
EUCA 22 - Let's harmonize labs competence ISO 19896

Javier Tallón, Security Expert at jtsec Beyond IT Security

Harmonization of the competence of the different labs and evaluators has always been a topic for discussion in the cybersecurity certification community. At ISO level, a new standard has been approved to support this goal: ISO/IEC 19896. ISO/IEC 19896 sets out the requirements for information security testers and evaluators, including a set of concepts and relationships for understanding the competence of individuals performing Common Criteria evaluations. The requirements of this new ISO standard allow verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISO standard and how to apply it in Common Criteria, which will be explained during the talk. The talk will also address how EUCC, the first European cybersecurity certification scheme for ICT products, will cover the requirements of this ISO standard and other related standards.

• 3. Index
❑ 1. Introduction
❑ 2. ISO/IEC 19896 Structure
❑ 3. ISO/IEC 19896 Part 1
❑ 4. ISO/IEC 19896 Part 3
❑ 5. ISO/IEC 19896 Part 3 - Annexes
❑ 6. Conclusions

• 4. Introduction
❑ One important factor in assuring comparability of the results of evaluations is to understand that the evaluation process includes the specification of both objective and subjective assurance measures.
❑ Hence the competence of the individual evaluators is important when the comparability and repeatability of evaluation results are the foundation for mutual recognition.

• 5. Introduction
❑ ISO/IEC 17025 defines some competence requirements:
  ❑ 6.2.2 The laboratory shall document the competence requirements for each function influencing the results of laboratory activities, including requirements for education, qualification, training, technical knowledge, skills and experience.
  ❑ 6.2.3 The laboratory shall ensure that the personnel have the competence to perform laboratory activities for which they are responsible and to evaluate the significance of deviations.
  ❑ 6.2.5 The laboratory shall have procedure(s) and retain records for:
    ❑ a) determining the competence requirements;
    ❑ …
    ❑ f) monitoring competence of personnel.

• 6. Introduction (ISO/IEC 23532)
❑ ISO/IEC 23532 further refines these requirements:
  ❑ 6.2.5.1 The evaluation laboratory shall have procedure(s) and retain records for:
    ❑ a) determining the competence requirements for personnel in ISO/IEC 19896-3;
    ❑ …
    ❑ f) monitoring of competence of personnel.
  ❑ NOTE The laboratory shall review annually the competence of each evaluator for each test method the evaluator is authorized to conduct. The evaluator's immediate supervisor, or a designee appointed by the Laboratory Director, shall conduct annually an assessment and an observation of performance for each evaluator. A record of the annual review of each evaluator shall be dated and signed by the supervisor and the employee. A description of competency review programs shall be maintained in the management system.
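The record-keeping clauses quoted on the introduction slides (the ISO/IEC 23532 6.2.5.1 NOTE on annual, dated reviews signed by supervisor and evaluator for each authorized test method, and 6.2.7 on position descriptions, training records and resumes) lend themselves to an automated self-check of a lab's competence records, which is what a lab needs to evidence 6.2.5 f) "monitoring of competence of personnel". The script below is an added example written for this page, not code from the talk, from jtsec or from the standard; the record layout, the evaluator names, the test-method labels and the reading of "annually" as "within the last 365 days" are all constructed assumptions.

```python
"""Self-check of laboratory competence records against the ISO/IEC 23532
clauses quoted in the slides (6.2.5.1 NOTE and 6.2.7).

Added example, not code from the talk or from jtsec. Record layout and sample
data are constructed; 'annually' is read as 'within the last 365 days', which
is an assumption rather than wording from the standard.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)  # assumption: how "annually" is measured


@dataclass
class CompetenceReview:
    """One annual assessment of an evaluator for one test method (6.2.5.1 NOTE)."""
    test_method: str
    review_date: date
    signed_by_supervisor: bool
    signed_by_evaluator: bool
    performance_observed: bool  # supervisor observed the evaluator at work


@dataclass
class Evaluator:
    name: str
    authorized_methods: list[str]            # test methods this person may conduct
    reviews: list[CompetenceReview] = field(default_factory=list)
    has_position_description: bool = False   # 6.2.7 personnel records
    has_training_records: bool = False
    has_resume: bool = False


def review_is_complete(review: CompetenceReview) -> bool:
    """A review counts only if both parties signed it and it includes an observation."""
    return (review.signed_by_supervisor
            and review.signed_by_evaluator
            and review.performance_observed)


def check_evaluator(evaluator: Evaluator, as_of: date) -> list[str]:
    """Return one finding per missing or incomplete record for this evaluator."""
    findings: list[str] = []
    window_start = as_of - REVIEW_PERIOD

    # 6.2.5.1 NOTE: one dated, signed review per authorized test method per year.
    for method in evaluator.authorized_methods:
        in_window = [r for r in evaluator.reviews
                     if r.test_method == method and window_start <= r.review_date <= as_of]
        if not in_window:
            findings.append(f"{evaluator.name}/{method}: no competence review in the last year")
        elif not any(review_is_complete(r) for r in in_window):
            findings.append(f"{evaluator.name}/{method}: review on record is unsigned or lacks observation")

    # 6.2.7: position description, training records and resume on file.
    for label, present in (("position description", evaluator.has_position_description),
                           ("training records", evaluator.has_training_records),
                           ("resume", evaluator.has_resume)):
        if not present:
            findings.append(f"{evaluator.name}: {label} missing from personnel file")
    return findings


def audit_lab(evaluators: list[Evaluator], as_of: date) -> list[str]:
    """Run the check over every evaluator and collect all findings in order."""
    return [f for e in evaluators for f in check_evaluator(e, as_of)]


# Constructed sample records (hypothetical evaluators, not real personnel data).
SAMPLE_EVALUATORS = [
    Evaluator("Evaluator A", ["ATE_IND", "AVA_VAN"],
              reviews=[CompetenceReview("ATE_IND", date(2022, 3, 15), True, True, True),
                       CompetenceReview("AVA_VAN", date(2021, 6, 1), True, True, True)],  # stale
              has_position_description=True, has_training_records=True, has_resume=True),
    Evaluator("Evaluator B", ["ADV_FSP"],
              reviews=[CompetenceReview("ADV_FSP", date(2022, 5, 2), True, False, True)],  # unsigned
              has_position_description=True, has_training_records=False, has_resume=True),
]
AS_OF = date(2022, 10, 1)

if __name__ == "__main__":
    for finding in audit_lab(SAMPLE_EVALUATORS, AS_OF):
        print(finding)
```

Running it on the constructed sample prints three nonconformities: a stale AVA_VAN review, an ADV_FSP review the evaluator never countersigned, and a missing training record. A lab would feed the checker from its management system and keep the output as dated evidence for the annual competence review programme the standard asks it to describe.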

  • 7. ❑ ISO/IEC 23532 further refines these requirements: ❑ 6.2.6.1 Laboratory evaluator collectively shall have knowledge or experience for any specific technologies upon which an evaluation is conducted in ISO/IEC 19896-3:2018 ❑ 6.2.7 The evaluation laboratory shall maintain a competent administrative and technical personnel appropriate for ISO/IEC 15408- based IT security evaluations. The laboratory shall maintain position descriptions, training records, and resumes for responsible supervisory personnel and laboratory evaluators who influence the outcome of security evaluations. Introduction ISO 23532
  • 8. ❑ ISO 19896 IT security techniques — Competence requirements for information security testers and evaluators — ❑ Part 1 Introduction, concepts and general requirements ❑ Part 2 Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers ❑ Part 3 Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators ISO/IEC 19896 Structure ISO 23532 ISO 19896
  • 9. ❑ Part 1 Introduction, concepts and general requirements ❑ Elements of competence ❑ Competency levels ❑ Measurement of elements of competence ❑ Annex A: Example structures for describing competence requirements ❑ Annex B: Example records of experience and competence ISO/IEC 19896 Structure ISO 23532 ISO 19896
  • 10. ❑ Part3Knowledge,skillsandeffectivenessrequirementsforISO/IEC15408 evaluators ❑ BaselinefortheminimumcompetenceofISO/IEC15408evaluatorsfor eachelementofcompetence(knowledge,skills,experience,…) ❑ AnnexA(informative)Technologytypes:knowledgeandskills ❑ AnnexB(informative)Examplesofknowledgerequiredforevaluating SARs ❑ AnnexC(informative)Examplesofknowledgerequiredforevaluating SFRs ISO/IEC 19896 Structure ISO 23532 ISO 19896
  • 11. ❑ The standard defines 5 elements of competence and 4 competency levels ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 Knowledge Skills Experience Education Effectiveness 1
  • 12. ❑ Elements of competence ❑ Knowledge: facts, information, truths, principles of understanding acquired through experience or education ❑ Of the standard ❑ Of the testing or evaluation methods ❑ Policies and procedures of relevant approval authorities ❑ Of IT product architecture and design in relevant technology areas ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 13. ❑ Elements of competence ❑ Skills: ability to perform a task or activity with a specific intended outcome acquired through education, training, experience or other means ❑ Understanding the boundaries, documentation analysis, selection of appropriate testing methods, calibrating and using tools, build a test environment, performing testing, interpreting results, write reports, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 14. ❑ Elements of competence ❑ Experience: involvement at a practical level with projects related to the field of competence ❑ Education: process of receiving or giving systematic instruction, especially at a school or university ❑ Effectiveness: ability to apply knowledge and skills in a productive manner ❑ Accuracy of test results, ability to repeat, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 15. ❑ Competency levels ❑ Assigned for each competence area of 19896-3 ❑ Level 1 Associate: works under supervision ❑ Level 2 Professional: requires supervision in just a few areas ❑ Level 3 Manager: works unsupervised in most testing or evaluation areas, supervises level 1 and 2 ❑ Level 4 Principal: fully competent for at least one technology area, able to communicate with stakeholders, works unsupervised in all areas, supervise other levels. ❑ Overall level of competency may determine designation of professional capability: Technician/Evaluator/Senior Evaluator/Lead Evaluator ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 16. ❑ Measurements of elements of competence ❑ Measuring is mandatory, how to do it is not mandatory ❑ Knowledge: 19896-3 provides a measurable body of knowledge. ❑ We may decide who will measure: The CAB-CB? The ITSEF? Third parties? ❑ Training records and professional certifications ❑ Skills: ❑ Lab proficiency-testing programme (as required by 17025) ❑ Feedback from other skilled personnel ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 17. ❑ Measurements of elements of competence ❑ Experience: ❑ Records of projects completed ❑ Education: ❑ Certificates issued by organizations recognized as legitimate by the approval authority ❑ Effectiveness: ❑ Time needed, nonconformities, adaptability , accuracy, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 18. ❑ Provides baseline for the minimum competence of ISO/IEC 15408 evaluators for each element of competence (knowledge, skills, experience,…) ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3 Knowledge Skills Experience Education Effectiveness ISO/IEC 15408 & ISO/IEC 18045 For specific SARs For specific SFRs For specific Technologies Assurance Paradigm Information Security
  • 19. ❑ Knowledge: what an evaluator knows and can describe ❑ ISO/IEC 15408 and ISO/IEC 18045 ❑ Terms and definitions ❑ Protection profiles and packages ❑ SFRs and SARs ❑ The evaluation process ❑ Method and activities ❑ The assurance paradigm ❑ The evaluation authority: policies, recognition agreements, supporting documents, … ❑ The evaluation scheme: interpretations, guidance policies, … ❑ The lab and it’s management system: policies, process and procedures; methods; competence requirements. ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 20. ❑ Knowledge: what an evaluator knows and can describe ❑ The technology being evaluated ❑ Common security architectures for each technology type. (See Informative Annex A Technology types: Knowledge and skills, based on classical CC categories). ❑ Protection Profiles, packages and supporting documents ❑ Since it is continually evolving, it is not possible to identify requirements for each technology, but can be obtained through experience. Experience can be developed by: ❑ Education ❑ Working as a trainee ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3 ❑ Working as developer ❑ Performing research
• 21. ISO/IEC 19896 Part 3 – Knowledge: what an evaluator knows and can describe
  ❑ Each lab may define its own technology types and requirements.
  ❑ Information security: security principles, attacks, attack potential, SDLC, testing, vulnerabilities, …
  ❑ Knowledge required for SARs (see informative Annex B, Examples of knowledge for SARs)
  ❑ Knowledge required for specific SFRs (see informative Annex C, Examples of knowledge for SFRs)
• 22. ISO/IEC 19896 Part 3 – Skills: what an evaluator is able to do
  ❑ Basic evaluation skills
    ❑ Evaluation methods: sampling, analysis, recording results, …
    ❑ Evaluation tools: report generation, specialized tools
  ❑ Core evaluation skills given in ISO/IEC 15408-3 and ISO/IEC 18045
    ❑ Evaluation principles: impartiality, objectivity, repeatability, reproducibility
    ❑ Evaluation methods and activities (knowledge of the ISO/IEC 18045 verbs such as check/confirm/demonstrate/…)
  ❑ Skills required when evaluating specific SARs
    ❑ General: ability to write ORs (observation reports)
    ❑ For each assurance component, specific skills are required (mandatory)
    ❑ E.g. VAN.3: flaw hypothesis development
• 23. ISO/IEC 19896 Part 3 – Skills: what an evaluator is able to do
  ❑ Skills required when evaluating specific SFRs (mandatory)
    ❑ General: ability to understand and test for conformance and to search for vulnerabilities
    ❑ E.g. FCS: being able to determine whether cryptographic algorithms and protocols are implemented correctly
  ❑ Skills needed when evaluating specific technologies
    ❑ See informative Annex A, Technology types: knowledge and skills, based on the classical CC categories.
  ❑ As with knowledge, skills can be obtained through experience.
• 24. ISO/IEC 19896 Part 3
  ❑ Experience
    ❑ Experience is gained during the first and subsequent evaluations performed by an evaluator.
    ❑ Also during consultancy or product development
  ❑ Education
    ❑ At a minimum:
      ❑ Tertiary education with at least 3 years of IT studies
      ❑ Experience which provided equivalent knowledge, skills and effectiveness
• 25. ISO/IEC 19896 Part 3 – Effectiveness
  ❑ Timely evaluations, e.g. time needed to develop or execute a test
  ❑ Accurate evaluations, e.g. comments received during validation
  ❑ Reports contain rationales and references, with direct and focused language quickly understandable by the intended reader of the report.
• 26. ISO/IEC 19896 Part 3 – Effectiveness
  ❑ The evaluator shall be able to apply knowledge and skills in a productive manner: aptitude, initiative, enthusiasm, willingness, …
  ❑ Required evaluation principles: impartiality, objectivity, repeatability, reproducibility
  ❑ Scheme guidance and procedures are followed
• 27. ISO/IEC 19896 Part 3 – Annexes: Annex A, technology types: knowledge and skills
  ❑ Knowledge
    ❑ Knowledge required by evaluators working with specific technologies. Lists the concepts that shall be known by evaluators for each classic CC technology category:
      ❑ PPs related to the technology type
      ❑ Evaluation methods and activities related to the technology type
      ❑ Technological standards related to the technology type
    ❑ The depth of knowledge depends on the assurance classes (e.g. evaluators doing ALC may require less knowledge).
• 28. ISO/IEC 19896 Part 3 – Annexes: Annex A, technology types: knowledge and skills
  ❑ Knowledge
    ❑ E.g. Databases:
      ❑ Concepts of database management system architecture
      ❑ Access control methods
• 29. ISO/IEC 19896 Part 3 – Annexes: Annex A, technology types: knowledge and skills
  ❑ Skills
    ❑ Mostly related to ATE
    ❑ Skills required by evaluators working with specific technologies:
      ❑ Performance of the evaluation methods and activities associated with the technology type
      ❑ Being able to understand the related technological standards
    ❑ Lists the skills that evaluators shall build up for each classic CC technology category
• 30. ISO/IEC 19896 Part 3 – Annexes: Annex A, technology types: knowledge and skills
  ❑ Skills
    ❑ E.g. Databases:
      ❑ Being able to correctly configure database management system (DBMS) platforms
      ❑ Being able to use Structured Query Language (SQL) or other database query languages
• 31. ISO/IEC 19896 Part 3 – Annexes: Annex B, examples of knowledge for SARs
  ❑ Minimum knowledge required for each SAR class. E.g. ADV_ARC.1:
    ❑ Self-protection property
    ❑ Domain separation property
    ❑ Non-bypassability property
    ❑ Secure architecture and design concepts
• 32. ISO/IEC 19896 Part 3 – Annexes: Annex C, examples of knowledge for SFRs
  ❑ Minimum knowledge required for each SFR class. E.g. FCO (Communication) class:
    ❑ Proof of origin
    ❑ Non-repudiation of origin
    ❑ Non-repudiation of receipt
• 33. ISO/IEC 19896 Part 3 – Annexes (summary diagram: ISO 23532 / ISO 19896 Part 3, Annexes A, B and C)
  ❑ Technology types: knowledge and skills in Annex A (informative)
  ❑ SARs: knowledge in Annex B (informative); skills in Section 5.3 (mandatory)
  ❑ SFRs: knowledge in Annex C (informative); skills in Section 5.4 (mandatory)
• 34. How to implement in 6 easy steps?
  ❑ 1. Define each job position for each evaluator level, including the requirements in terms of competence
  ❑ 2. Record the education and experience of each evaluator
    ❑ Validate years of education or experience based on well-known personnel certifications?
  ❑ 3. Track the knowledge you transmit to your team
  ❑ 4. Assess the skills through questionnaires
  ❑ 5. Evaluate the effectiveness through internal reviews and intercomparisons
  ❑ 6. Put it all together!
• 35. Conclusions
  ❑ The ISO/IEC 19896 competency framework is a good framework, but every lab shall define its own technology types and knowledge/skills requirements, because some of them are rather "artificial", especially in Annex A.
  ❑ A competence management system can be used just to pass audits without being really useful. Lab managers already know their evaluators, but this may not scale. Garbage in, garbage out.
  ❑ It is difficult to reflect some intangible skills, like the "killer instinct" or the skill to report. There is always some subjectivity.
• 36. Contact
  jtsec Beyond IT Security
  Granada & Madrid – Spain
  hello@jtsec.es
  www.jtsec.es
  "Any fool can make something complicated. It takes a genius to make it simple." – Woody Guthrie