TURKISH COMMON CRITERIA CERTIFICATION SCHEME. Mustafa YILMAZ IT Test and Certification Department, TSE/TURKEY

Transcription

1 TURKISH COMMON CRITERIA CERTIFICATION SCHEME Mustafa YILMAZ IT Test and Certification Department, TSE/TURKEY

2 TURKISH COMMON CRITERIA CERTIFICATION SCHEME UPDATE-2015

3 Contents Organisational Updates Protection Profile Projects Completed On-going Products yet Certified On-Going Page 3

4 Brief information about TSE

5 Brief information about TSE TSE has been established in 1960 TSE prepare standards for every kind of item and products together with procedure and service. The Institute is related with Minister of Science,Industry and Technology

6 Brief information about TSE TSE is a public founding institution Its abbreviation and trademark is TSE. This mark can not be used without the permission of TSE in no way and under no condition.

7 The Task Of TSE To prepare and to get every kind of standard prepared To inspect the standards To publish the standards To perform the technical inspections and researches about standards, to follow up the resembling studies done in foreign countries,

8 The Task Of TSE To collaborate with universities and other scientific and technical associations and institutions, To conduct research on standards and to establish laboratories To train personnel in order to maintain and develop the standard works in the country and to open courses and arrange seminars To perform studies about metrology and calibration and to establish necessary laboratories

9 To Summarize The Services conducted by TSE Quality and System Certification Product and Service Site Certification Personnel Certification Laboratories Calibration Standard Preparation International Represantatives and Our Coorporations

10 Brief information about Information Technology Test and Certification Department

11 Aim Our aim is test and certify the organizations and products according to national and international standards.

12 Organization Chart

13 General Activities Give certificate about IT area Functional, Performance and Penetration Test about IT area Give seminar to increase public awareness Attend the CCDB,CCES,CCMC meeting to represent Turkey CCCS,attend NATO Meeting To coordinate Cyber Security Special Committe to create PP for many field Responsible for Cyber Security Action Plan 10-12

14 IT Certification Services TS ISO/IEC Common Criteria Site Security Certification TS ISO/IEC Security and Test Requirements for Cryptographic Modules TS IT- Electronic Records Management TS ISO/IEC SPICE First Level Security Certification TS ISO/IEC ITsoftware packagesquality requirements and testing TSE-PTE Penetration Tester Expert Certification Programme TS ISO/IEC Software Lıfe Cycle TS ISO/IEC System Life Cycle QWEB Certification TS ISO/IEC Ergonomics of human-system interaction

15 Certification Logos

16 Other Logos

17 TSE-Common Criteria Certification Scheme In 2003 TSE signed CCRA on behalf of Turkey as «Consuming Member» In 2005 TSE-CCCS was established. In 2008 TSE-CCCS was applied to CCRA for «Authorising member» In 2010 TSE-CCCS was assessed by CCRA «Shadow Assessment», with successful. In 2012 SCS-Turkey was established. In 2014,VPA Audit passed with success.

18 Organisational Updates CC Laboratories 4 licensed CC labs (ITSEFs) and Crypto Labs TUBITAK BİLGEM OKTEM EPOCHE&ESPRI CYGNACOM BEAM TEKNOLOJI 3 candidate ITSEFs Page 18

19 Other IT labs TUBITAK BILGEM UEKAE eid Test Laboratory METU CRYPTOLOGY Test Laboratory METU İBE Test Laboratory TUBİTAK BİLGEM YTKDM Page 19

20 Some of the trainings taken by TSE CCCS Certifiers -Cyber Security -Network Security -Cryptology -Certified Ethical Hacker -etc. Page 20

21 TSE-CCCS, Turkey CYBER SECURITY SPECIAL COMMITTEES, CYBER SECURITY SPECIAL COMMITTEES Established with govermental encourage 50 External independent Experts 25 Cyber Security projects, many of them are PPs Page 21

22 Projects within the Scope of Cyber Security Secure Web Applications Protection Profile Secure E-Commerce Protection Profile Internet Banking and Mobile Banking Security Criteria EDRMS(Electronic Document, Records Management System) Protection Profile (certified) Secure GIS (Geographic Information Systems) Protection Profile (completed) Basic Level Security Certification Site Security Certification E-Identity Protection Profile (completed) Page 22

23 Projects within the Scope of Cyber Security Secure Access Module Protection Profile (completed) Secure IC Protection Profile (completed) Embedded Operating System Protection Profile Determining Criteria for Software Developers and Test Engineers-SCRUM and ISTQB Cloud Computing Standard (completed) Healthcare Information Management Systems Protection Profile (completed) SSL Criteria Page 23

