A summary of WP4 of the CRISP project - Analysis of core dimensions - Security, Trust, Efficiency and Freedom Infringement

1. WP4 Key Outcomes
Berlin, 4th September 2015
Irene Kamara
Vrije Universiteit Brussel (LSTS)

2. Overview
Aims and structure of WP4
Key findings of WP4
Input for next WPs
2

3. Aims of WP4
 To identify and analyse the core issues associated with certification
 To come up with the requirements by which existing evaluation and
certification schemes could be used and possibly further developed,
enhanced, adapted and integrated for the assessment and
certification of products used for physical security of people and
infrastructures (i.e. best practice).
 Three deliverables & five tasks
 Other important elements:
 Legal study for each of the four tasks
 STEFi – Security-Trust-Efficiency-Freedom Infringements
 S.W.O.T. analysis
 Three case studies: drones, alarm systems and CCTV
3

4. Key outcomes
 STEFi criteria repository (D.4.3)
 Legal demands for security PSS on four STEFi
dimensions (D.4.1)
 Best practices of existing security evaluation and
certification schemes (D.4.3)
 Key issues relating to certification (D.4.1, D.4.3)
 Shortcomings and threats of existing schemes (D.4.3)
 Risks for CRISP scheme and methodology (D.4.2)
 Recommendations for security certification schemes
(D.4.3)
 Potential impact of security PSS to freedoms and rights,
especially data protection & privacy (D.4.2)
4

5. 1. Shortcomings of existing schemes
 Majority of schemes: no clauses on freedoms and rights
 Efficiency aspect usually not considered
 Limited availability of scheme documentation : lack of
transparency
 Schemes built on national or local regulations only 
obstacle for harmonisation
 Lack of transparency regarding validity or renewal of
certificate
5

6. 2. Recommendations
 Open and transparent scope, rules and processes.
 Strong monitoring mechanisms to supervise the compliance
of the PSS with the certification rules and its normative
references.
 Accountability mechanisms: clear distribution of responsibilities
 Reliable normative references, such as European standards
 Governance which involves several stakeholders
 Multinational participation in the development process of the scheme
to guarantee its pan-European nature
 Differentiation of testing and evaluation levels for different security
functions/needs
 Open and transparent scope, rules and processes
 Thorough rules on documentation to ensure accuracy and openness
to the interested parties
 Publication of the revoked and expired certificates
6

7. 3. Role of certification in enhancing end-user trust in
security PSS
 Trust both in terms of the PSS and the certification
body/process
 Certification that guarantees technical reliability and
safety
 Transparency obligations to the security product
manufacturers
 Certification that supports Privacy by Design
 Accountability
 Independence of the certification body
 Involvement of stakeholders
 Regular review of compliance and up-to-date auditing
procedures
7

8. 4. Other key findings
 Legal gap in regulating certification in Europe
 Schemes not always stand-alone documents, but often
complemented by other documentation (such as guidance, general
rules, other scheme rules etc.)
8
“a minimum set of legal rules in the form of legal
obligations could provide the market, and mainly the
consumers of the certified products, with the legal
certainty and boost the trust and confidence for the
certified products”
“Fragmentation in scheme documentation has an
impact on the comprehensiveness of the
requirements they test”

9. 5. STEFi requirements scoring in existing
schemes
 Security is the most addressed dimension as expected –risk
management requirements score higher
 Trust not directly addressed –mainly achieving trust by proving
respect to rights and legislation
 Reliability and perception (observability) score higher
 Transparency and user/ scrutinised awareness score lower
 Efficiency
 General efficiency indicators, unintended economic effects and
customisation of the PSS to the user needs score high
 Energy efficiency and interoperability score low
 Fi: data protection & data security requirements addressed more
often compared to other rights. But not all STEFi attributes fulfiled
 Location of data, equal treatment, profiling and automated decision
score higher
 Non-discrimination, presumption of innocence score lower
9

10. STEFi requirements scoring in existing schemes
 Codes of conduct and normative parts tend to include
some of the societal aspects
 But: quite often the societal aspects are not audited –
only as reference/recommendation
 Standards and certification schemes: technical aspects
 Gap can be filled from CRISP scheme
10

11. Thank you