TURKISH STANDARDS INSTITUTION

INFORMATION TECHNOLOGY and CYBER SECURITY CERTIFICATION SERVICES

[email protected] - [email protected] Necatibey Cad. No: 112 Bakanlıklar - ANKARA / TURKEY

www.tse.org.tr


• Determine whether the application meets the needs or not
• Provide the application's intelligibility
• Provide the application's correctness, security and effectiveness while it runs
• Check whether the system works properly according to the system requirements or not

3. Penetration and Security Testing

With the improvement of internet technologies, people have become used to performing important operations such as banking and official procedures over the internet. As these important services move to the internet, the potential for crime in real life increasingly moves to this new virtual world. That is why the security of the internet has become crucial and indispensable. To provide it, legal regulations related to cyber-crimes have been prepared.

Laws within the scope of cyber crimes:
Law No. 5237:
• 5237.243: Unlawfully entering an information system and remaining in it
• 5237.244: Preventing the operation of, or disrupting, an information system; destroying, manipulating or making inaccessible the data in it, placing data into the system or sending data in the system elsewhere; or unlawfully gaining advantage by using an information system
• 5237.235: Abuse of bank and credit cards
Law No. 5651 regulates the substantive and procedural provisions regarding hosting and domain providers.
But legal regulations of this kind are not enough to resolve the problems. So, performing penetration and security tests has become indispensable for applications.


TS ISO/IEC 15408 IT - Security techniques - Evaluation criteria for IT security (COMMON CRITERIA)

TS 13298 IT - Electronic records management

TS EN ISO 9241-151 Ergonomics of human-system interaction - Part 151: Guidance on World Wide Web user interfaces

TSEK 194, TS ISO/IEC 40500 Web Content Accessibility Guidelines

Security Evaluation/Tests


Shortage of time, lack of awareness and insufficient information are some of the reasons security evaluations are neglected.
• Security evaluation and security development are different things. The CC process is the best example of this: in the CC process both the tests of the security functions (ATE) and the resistance of the security architecture to attack (AVA) are evaluated. Both security development and security evaluation should be part of the application development process.
• While a security evaluation is done in limited time, the attack surface is nearly limitless. Thus, security evaluation should be planned, scheduled, organized and precisely targeted.
• Security evaluations should be repeated periodically, because the application may be modified and there are always new attack methods.
• The most crucial phase of a security evaluation is the reporting. Findings and the evidence identified during the evaluation should be reported precisely and reproducibly.


TS ISO/IEC 15504 IT – Process Capability Determination – SPICE Organizational Maturity

TS ISO/IEC 19790-24759 IT — Security techniques – Security Requirements for Cryptographic Modules and Test Requirements for Cryptographic Modules

TS ISO/IEC 25051 IT - software packages-quality requirements and testing

First Level Security Certification

QWEB Certification

Site Security Certification

[Diagram: parts of ISO/IEC 29119]
Part 1: Definitions & Vocabulary
Part 4

TS ISO IEC 15408 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - EVALUATION CRITERIA FOR IT SECURITY (COMMON CRITERIA)
IT PRODUCTS SECURITY

2

Common Criteria (Information technology -- Security techniques -- Evaluation criteria for IT security, ISO 15408) is the security standard developed, based on the TCSEC and ITSEC standards, to identify the security levels of information technology products and/or systems and to have them tested by independent laboratories; it was accepted by the International Organization for Standardization (ISO) in 1999 as the international IT security evaluation standard. By signing, in September 2003, the Common Criteria Recognition Agreement (CCRA) concluded among the countries that accept this standard, the Turkish Standards Institution, on behalf of Turkey, has accepted the evaluations of the certificate-producing countries and has implemented the Common Criteria Certification Scheme (CCCS), established within the TSE Product Certification Center. CCCS underwent a Shadow Certification by an audit group from the CCRA in April 2010. IT products that have received CC certificates from the Turkish Standards Institution, as the National Common Criteria Certification Body, based on the results of a licensed TSE independent test laboratory, obtain assurance that the security criteria are effective against the identified threats and that these criteria are correctly applied to the product. The TS ISO IEC 15408 standard has 3 parts: Part 1, Part 2 and Part 3. There are also 7 Evaluation Assurance Levels (EAL); assurance increases with the EAL number.

[Diagram continued: parts of ISO/IEC 29119 and their source standards]
Part 4: Test Techniques (BS 7925-2)
Part 2 (BS 7925-2, BS 7925-1)
Part 3: Test Documentation (IEEE 829), IEEE 1008

determining the application's performance levels under regular circumstances. The questions that performance testing intends to answer:
• Does the system meet the system requirements?
• How does the system work under regular circumstances?
• How do increases in system data traffic affect functionality and operation time?
• At which user level do performance problems occur?
• Which component of the system causes the decrease in performance levels?
In general, the performance testing process is as follows:
• Determining the structure of the system to be tested
• Determining normal and maximum load levels
• Creating scenarios and virtual users
• Selecting the test tool to be used
• Running the test
• Analysis and interpretation of the test results

2. Functional testing

Functional testing is the test which checks whether an application's functions are working properly. It considers whether the application meets the user's requests. It follows the user's actions and tries to ensure that the process flows work properly and that the requests are handled appropriately. There are input sets and expected output sets that match the previously identified requirements. The outputs of the tests and the pass/fail criteria are considered, and on this basis it is decided whether the application passes the test or not. The purposes of functional testing:

11

International Standard provides for four increasing, qualitative levels of security requirements intended to cover a wide range of potential applications and environments. The security requirements cover areas relative to the design and implementation of a cryptographic module. These areas include:

• cryptographic module specification;
• cryptographic module ports and interfaces;
• roles, services, and authentication;
• finite state model;
• physical security;
• operational environment;
• cryptographic key management;
• self-tests;
• design assurance;
• mitigation of other attacks.

This standard defines 4 security levels. The module can claim conformity to one of these levels depending on its security requirements. The first level requires basic security requirements; on the other hand, if the module receives a fourth security level certificate, it meets all of the security requirements in the standard. TSE conducts the CAVP (Cryptographic Algorithm Validation Program) and the CMVP (Cryptographic Module Validation Program). If a vendor wants to apply for CMVP, its module has to include at least one validated cryptographic algorithm; otherwise, it has to apply for CAVP.
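As an added illustration (not from the TSE brochure and not any vendor's module), here is a Python sketch of two of the areas listed above, the finite state model and power-up self-tests: known-answer tests run before any service is offered, and a failed test sends the module to an error state in which no cryptographic output is produced. The test vectors are the published SHA-256("abc") digest and RFC 4231 HMAC-SHA-256 test case 1; the CryptoModule class, its states and the fault-injection hook are assumptions made for the illustration.

```python
"""Illustrative model (not a validated module, not TSE's or any vendor's code)
of two ISO/IEC 19790 requirement areas: the finite state model and power-up
self-tests, here known-answer tests (KATs) on SHA-256 and HMAC-SHA-256."""
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    POWER_OFF = auto()
    SELF_TEST = auto()
    OPERATIONAL = auto()
    ERROR = auto()


# Published test vectors: SHA-256("abc") and RFC 4231 HMAC-SHA-256 test case 1.
SHA256_KAT = (b"abc",
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_KAT = (b"\x0b" * 20, b"Hi There",
            "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")


class CryptoModule:
    """Hypothetical module: every service checks the module state first."""

    def __init__(self, hmac_expected=HMAC_KAT[2]):
        self.state = State.POWER_OFF
        self.failures = []
        # Constructed hook: passing a wrong expected value simulates a
        # corrupted HMAC implementation so the error path can be exercised.
        self._hmac_expected = hmac_expected

    def power_on(self):
        """POWER_OFF -> SELF_TEST -> OPERATIONAL, or ERROR if any KAT fails."""
        self.state = State.SELF_TEST
        self.failures = []
        if hashlib.sha256(SHA256_KAT[0]).hexdigest() != SHA256_KAT[1]:
            self.failures.append("SHA-256 KAT")
        key, msg, _ = HMAC_KAT
        if hmac.new(key, msg, hashlib.sha256).hexdigest() != self._hmac_expected:
            self.failures.append("HMAC-SHA-256 KAT")
        # A failed self-test must leave the module in an error state in which
        # no cryptographic output is produced until it is reset and re-tested.
        self.state = State.ERROR if self.failures else State.OPERATIONAL
        return self.state

    def hmac_sha256(self, key, data):
        """Approved service; refused unless the module is OPERATIONAL."""
        if self.state is not State.OPERATIONAL:
            raise RuntimeError("service refused in state " + self.state.name)
        return hmac.new(key, data, hashlib.sha256).hexdigest()


def refuses_service(module):
    """True if the module inhibits output (expected in ERROR and POWER_OFF)."""
    try:
        module.hmac_sha256(b"k", b"m")
    except RuntimeError:
        return True
    return False
```

Calling power_on() on a fresh CryptoModule returns State.OPERATIONAL, while CryptoModule(hmac_expected="00" * 32).power_on() returns State.ERROR and every subsequent service call is refused.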

TS ISO IEC 15504 SPICE INFORMATION TECHNOLOGY — PROCESS ASSESSMENT SOFTWARE PROCESS IMPROVEMENT AND CAPABILITY DETERMINATION

The Turkish Standards Institution, aware of its task of creating and disseminating standards, has brought TS ISO IEC 15504/SPICE training, assessment and certification functions to Turkey with an expert team licensed as an "International SPICE Certification Body", and has thereby taken a very important step towards growing the notion of "Software Quality" in Turkey. TSE has also started to perform SPICE assessments and issue certificates.

The goal of the SPICE model is to provide a common basis for different software evaluation models and methods, so that the results of evaluations can be reported in a common language.

The evaluation system is similar to the Common Criteria evaluation system. There are three different parties: the Certification Body, the Evaluator and the Vendor. The TS ISO/IEC 24759 standard is used as a guidance document by the laboratory and the vendor; in this respect, this standard is similar to the Common Evaluation Methodology.


TSE-CMVP: Cryptographic Module Validation Program TSE-CAVP: Cryptographic Algorithm Validation Program

SOFTWARE TESTING LABORATORY

The ISO/IEC 29119 software testing standard, which will guide software testing, is being prepared based on the standards IEEE 829, IEEE 1008, BS 7925-1/-2 and IEEE 1028. The draft of the standard contains these parts:

1. Performance testing

Performance testing is the measurement of a system's performance when the system is under load, and the assurance of the expected system performance. Performance testing aims to work out the bottlenecks of the system under overload in components such as code and the database, while

The reference model describes the essential targets required of software engineering at the upper level and is applied to all software companies that want to supply, develop, operate or improve software and aim to create the capability to support software. The model is not based on a specific organisation structure, management philosophy, software life-cycle, software technology or a specific development methodology.


TS 13298 ELECTRONIC DOCUMENT MANAGEMENT

TSE also provides certification services for the TS 13298 Electronic Document Management standard. This standard includes the items below in order to identify the standards required for protecting the properties of electronic documents produced, or producible, within organisations:

• Required system components for an Electronic Document Management System (EDMS)
• Required document management techniques and applications for EDMS
• Requirements that enable the management of electronic documents
• Requirements that enable the management functions of non-electronic documents to be maintained in the electronic environment
• Diplomatic properties of electronic documents which are mandatory
• Precautions that ensure the judicial legality of electronic documents
• Completing the system infrastructure required to use electronic signatures and stamps

TS ISO IEC 25051 INFORMATION TECHNOLOGIES SOFTWARE PRODUCT QUALITY CERTIFICATION


TSE also provides certification services for the Software Product Quality Certification standard. This standard can be applied to software products such as text processors, spreadsheets, database programs, graphics products and programs with technical or scientific functions. TS ISO IEC 25051 consists of:

• Properties of software products (quality properties)
• Guidance that shows how the software product is tested

It does not include the processes by which software products are produced.



Qweb is the IQNet system for the certification of e-business activities world-wide

Major benefits for companies or consumers using services and buying goods on the internet are:
• the site is reliable and legally registered
• the e-business service is of the best quality
• the selling conditions and delivery terms are clear and true
• security and privacy are applied to the treatment of personal and financial data
• customers' complaints are taken into consideration and appropriately dealt with
• consumers may have recourse to out-of-court dispute settlement.

TS EN ISO 9241-151 ERGONOMICS OF HUMAN-SYSTEM INTERACTION - GUIDANCE ON WORLD WIDE WEB USER INTERFACES

It is widely accepted that usability is a key factor in successful website design, but until now there has been no internationally agreed standard that specifically addressed the usability of World Wide Web (WWW or Web) user interfaces. This part of ISO 9241 provides guidance on the human-centred design of software Web user interfaces with the aim of increasing usability. Web user interfaces address either all Internet users or closed user groups such as the members of an organization, customers and/or suppliers of a company, or other specific communities of users. The recommendations given in this part of ISO 9241 focus on the following aspects of the design of Web user interfaces: high-level design decisions and design strategy; content design; navigation and search; content presentation.

CRYPTO

TS ISO IEC 19790 AND TS ISO IEC 24759 (EQUIVALENT TO FIPS 140-2/3) INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES AND TEST REQUIREMENTS FOR CRYPTOGRAPHIC MODULES

In information technology there is an ever-increasing need to use cryptographic mechanisms for purposes such as the protection of data against unauthorised disclosure or manipulation, entity authentication and non-repudiation. The security and reliability of such mechanisms depend directly on the cryptographic modules in which they are implemented. This


QWEB CERTIFICATION

Rapid changes in information technologies affect human life; not only individuals but also companies that provide public services are adapting their skills to new conditions by developing and using new methods and techniques. E-business activities are increasing day by day thanks to transparency, accountability, openness, improvement of service quality, and reduced waste of time and resources.

e-Commerce

As defined by the OECD, an e-commerce transaction is the sale or purchase of goods or services, conducted over computer networks by methods specifically designed for the purpose of receiving or placing orders. The private sector has taken an interest in the e-commerce concept in recent years. Most companies are marketing and selling their products and services on the internet. Some transactions are widely run online, such as buyers' research before buying, companies' meetings and deals, payment transactions, fulfilment of liabilities, delivery procedures, and after-sales maintenance and support. The increasing number of e-business and e-commerce activities brings the need for standards and certification. With Qwebmark certification, trustworthiness, quality of service, security level and transparency will increase.


Qweb Mark

The purpose of the Qweb certification scheme is to develop and raise trust and confidence in electronic business, and also to ensure security and privacy in the treatment of personal and financial data. Qweb is the e-business certification system that allows real growth of companies towards quality and security with increasing attention to customers' needs.

Advantages

Major benefits for companies offering goods, services and information on the Internet are:
• the e-business activity conforms to the best available standards
• with a mouse click the certification is validated and information is given about the company, the certification body and the activity which is carried out
• priority is given to the customer's expectations
• the e-business activity is secure, reliable and customer-friendly
• the company can rely upon the customer's confidence as a competitive advantage

WEB CONTENT ACCESSIBILITY GUIDELINES TSEK 194 - ISO/IEC 40500:2012

Web Content Accessibility Guidelines (WCAG) TSEK 194 - ISO/IEC 40500:2012 covers a wide range of recommendations for making Web content more accessible. Following these guidelines will make content accessible to a wider range of people with disabilities, including blindness and low vision, deafness and hearing loss, learning disabilities, cognitive limitations, limited movement, speech disabilities, photosensitivity and combinations of these. Following these guidelines will also often make your Web content more usable to users in general. WCAG - TSEK 194 success criteria are written as testable statements that are not technology-specific. Guidance about satisfying the success criteria in specific technologies, as well as general information about interpreting the success criteria, is provided in separate documents. Web Content Accessibility Guidelines (WCAG) is developed through the W3C process in cooperation with individuals and organizations around the world, with the goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally. WCAG is primarily intended for:
• Web content developers (page authors, site designers, etc.)
• Web authoring tool developers
• Web accessibility evaluation tool developers
• Others who want or need a standard for web accessibility
Related resources are intended to meet the needs of many different people, including policy makers, managers, researchers, and others.


SITE SECURITY CERTIFICATION

One part of the security of IT products is the security of the environment in which they are developed. The security of the environment in which a product is developed is ensured with the Site Security Certification Programme. Thanks to this certification, "CC certification without a TOE" and "reuse of the Site Security Certification in the TOE evaluation" are provided, in order to verify that a predefined environment meets the CC requirements of the ALC class. The purpose is to save time and cost. The scope of this certification program is defined below:
• Definition of the evaluation of the environments in which products subject to Common Criteria certification are developed, together with the processes, criteria and methodologies for the certification
• Modular evaluation/certification of the environment without any TOE
• Use of the results of the certification process in a succeeding Common Criteria product evaluation
• Provision of reusable evaluations for ALC
Site Security Certification consists of 3 basic procedures, defined below:
• Site Security Certification Procedure: includes all mandatory phases needed to issue the "Site Security Certification" to a development environment or a part of it.
• Integration Procedure: defines the procedure for merging all certified and/or uncertified parts of a lifecycle into a larger asset.
• Procedure for the Integration of Site Security Certifications: provides reusability of the certified ALC materials for a defined TOE evaluation.


In brief, Site Security Certification is the security certification of the environments that take part in the development of various products, and the use of these evaluation results to simplify the different TOE evaluation processes in terms of time and cost.

FIRST LEVEL SECURITY CERTIFICATION

One of the major subjects in cyber technologies is 1st Level Security Certification. 1st Level Security Certification is a security evaluation programme that aims at a simple, fast and effective security evaluation. Participants in the 1st Level Security Certification process are:
• the sponsor;
• the evaluation facility;
• the certification body within ANSSI;
• optionally, the developers of the product submitted for evaluation.

The Certification Body draws up the procedures, forms, guides, etc. that allow 1st Level Security Certification to be implemented, elaborates the criteria and general methods of evaluation for 1st Level Security Certification, and licenses evaluation facilities that satisfy the criteria listed in the licensing procedure of the certification body. An evaluation facility is licensed by TSE (the Certification Body) only for the technical areas in which it has proven to hold sufficient expertise. The evaluation facility evaluates the product with its technical experts and reports its findings to the Certification Body. The First Level Security criteria define the minimum security requirements that a product or system should have. A product evaluation should verify that the product provides the security specifications stated in the security target, that all security functions reach at least the "base" level of strength, and that no vulnerability is found during the evaluation. The evaluation has two basic targets:
• To identify the suitability of the product's security specification.
• To determine the effectiveness of the security functions provided by the product.
The evaluation has two additional targets if the basic security functions of the product are performed by cryptographic mechanisms. Within the scope of TSE's Crypto Module/Algorithm Verification Programme, in tests performed according to the test requirements of TS ISO/IEC 24759 for cryptographic modules, the cryptographic mechanisms of the product are examined:
• To identify their suitability to the security requirements of TS ISO/IEC 19790.
• To identify that these mechanisms are correctly applied by the product according to their definitions.
The evaluation relies on the items below:
• current documentation;
• general vulnerability databases listing the vulnerabilities which should be tested for, or at least known;
• the product itself, set up on a test platform that represents the predicted usage environment.