24 Projects within the Scope of Cyber Security Determining administrative criteria for companies and staff which do penetration tests (completed) Preparing Test Criteria and Security Requirements for Biometric Products and PP (completed) E-Passport PP (completed) Data Centers (System Rooms) Certification IT Products Vulnerability Gap Library Determining Technical Criteria for Penetration Tests (completed) Web Services PP (completed) Smart Meter-Gateway PP (certified) Page 24

25 Projects within the Scope of Cyber Security New Generation Cash Register Fiscal Application Software PP (certified) Mobile Application PP Central Log Management Pardus Migration Expert Certification Computer Forensics Expert Certification Page 25

26 Products Certified 34 products certified On-going 32 products are under evaluation Many products are in application Page 26

27 PPs on Evaluation Secure IC PP Healthcare Information System Software Secure Web Applications Protection Profile Secure E-Commerce Protection Profile Secure GIS (Geographic Information Systems) Protection Profile E-Identity Protection Profile (completed) Secure Access Module Protection Profile (completed) E-Passport PP (completed) Page 27

28 Licensed ITSEFs TÜBİTAK BİLGEM OKTEM License Date: Location: Kocaeli / TURKEY Contact person: Gül AYDIN EPOCHE&ESPRI License Date: Location: Madrid / SPAIN Contact person: Miguel BANON Page 28

29 Licensed ITSEFs CYGNACOM SOLUTIONS INC. License Date: Location: VA / USA Contact person: Nithya RACHAMADUGU BEAM TEKNOLOJI A.Ş. License Date: Location: Ankara / TURKEY Contact person: Mehmet ÇAKIR Page 29

30 Ongoing Evaluations (1 of 8) UKTÜM v7.01 TÜBİTAK BİLGEM UEKAE Secure IC EAL 5+ (AVA_VAN.5) ITSEF: TÜBİTAK BİLGEM OKTEM UKiS v2.2 TÜBİTAK BİLGEM UEKAE Contact based Smart Card EAL 4+ (AVA_VAN.5, ALC_DVS.2) ITSEF: TÜBİTAK BİLGEM OKTEM Z32HCD2S NATIONZ INC. Secure IC EAL 4+ (AVA_VAN.5, ALC_DVS.2) ITSEF: TÜBİTAK BİLGEM OKTEM Page 30

31 Ongoing Evaluations (2 of 8) CHANGE v1.1 E DATA New Generation Cash Register Fiscal Application Software EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM HCRX v1.1 HUGİN New Generation Cash Register Fiscal Application Software EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM Healthcare Information Management Systems Protection Profile Software EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM Page 31

32 Ongoing Evaluations (3 of 8) Secure Communication Module for Water Tracking Systems PP Secure Communication Module EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM Korugan UTM COMODO Unified Threat Management EAL 2+ (ALC_FLR.2) ITSEF: BEAM TEKNOLOJI Crunchy Enterprise PostgreSQL Database Management System EAL 2+ (ALC_FLR.2) CYGNACOM SOLUTIONS Page 32

33 Ongoing Evaluations (4 of 8) PFAS v1.2 New Generation Cash Register Fiscal Application Software EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM SIEM GUI v1.1.6 with NATEK SIEM Server NATEK Security Information and Event Management EAL 3 ITSEF: TÜBİTAK BİLGEM OKTEM Toshiba nf Fiscal Microcode v0.9 POS Perakende EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM Page 33

34 Ongoing Evaluations (5 of 8) Wincor Nixdorf Beetle (OptiPOS) WINCOR NIXDORF EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM Application Firmware of Secure Smartcard Reader for National Electronic Identity Verification System Protection Profile Security Information and Event Management EAL 4+ (ALC_DVS.2) ITSEF: TÜBİTAK BİLGEM OKTEM AKiS v2.2.7n TÜBİTAK BİLGEM OKTEM EAL 4+ (ALC_DVS.2) ITSEF: TÜBİTAK BİLGEM OKTEM Page 34

35 Ongoing Evaluations (6 of 8) Netsafe Management Software Netsafe EAL 4+ (ALC_FLR.2) ITSEF: BEAM TEKNOLOJI Aselsan Digital Tachograph Vehicle Unit ASELSAN EAL 4+ (ATE_DPT.2, AVA_VAN.5) ITSEF: EPOCHE & ESPRI E-Belgem Electronic Documents Management System TÜBİTAK BİLGEM OKTEM EAL 3+ (ALC_DVS.2) ITSEF: TÜBİTAK BİLGEM OKTEM Page 35

