFs)
– Organisations licensed by the MyCB to conduct evaluations of products and systems using the Common Criteria
• Sponsor
– The person or organisation that engages a MySEF to perform an evaluation
• Developer
– The person or organisation that has developed the product, system or protection profile
• Consumer
– The person or organisation that procures or uses the product or system

MyCC Scheme Benefits
• Improve the competitiveness of Malaysian ICT products in a global ICT market
• Enhance Malaysia’s reputation as a provider of ICT security assurance services globally
• Gain access to international markets for Malaysian ICT products
• Enhance the security of Malaysian information infrastructure
• Enhance the security of Malaysian ICT products

MyCC Scheme Process Overview
[Process diagram: Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme
Sponsor/Developer: Submit Application; Target of Evaluation (TOE); Protection Profile (PP)
Malaysian Security Evaluation Facility (MySEF), phases Plan, Execute, Close: Review Inputs; Evaluate Evidence; Submit to Technical Review; Submit Technical Report; Closedown
Malaysian Common Criteria Certification Body (MyCB), phases Accept, Oversight, Certify: Accept/Reject Application; Conduct Technical Review; Attend Testing & Site Visit; Review Technical Report; Develop Certification Report; Publish Evaluation Details
Consumer: Certified Target of Evaluation (TOE); Certified Protection Profile (PP)]

MyCC Scheme Publications
Policy / Strategy / Manual / Procedures
• MyCC Scheme Policy (MyCC_P1)
• MyCC Scheme Certified Products Register (MyCC_P2)
• MyCC Scheme Evaluation Facility Manual (MyCC_P3)
• MyCC Scheme Customer Manual (MyCC_P4)
• MyCC Scheme Certification Manual (MyCC_P5)
Publicly available documents at www.cybersecurity.my/mycc

International Market
As of 21 July 2010, there are 1,265 CC certified products and systems in the world. These products were certified by 14 CCRA Authorising countries and are recognised globally, especially by the 26 CCRA countries. The types of products certified are:
• Access control devices and system
• Boundary protection devices and systems
• Database
• ICs, smart cards and smart card related devices and systems
• Network and network related devices and systems
• Biometric systems and devices
• Data protection
• Detection devices and systems
• Key Management systems
• Operating systems
• Products for Digital Signatures
• Other devices and systems
• Trusted Computing
Reference: www.commoncriteriaportal.org

International Market
Findings from the scheme benchmarking:
• The US Government mandated the use of CC certified products for government agencies. Policies and instructions related to the use of CC certified products can be found on their web site (http://www.niap-ccevs.org/)
• The Australian and New Zealand Governments also established ACSI 33 and NZSIT 400: Australia and New Zealand ICT Security Policies, which provide policies and guidance to government agencies on how to protect their ICT systems and guidance on ICT product selection. CC certified ICT products are the preferred choice for securing government information because of the added assurance that security evaluation provides.

Local Market
• Malaysian Government is encouraging local ICT products to be evaluated and certified:
– Development of a policy to buy Malaysian ICT security products or solutions for the CNII. This policy encourages the use of certified ICT security products.
– Security evaluation and certification financial assistance for local ICT developers.

MyCC Scheme Implementation Plan
• Implementation will occur in three phases spanning five years and beyond
– Development – ends with CCRA certificate authorising acceptance
– Growth – ends with establishment of at least one MySEF external to CyberSecurity Malaysia
– Maturity – sufficient range of certified products and several licensed MySEFs operating such that policy mandate is possible
[Timeline figure: Aug - Dec 07 through Jan - Dec 2014, across the 9th Malaysian Plan and 10th Malaysian Plan; phases 1: Development, 2: Growth, 3: Maturity; note: "Overlap because of possible early increase in number of labs"]

MyCC Scheme Objective
MyCC SCHEME
• MyCB (Malaysian Common Criteria Certification Body): Certifying ICT products against CC Standard and using CC Evaluation Methodology (CEM)
• MySEFs (Malaysian Security Evaluation Facilities): ICT products security evaluation against CC Standard and using CC Evaluation Methodology (CEM)
CCRA CERTIFICATE AUTHORISING PARTICIPANT

Security Evaluation and Certification Project (1)
• To become a CCRA Authorising member, we need to evaluate and certify 2 ICT products, at least 1 at EAL3 and 1 at EAL4. This is called Trial Evaluation and Certification.
• There are 3 ICT products in evaluation:
– Firewall (EAL3)
– Single sign-on application (EAL4)
– Smartcard OS (EAL4+)

Security Evaluation and Certification Project (2)
• To stimulate the Malaysian economy, the Malaysian Government has accepted CyberSecurity Malaysia's proposal on ICT product security evaluation and certification.
• The implementation period of the Malaysia 2nd Economic Stimulus Package is 2 years (2009 – 2010).
• Under this project, the MyCC Scheme has to evaluate and certify local ICT products at EAL1 and EAL2.

Security Evaluation and Certification Project (2)
• Status of 2nd Economic Stimulus Package projects:

| As of July 2010 | No of Product |
|---|---|
| Registered financial assistance application | 103 |
| Selected for pitching | 44 |
| Successful financial assistance application | 27 |
| Products in acceptance phase (evaluation application review by MyCB) | 13 |
| Products accepted by MyCC Scheme and kickoff evaluation | 5 |

CCRA Certificate Authorising Participant
• Malaysia submitted the application for CCRA Certificate Authorising membership in Dec 2009.
• The application was accepted by CCRA in March 2010.
• Shadow Certification assessment by CCRA members for MyCC Scheme is planned to be conducted in Oct 2010.

Corporate Office:
CyberSecurity Malaysia,
Level 8, Block A, Mines Waterfront Business Park, No 3 Jalan Tasik, The Mines Resort City, 43300 Seri Kembangan, Selangor Darul Ehsan, Malaysia.
T +603 8946 0999
F +603 8946 0888
www.cybersecurity.my