
Update on the German Scheme

Update on the German Scheme. Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security). September 25, 2007. Irmela Ruhrmann Head of Division Certification, Approval and Conformity Testing Gereon Killian Head of Certification Body. BSI Certification.


Presentation Transcript


  1. Update on the German Scheme Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security) September 25, 2007 Irmela Ruhrmann Head of Division Certification, Approval and Conformity Testing Gereon Killian Head of Certification Body

  2. BSI Certification: The Federal Office for Information Security (BSI) was established by the German Parliament in 1991. § 3 of the Act on the Establishment of the BSI, dated 17.12.1990 (Federal Law Bulletin I p. 2834), defines the tasks of BSI.

  3. BSI Certification • Act on Establishment of BSI (BSIG: December 1990) • Decrees of the Federal Minister of the Interior (e.g. handling of cryptographic problems) • BSI Certification Ordinance (BSI ZertV) • Schedule of Costs (BSI-KostV)

  4. German Certification Scheme IT-SECURITY CRITERIA History • 1989: Green Book of BSI • 1991: Information Technology Security Evaluation Criteria (ITSEC) • 1999: Common Criteria (CC) V2.1 - Standard ISO/IEC 15408 • 2004: Common Criteria (CC) V2.4 - ASE/APE Trial Use Version • 2005: CC V 3.0 Trial Use Version • 2005: Common Criteria (CC) V2.3 - Standard ISO/IEC 15408 • 2006: CC V 3.1, approved by MC in September 2006. Criteria for the Evaluation of the Security of Information Technology Systems (ITSEC), June 1991; Common Criteria for Information Technology Security Evaluation, Part I: Introduction and general model, May 1998, Version 2.0, CCIB-98-026

  5. German Certification Scheme BSI-Certificate. BSI as Federal Office for Information Security, supported by • accredited evaluation facilities • licensed auditors • international committees for criteria development and harmonisation and for mutual recognition. Product Certification (BSI TR): Product Certificates - confirm product specific security functionality and quality (CC/PP) - confirm system interoperability and functional aspects (TR). ISO 27001 Certification in compliance with BSI Baseline Protection (ISO 27001 / BSI IT BP): BSI Certificate confirms functioning and effective IT security management. Customer, User, Operator. In the BSI Certification Scheme, ISO 27001 in compliance with BSI Baseline Protection and Product Certification are intended to be complementary.

  6. German Certification Scheme BSI Accreditation - Evaluation Facilities (1) CC and/or ITSEC ITSEFs: • Atos Origin GmbH • atsec information security GmbH • brightsight bv (former TNO-ITSEF BV) • CSC Deutschland Solutions GmbH • datenschutz nord GmbH • DFKI (German Research Institution for Artificial Intelligence) GmbH • media transfer AG • secunet SwissIT AG • SRC Security Research & Consulting GmbH • Tele-Consulting security | networking | training GmbH (TC) • T-Systems GEI GmbH • TÜV Informationstechnik (TÜVIT) GmbH • Industrieanlagen-Betriebsgesellschaft mbH (IABG) (only ITSEC)

  7. German Certification Scheme BSI Accreditation - Evaluation Facilities (2) ITSEF for evaluations against BSI-TR (BSI Technical Guidelines): BSI TR 03104 (ePass production data acquisition, quality check and data transmission) • Fraunhofer Institut für Angewandte Optik und Feinmechanik. BSI TR 03105 (ePassport Conformity Testing) • CETECOM ICT Services GmbH • Secunet Security Networks AG

  8. German Certification Scheme Acquisition Policies for CC Certified Products. EU Commission: • Digital Tachograph: Directive equivalent to law. NATO: • Infosec Technical and Implementation Guidance on the use of Common Criteria within NATO. Multilateral Defense: • Airbus A 400M • Eurofighter 2000. UN/G8: • G8 - Principles on Critical Infrastructure Protection. Germany: • Digital Signature Law • Health Cards and related products • ePassport and eID documents. Acquisition Policies in EU/Germany at this point in time concern special areas (defense, health sector, ID cards). Trend: increasing importance

  9. German Certification Scheme Product-types Certified / under Certification (Software Products, Hardware Products) • Smartcard Reader • Smartcard Controller • Operating Systems - Mainframe - Midsize • Tachograph Components - Motion Sensor, - Vehicle Unit, - Smartcard • PC Security Products - Security Shells - Integrity Protection • Data Communication Products • Firewalls • Biometric Security Products - (Voice Identification) • Signature Applications • Smartcard with OS and Applications

