The 8th ICCC in Rome, Italy
Updates on Korean Scheme
IT Security Certification Center, National Intelligence Service
Introduction to ITSCC
• ITSCC (IT Security Certification Center) is…
  • Aiming at enhancing IT security in government organizations by evaluating and certifying the commercial IT security products that government organizations plan to procure
  • The certification body of Korea for security certification, responsible for the proper operation of the Korean Evaluation and Certification Scheme (KECS)
• Our six main roles
  • Issue Common Criteria certificates for IT security products
  • Regulate the procurement of products within government
  • Plan and develop Protection Profiles for IT security products
  • Approve IT security evaluation facilities
  • Operate the training and education program for evaluators
  • Participate in CC-related international cooperation
Korean Procurement Policy
• Government organizations must procure certified IT security products since 1 Jan. 2006
  • To promote the use of Common Criteria in Korea
  • To encourage Korean developers to produce sound security products that meet international standards
• Although this policy certainly contributed to improved confidence in commercial IT security products…
• We encountered a problem
  • The number of products applying for CC certificates far exceeded the evaluation capacity we could afford
  • This means products have to wait a long time in the queue before actual evaluation work begins
New Evaluation Facilities (1)
• The most obvious and effective solution was to expand the evaluation capacity of the country
  • There was only one evaluation facility, KISA (Korea Information Security Agency), which had been established by law
• In Dec. 2006, introduced a new procedure to approve evaluation facilities by amending the Korean Standard Lab. Accreditation Program
• As a result, we have two more evaluation facilities
  • Early this year, KTL (Korea Testing Laboratory) and KOSYAS (Korea System Assurance) applied for approval
  • After being accredited against ISO 17025, KTL and KOSYAS were finally approved as evaluation facilities on 29 June and 9 August, respectively
New Evaluation Facilities (2)
• Established the CC evaluator's license program
  • To produce quality IT security evaluators in order to meet the demands of the new evaluation facilities
  • Also, the need for systematic training and education of evaluators arose to ensure the quality of their work
• Three types of evaluator status
* In addition, from this semester we also teach top-notch graduate students to educate them as CC evaluators to a high standard
Domestic Certification
• Introduced a domestic certification scheme to shorten the evaluation time itself
  • Intended to deal with products that have waited, or are expected to wait, in the evaluation queue for quite a long time, say more than a year
  • Identical to CC except that sampling-based evaluation is used for some components rather than full examination, which can save up to four weeks of evaluation time
• The domestic scheme can only be regarded as a temporary solution because…
  • It still requires the same developer's evidence as CC
  • And there is no significant reduction in evaluation time, at the expense of internationally recognized CC certification
* Note: This domestic scheme is outside the scope of the conference
Provision of PPs
• Provide, in a timely manner, the PPs that IT security product developers most need
• We believe guiding developers to build products correctly can significantly reduce evaluation time, as it reduces the potential ORs (observation reports) raised by evaluators
• In view of this, ITSCC develops 4 Protection Profiles a year for products with a large demand from government organizations AND a high potential for market growth
* PPs can be downloaded from www.kecs.go.kr (in Korean)
CEMS (1)
• Improve the management process of evaluation and certification by employing an automated document management system called CEMS
  • Documents were handled manually because the EF and the CB were located very close to each other and therefore preferred in-person contact
  • However, manual handling of deliverables between CB and EF was partly responsible for inevitable delays in evaluation
  • Moreover, the locations of the new EFs are widely separated across the city, so electronic communication becomes necessary
• Therefore, started to build the CEMS system
  • Supports electronic management of documents
  • And also some essential functions of project management, such as real-time monitoring of progress
* CEMS: Certification and Evaluation Management System
CEMS (2)
• CEMS is a web-based client-server system, running on Windows Server with IIS and MS-SQL
• It consists of two subsystems, called CMS and EMS
  • CMS stands for Certification Management System, while EMS stands for Evaluation Management System
  • CMS is accessible only to certifiers inside the CB
  • EMS communicates with the evaluation facilities' own systems through secure communication channels
CEMS (3)
• Main features of CEMS developed so far:
  • Online document management and storage
  • Real-time monitoring of work progress
  • Management of document templates
  • CEMS user management and audit functions
  • Backup and other system maintenance
• With the help of CEMS, we expect to achieve improved efficiency in evaluation and certification and a reduction in evaluation and certification time
• For anyone interested in CEMS, a demonstration is available at our booth outside
Conclusion
Q & A
IT Security Certification Center
www.kecs.go.kr