3. Aims of WP4
- To identify and analyse the core issues associated with certification
- To come up with the requirements by which existing evaluation and certification schemes could be used and possibly further developed, enhanced, adapted and integrated for the assessment and certification of products used for physical security of people and infrastructures (i.e. best practice).
- Three deliverables & five tasks
- Other important elements:
  - Legal study for each of the four tasks
  - STEFi – Security-Trust-Efficiency-Freedom Infringements
  - S.W.O.T. analysis
  - Three case studies: drones, alarm systems and CCTV
4. Key outcomes
- STEFi criteria repository (D.4.3)
- Legal demands for security PSS on four STEFi dimensions (D.4.1)
- Best practices of existing security evaluation and certification schemes (D.4.3)
- Key issues relating to certification (D.4.1, D.4.3)
- Shortcomings and threats of existing schemes (D.4.3)
- Risks for CRISP scheme and methodology (D.4.2)
- Recommendations for security certification schemes (D.4.3)
- Potential impact of security PSS to freedoms and rights, especially data protection & privacy (D.4.2)
5. 1. Shortcomings of existing schemes
- Majority of schemes: no clauses on freedoms and rights
- Efficiency aspect usually not considered
- Limited availability of scheme documentation: lack of transparency
- Schemes built on national or local regulations only: an obstacle for harmonisation
- Lack of transparency regarding validity or renewal of certificates
6. 2. Recommendations
- Open and transparent scope, rules and processes
- Strong monitoring mechanisms to supervise the compliance of the PSS with the certification rules and its normative references
- Accountability mechanisms: clear distribution of responsibilities
- Reliable normative references, such as European standards
- Governance which involves several stakeholders
- Multinational participation in the development process of the scheme to guarantee its pan-European nature
- Differentiation of testing and evaluation levels for different security functions/needs
- Thorough rules on documentation to ensure accuracy and openness to the interested parties
- Publication of the revoked and expired certificates
7. 3. Role of certification in enhancing end-user trust in security PSS
- Trust both in terms of the PSS and the certification body/process
- Certification that guarantees technical reliability and safety
- Transparency obligations to the security product manufacturers
- Certification that supports Privacy by Design
- Accountability
- Independence of the certification body
- Involvement of stakeholders
- Regular review of compliance and up-to-date auditing procedures
8. 4. Other key findings
- Legal gap in regulating certification in Europe
- Schemes not always stand-alone documents, but often complemented by other documentation (such as guidance, general rules, other scheme rules etc.)
“a minimum set of legal rules in the form of legal obligations could provide the market, and mainly the consumers of the certified products, with the legal certainty and boost the trust and confidence for the certified products”

“Fragmentation in scheme documentation has an impact on the comprehensiveness of the requirements they test”
9. 5. STEFi requirements scoring in existing schemes
- Security is the most addressed dimension, as expected – risk management requirements score higher
- Trust not directly addressed – mainly achieving trust by proving respect for rights and legislation
  - Reliability and perception (observability) score higher
  - Transparency and user/scrutinised awareness score lower
- Efficiency
  - General efficiency indicators, unintended economic effects and customisation of the PSS to the user needs score high
  - Energy efficiency and interoperability score low
- Fi (Freedom Infringements): data protection & data security requirements addressed more often compared to other rights, but not all STEFi attributes fulfilled
  - Location of data, equal treatment, profiling and automated decision score higher
  - Non-discrimination, presumption of innocence score lower
10. STEFi requirements scoring in existing schemes
- Codes of conduct and normative parts tend to include some of the societal aspects
- But: quite often the societal aspects are not audited – they appear only as reference/recommendation
- Standards and certification schemes: technical aspects
- Gap can be filled by the CRISP scheme