  10. German Certification Scheme Market development of CC certified Products

  11. German Certification Scheme Market development of CC certified Products

  12. German Certification Scheme Types of certification procedures • Certification parallel to the product development • Certification of a finished product • Assurance Continuity • Re-evaluation • Maintenance (mostly on HW/Smartcard, a few on SW, one on PP)

  13. German Certification Scheme Recent Certificates (Examples 1) • Infineon Smartcard-Controller (SLE66CL180PE, SLE66CL180PEM, SLE66CL180PES, SLE66CL81PE, SLE66CL81PEM, SLE66CL80PE, SLE66CL80PEM, SLE66CL80PES, SLE66CL41PE) • Renesas Smartcard-Controller (AE55C1 (HD65255C1)) • SuSE LINUX Operating Systems (SUSE Linux Enterprise Server V 8, with ServiceProductsPack 3) • Microsoft Exchange Server, Data bank server (Database Engine of Microsoft SQL Server), Firewall (ISA Server), Directory-Server • IBM Operating Systems, e.g. z/OS, AIX, PR/SM, Directory-Server, Tivoli Access Manager

  14. German Certification Scheme Recent Certificates (Examples 2) • GeNUA Firewall (GeNUScreen 1.0) • NXP Semiconductors Germany Smartcard Controller (P5CD080V0B, P5CN080V0B and P5CC080V0B) • Sharp Smartcard Controller (SM4148) • Océ Technologies Printer Controller (Océ SRA Controller Version 3, Bundle 8.02) • OPENLiMiT SignCubes AG Signature application software (SignCubes base components 2.1) • Siemens VDO Tachograph (Digital Tachograph DTCO 1381, Release 1.2a)

  15. German Certification Scheme Recent Maintenance Examples

  16. German Certification Scheme Important Certification Projects (1) ePassport • The new German ePass includes biometrics with latest contactless smartcard (ISO 14443) and IT-security technology. • TOE: RFID-Controller (HW), embedded-SW (OS), MRTD (ICAO) application. • Life-Cycles: development, manufacturing, personalisation, operation. • IT-Security Certification according to CC PPs and conformity-tested according to Technical Guideline. Technical Guideline: BSI-TR 03105 "ePassport Conformity Testing" (TR-ePass). Protection Profile: Machine Readable Travel Document with "ICAO Application", Extended Access Control, Version 1.1

  17. German Certification Scheme Important Certification Projects (2) National eHealth-Card. Key Security Components to be certified according to certified Protection Profiles: • eGK - Electronic Health Card for 80 million citizens replacing the KVK (health insurance card). • HPC - Health Professional Card for more than 500,000 health professionals. • SMC - Security Module Card to be used by an institution under control by a health professional. • B4HC - Bit4Health Connector, provides access to the central telematics infrastructure.

  18. German Certification Scheme Important Certification Projects (3) Digital Tachograph Certification requirements according to EU Directive: • specified in „Generic Security Targets“ • in conformity with the Common Criteria Protection Profile concept • ITSEC, E3 high • Common Criteria (CC), EAL 4+ Technical Components: • Motion Sensor • Vehicle Unit • Tachograph Card (workshop/service, police, driver)

  19. German Certification Scheme Other Recent Protection Profile Developments • PP on Software for protection of personal video data - Closed Circuit Television (CCT) • Electronic Voting PPs (CC V2.3 / CC V3.1) • PP for USB-data storage devices • Mobile Synchronization Services PP • Security IC Platform Protection Profile (CC V3.1)

  20. German Certification Scheme Important Projects inside the BSI Certification Scheme • ISO 9001 - Certification according to industry rules: QM-System of CB has been certified • Site Certification: Introduction in the German scheme 4th quarter 2007 • Guidance for Developer's Documents • Update of Scheme Interpretations for CC V3.1 ongoing

  21. Perspectives & Conclusions • Certification improves IT-Security & IT-Product quality • World-wide increasing number of certificates and PPs • Success factors: • Common Criteria as an International Standard • Regulations and Public Acquisition policy promote product certification • Certification required by the Public and Private Sector • Certification Policy is part of the National Plan for Information Infrastructure Protection in Germany • Complete product platforms of IT market leaders get certified • New CC-versions and scheme-efforts make certification less complex • Optimisation of CB internal process enhances efficiency • Increasing effort in development of Protection Profiles

  22. Contact Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) Godesberger Allee 185-189 53175 Bonn Tel: +49 (0)3018 9582 111 Fax: +49 (0)3018 10 9582 5477 zerti@bsi.bund.de www.bsi.bund.de www.bsi.bund.de/gshb/zert
