Learn from the Expert Observation during Shadow Certification Assessment

Transcription

1 Ministry of Science, Technology and Innovation Learn from the Expert Observation during Shadow Certification Assessment Nor Radziah Jusoh Malaysian Common Criteria Certification Body (MyCB) 22 July 2010 Copyright 2010 CyberSecurity Malaysia

2 Welcome to Kuala Lumpur = KL = Kay Ell Copyright 2010 CyberSecurity Malaysia 2

3 Objective To gain knowledge on the Common Criteria Arrangement Recognition (CCRA) process; To plan and execute internal audit based on CCRA s operating procedure; and To improve existing MyCC s process for Malaysia Shadow Assessment s preparation Copyright 2010 CyberSecurity Malaysia 3

4 Why Shadow Certification Assessment To determine the country/scheme (Consuming member) applying for Producing/Authorizing member comply with CCRA requirements 3 phases : preparation, site visit and report Copyright 2010 CyberSecurity Malaysia 4

5 Verdict Pass Pass plus recommendations Action required before pass Reject Copyright 2010 CyberSecurity Malaysia 5

6 CCRA Requirements 1. General Requirements 2. Administrative Structure 3. Organizational Structure 4. Certification Body s Personnel 5. Documentation and Change Control 6. Records 7. Certification Procedures 8. Accreditation and Licensing of Evaluation Facilities 9. Requirements of Evaluation Facilities 10. Quality Manual 11. Confidentiality 12. Publications 13. Appeals or Conciliation 14. Periodic Review/Annual Review 15. Misuse of Common Criteria Certificates 16. Withdrawal of Common Criteria Certificates Copyright 2010 CyberSecurity Malaysia 6

7 Background Turkish Standard Institute (TSE), Ankara, Turkey April 2010 Netherland Lead Assessor France - Assessor Malaysia - Observer Singapore - Observer Copyright 2010 CyberSecurity Malaysia 7

8 A bit about Turkish Standard Institute = TSE TSE ~ SIRIM in Malaysia Governmental and a non-profit organization Established in 1960 Perform studies encourage quality products and services in conformance with the standards and produce certifications Copyright 2010 CyberSecurity Malaysia 8

9 The one that we met President Secretary General Assistant Secretary General Head of Product Certification Center Head of Sector Certification Group Electro-Technical Sector Certification Director Auxiliary Expert of Common Criteria Quality System Officer of Electro-Technical Sector Product Certification System Management Director Product Certification System Management Personel Officer Product Certification System Management Implementation Officer Product Certification System Management Documentation Officer Product Certification System Management Training Officer CCCS System and Documents/Recording Officer and (Inspection and Certification Expert) CCCS Security Officer and (Inspection and Certification Expert) CCCS Inspection and Certification Expert Copyright 2010 CyberSecurity Malaysia 9

10 The one we assess Product Certification Center (PCC) Electrotechnical Sector Certification Directorate Common Criteria Certification Scheme (CCCS) ~ Malaysian Common Criteria Certification Body (MyCB) The Turkish Common Criteria Certification Scheme ~ The Malaysian Common Criteria Evaluation and Certification Scheme (MyCC) Copyright 2010 CyberSecurity Malaysia 10

11 Their lab TÜBĐTAK National Electronic and Cryptology Research Institute (UEKAE) Common Criteria Test Center (OKTEM) ~ Malaysian Security Evaluation Facility (MySEF) Government Established in 2001 TS ISO/IEC accreditation from TURKAK since 2005 TURKAK (Turkish Accreditation Agency) ~ Department of Standard Malaysia Trial evaluation product: Electronic Certificate Management Infrastructure (EAL 4+) National Smart Card IC (EAL 5+) Copyright 2010 CyberSecurity Malaysia 11

12 12-13 April 2010 Opening meeting Presentation of Scheme Presentation and review of personnel management procedures Presentation and review of lab accreditation & licensing process Presentation and review of confidentiality procedures and measures Discussion and interview Copyright 2010 CyberSecurity Malaysia 12

13 14 16 April 2010 Presentation and introduction of trial product certification process Review of product certifications records Discussion and interview of certifier(s) Shadow team discussions, report completion Closing meeting Copyright 2010 CyberSecurity Malaysia 13

14 Copyright 2010 CyberSecurity Malaysia 14

15 There s always room for improvement Training Common Criteria, technical and relevant softskill training Certifier s ability to challenge evaluator during certification phase Certifier s ability to challenge lab during licensing phase Hiring expert to assists certifier for specific skills during certification and licensing projects Strong procedures, manuals and guidelines along the certification process Copyright 2010 CyberSecurity Malaysia 15

16 Turkish Standard Institute April 2010 Copyright 2010 CyberSecurity Malaysia 16

17 Enjoys your lunch today *This pictures served as illustration only Copyright 2010 CyberSecurity Malaysia 17

18 Ministry of Science, Technology and Innovation Corporate Office: CyberSecurity Malaysia, Level 8, Block A, Mines Waterfront Business Park, No 3 Jalan Tasik, The Mines Resort City, Seri Kembangan, Selangor Darul Ehsan, Malaysia. T F Copyright 2010 CyberSecurity Malaysia 18