Swedish Scheme Update Dag Ströman, Head of CSEC

Transcription

1 Swedish Scheme Update Dag Ströman, Head of CSEC 1

2 CSEC - The Legal Base Swedish Parliament approval of the Government bill in May 2002, which stated: The Swedish Defence Materiel Administration, FMV, is suitable to be assigned the task of creating and maintaining a system for evaluation and certification according to Common Criteria FMV shall be responsible for licensing of evaluation facilities FMV shall operate a certification body and issue the certificates FMV shall engage in the international cooperation to assure and preserve the recognition of Swedish certificates FMV shall contribute internationally in the continued improvement of the evaluation methodology The certification body shall be eligible for accreditation by SWEDAC 2

3 Governmental Context 3

4 CSEC s Main Tasks Licensing of ITSEF Oversight of ITSEFs operations Training and support to ITSEF Oversight of evaluations Review evaluation reports Write certification reports Issue certificates Publish list of certificates Participate in international cooperation: Interpretation Harmonisation Standardisation Marketing of CC Maintain and develop the Scheme. Enforce the rules of the Scheme. 4

5 CSEC - Boards and Committees FMV Board of Directors Lead by FMV chairman of the board Establish policies and provides oversight that scheme operation are in accordance with directions from the government. Scheme Advisory Committee Lead by Head of CSEC Enable the participation of all parties significantly concerned in the development of policies and principles regarding the content and functioning of the certification system. See: SP-103 Terms of Reference for the Scheme Advisory Committee. Change Control Board Lead by Quality Manager The Change Control Board (CCB) is established to manage and control the CSEC procedures for change management and handling of nonconformities. 5

6 The Scheme An Overview CSEC 6

7 Full License Cond.. License Application The Licensing Process Agreement Agreement Preparation Organizational and legal setup Assessment Initial training Initial assessment Enter ISO accreditation Conditional license Trial evaluation Full license assessment Obtain ISO accreditation License Maintain License Conduct evaluations Train evaluators Re-assessments Termination 7

8 Evaluation and Certification Process Developer Sponsor ITSEF CB Pre-Evaluation Evaluation initial contact Feasibility study Acceptance of evaluation Certification Application Initial meeting Certification acceptance Conduct Conclusion Evaluation evidence Single Evaluation Report Single Evaluation Report Technical Oversight Report Final Evaluation Report Technical Oversight Report Certification Report Certificate 8

9 Scheme Publications 1(2) SP-001 Certification and Evaluation Scheme - Scheme Overview SP-002 Evaluation and Certification SP-003 Certificate Maintenance SP-004 Licensing of Evaluation Facilities SP-005 Mutual Recognition and International Liaison SP-007 Quality Manual SP-008 Charges and Fees SP-010 Certification Application - Form SP-021 ITSEF License Application Form SP-022 Evaluator Status Change Application Form 9

10 Scheme Publications 2(2) SP-024 Evaluator IT Security Competence Form SP-061 Certification Agreement Form SP-070 Conditions for the Use of Trademarks SP-079 Licensing Agreement Form SP-084 Sponsor's and Developer's Guide SP-089 Complaint Report Form SP-092 Appeal Report Form SP-094 Request for Interpretation Form SP-103 Terms of Reference for the Scheme Advisory Committee SP-136 Legal Dependencies SP-153 License Agreement 10

11 Current Status CSEC Staff, docs and procs in place. Four certifications running EN45011 accreditation close to completion CCRA Shadowing done in early Sep Labs Combitech and atsec Both got conditional license from CSEC Both accreditation close to completion. Both trial evaluations close to completion About 10 evaluators in the Scheme. 11

12 Cooperation with SEMA SEMA Swedish Emergency Management Agency Information booklet about CC & CCRA. Study to find CCRA Protection Profiles that could be suitable for use by Swedish government agencies. Cooperation with other Swedish government agencies to: Identify most common threats to IT-products used by Swedish gov. Identify most common IT-sec incidents caused by weaknesses of such IT-products. To be used as knowledge base during certifiers oversight of PP and Product evaluations. 12

13 Thanks for your attention. Q s? More info: 13