36 Ongoing Evaluations (7 of 8) Datakom DTC-100 Digital Tachograph Vehicle Unit DATAKOM EAL 4+ (ATE_DPT.2, AVA_VAN.5) ITSEF: TÜBİTAK BİLGEM OKTEM Akgün Healthcare Information System AKGÜN Yazılım EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM Secure IC Protection Profile EAL 5+ (ALC_DVS.2, AVA_VAN.5) ITSEF: TÜBİTAK BİLGEM OKTEM Page 36

37 Ongoing Evaluations (8 of 8) NCR e10 ENCORE EAL 2 ITSEF: TÜBİTAK BİLGEM OKTEM Page 37

38 Protection Profiles Completed 8 PPs have been certificed PP for Smart Card Access Device Firmware IP Cash Register PP Electronic Document and Records Management Software PP Protection Profile for Smart Meter of Turkish Electricity Advanced Metering Infrastructure Page 38

39 Protection Profiles Completed 8 PPs have been certificed New Generation Cash Register Fiscal Application Software New Generation Cash Register Fiscal Application Software v1.8 New Generation Cash Register Fiscal Application Software v2.0 New Generation Cash Register Fiscal Application Software-2 v1.3 Page 39

40 On-going Protection Profiles 11 PPs are under development Page 40

41 Projects within the Scope of Cyber Security Site Security Certification Two external experts worked for this project Providing the certification of developing campus of products subjects to Common Criteria Certification An approach to reduce cost and time for CC Page 41

42 Projects within the Scope of Cyber Security First Level Security Certification Two external expert worked for this project A security evaluation program aiming simple,fast and effective evaluation Evaluation time is normally 35 man/days. Total time is 8 weeks for certification. Page 42

43 Projects within the Scope of Cyber Security Healthcare Information Management Systems PP Six external experts (in different disciplines) have been working for this project Providing a standardization on Health Informatics Systems PP is being evaluated Page 43

44 Projects within the Scope of Cyber Security Secure GIS (Geographic Information Systems) Protection Profile Two external experts have been working for this project Providing a standardization on Geographic Informatics Systems and determining minimum security requirements Page 44

45 Projects within the Scope of Cyber Security Preparing Test Criteria and Security Requirements for Biometric Products One Internal,Six external experts have been working for this project Contribution of the Establishment Turkish National Police Developing new generation biometric sensor,implementing attacks and detecting countermeasures by developing test methods Determining minimum security requriments for biometric products Preparing Protectection Profile for Biometric Products Page 45

46 Projects within the Scope of Cyber Security Cloud Computing Standard, Security Criteria Two external experts have been working for this project Developing Cloud IT standard and criteria by analysing security risks,assests. Page 46

47 Projects within the Scope of Cyber Security Ethical Hacker Certification Evaluating staff and companies which do penetration tests in terms of administrative criteria Checking if white hat hackers provide criteria or not In the scope of this certification program has been determined administrative and technical criteria for penetration tests and testers Page 47

48 Secure IC PP Projects within the Scope of Cyber Security One external expert Determining criteria for execution and storage of the embedded OS,data storage and communication with external work. Page 48

49 Projects within the Scope of Cyber Security Health Management Systems PP Five external expert Determining minimum security criteria for web-based health information sytems application software Page 49

50 Projects within the Scope of Cyber Security Pardus Migration Expert Certification Evaluating staff which manage migration to Pardus OS in governmental organizations Page 50

51 Projects within the Scope of Cyber Security Computer Forensics Experts Certification Evaluating staff and companies which do forensics examinations Project include Ministry of Justice, General Directorate of Police Page 51

52 SCS-TURKEY SMART CARD SECURITY TURKEY CONSOURTIUM, December 2012 SCS-Turkey`s Members: TSE-CCCS TÜBİTAK BİLGEM UEKAE (Smart Card Developers) TÜBİTAK BİLGEM OKTEM (ITSEF) 3 UNIVERSITIES Many developers Page 52

53 To summarise CC; 34 products certified 8 PPs are certified 32 ongoing products 11 PPs are being developed More contacts with national & international vendors Page 53

54 CRYPTO MODUL VALIDATION PROGRAM & CRYPTO ALGORITHM VALIDATION PROGRAM TSE-CMVP TSE-CAVP, Turkey ISO/IEC and ISO/IEC Crypto Modul Evaluation and Certifications Approved labs. Epoche & Espri Tübitak Bilgem OKTEM Cygnacom METU Cryptology Lab. Page 54

55 THANK YOU Mariye Umay AKKAYA Zümrüt Müftüoğlu Mustafa YILMAZ- Turkish Standards Institution IT & Common Criteria Certification Scheme, TURKEY 55