TURKISH COMMON CRITERIA CERTIFICATION SCHEME. Mustafa YILMAZ IT Test and Certification Department, TSE/TURKEY




TURKISH COMMON CRITERIA CERTIFICATION SCHEME UPDATE-2015

Contents
- Organisational Updates
- Protection Profile Projects: Completed, On-going
- Products: yet Certified, On-Going

Brief information about TSE
- TSE was established in 1960.
- TSE prepares standards for every kind of item and product, together with procedures and services.
- The Institute is related to the Ministry of Science, Industry and Technology.
- TSE is a public founding institution.
- Its abbreviation and trademark is TSE. This mark cannot be used without the permission of TSE in any way or under any condition.

The Task of TSE
- To prepare every kind of standard and to have them prepared
- To inspect the standards
- To publish the standards
- To perform technical inspections and research about standards, and to follow up similar studies done in foreign countries
- To collaborate with universities and other scientific and technical associations and institutions
- To conduct research on standards and to establish laboratories
- To train personnel in order to maintain and develop the standards work in the country, and to open courses and arrange seminars
- To perform studies on metrology and calibration and to establish the necessary laboratories

To Summarize: The Services Conducted by TSE
- Quality and System Certification
- Product and Service Site Certification
- Personnel Certification
- Laboratories
- Calibration
- Standard Preparation
- International Representatives and Our Cooperations

Brief information about Information Technology Test and Certification Department

Aim
Our aim is to test and certify organizations and products according to national and international standards.

Organization Chart

General Activities
- Give certificates in the IT area
- Functional, performance and penetration tests in the IT area
- Give seminars to increase public awareness
- Attend the CCDB, CCES and CCMC meetings to represent Turkey CCCS, attend NATO meetings
- Coordinate the Cyber Security Special Committee to create PPs for many fields
- Responsible for Cyber Security Action Plan 10-12

IT Certification Services
- TS ISO/IEC 15408 Common Criteria
- Site Security Certification
- TS ISO/IEC 19790-24759 Security and Test Requirements for Cryptographic Modules
- TS 13298 IT - Electronic Records Management
- TS ISO/IEC 15504 SPICE
- First Level Security Certification
- TS ISO/IEC 25051 IT software packages quality requirements and testing
- TSE-PTE Penetration Tester Expert Certification Programme
- TS ISO/IEC 12207 Software Life Cycle
- TS ISO/IEC 15288 System Life Cycle
- QWEB Certification
- TS ISO/IEC 9241-151 Ergonomics of human-system interaction

Certification Logos

Other Logos

TSE-Common Criteria Certification Scheme
- In 2003 TSE signed the CCRA on behalf of Turkey as a «Consuming Member».
- In 2005 TSE-CCCS was established.
- In 2008 TSE-CCCS applied to the CCRA to become an «Authorising Member».
- In 2010 TSE-CCCS was assessed in the CCRA «Shadow Assessment», with success.
- In 2012 SCS-Turkey was established.
- In 2014 the VPA audit was passed with success.

Organisational Updates: CC Laboratories
- 4 licensed CC labs (ITSEFs) and Crypto Labs
  - TUBITAK BİLGEM OKTEM
  - EPOCHE&ESPRI
  - CYGNACOM
  - BEAM TEKNOLOJI
- 3 candidate ITSEFs

Other IT labs
- TUBITAK BILGEM UEKAE eid Test Laboratory
- METU CRYPTOLOGY Test Laboratory
- METU İBE Test Laboratory
- TUBİTAK BİLGEM YTKDM

Some of the trainings taken by TSE CCCS Certifiers
- Cyber Security
- Network Security
- Cryptology
- Certified Ethical Hacker
- etc.

TSE-CCCS, Turkey: CYBER SECURITY SPECIAL COMMITTEES
- Established with governmental encouragement
- 50 external independent experts
- 25 cyber security projects, many of them PPs

Projects within the Scope of Cyber Security
- Secure Web Applications Protection Profile
- Secure E-Commerce Protection Profile
- Internet Banking and Mobile Banking Security Criteria
- EDRMS (Electronic Document, Records Management System) Protection Profile (certified)
- Secure GIS (Geographic Information Systems) Protection Profile (completed)
- Basic Level Security Certification
- Site Security Certification
- E-Identity Protection Profile (completed)
- Secure Access Module Protection Profile (completed)
- Secure IC Protection Profile (completed)
- Embedded Operating System Protection Profile
- Determining Criteria for Software Developers and Test Engineers - SCRUM and ISTQB
- Cloud Computing Standard (completed)
- Healthcare Information Management Systems Protection Profile (completed)
- SSL Criteria
- Determining administrative criteria for companies and staff which do penetration tests (completed)
- Preparing Test Criteria and Security Requirements for Biometric Products and PP (completed)
- E-Passport PP (completed)
- Data Centers (System Rooms) Certification
- IT Products Vulnerability Gap Library
- Determining Technical Criteria for Penetration Tests (completed)
- Web Services PP (completed)
- Smart Meter-Gateway PP (certified)
- New Generation Cash Register Fiscal Application Software PP (certified)
- Mobile Application PP
- Central Log Management
- Pardus Migration Expert Certification
- Computer Forensics Expert Certification

Products
Certified
- 34 products certified
On-going
- 32 products are under evaluation
- Many products are in application

PPs on Evaluation
- Secure IC PP
- Healthcare Information System Software
- Secure Web Applications Protection Profile
- Secure E-Commerce Protection Profile
- Secure GIS (Geographic Information Systems) Protection Profile
- E-Identity Protection Profile (completed)
- Secure Access Module Protection Profile (completed)
- E-Passport PP (completed)

Licensed ITSEFs
- TÜBİTAK BİLGEM OKTEM
  - License Date: 10.05.2008
  - Location: Kocaeli / TURKEY
  - Contact person: Gül AYDIN
- EPOCHE&ESPRI
  - License Date: 14.06.2012
  - Location: Madrid / SPAIN
  - Contact person: Miguel BANON
- CYGNACOM SOLUTIONS INC.
  - License Date: 14.03.2013
  - Location: VA / USA
  - Contact person: Nithya RACHAMADUGU
- BEAM TEKNOLOJI A.Ş.
  - License Date: 10.08.2015
  - Location: Ankara / TURKEY
  - Contact person: Mehmet ÇAKIR

Ongoing Evaluations
- UKTÜM v7.01 TÜBİTAK BİLGEM UEKAE Secure IC; EAL 5+ (AVA_VAN.5); ITSEF: TÜBİTAK BİLGEM OKTEM
- UKiS v2.2 TÜBİTAK BİLGEM UEKAE Contact based Smart Card; EAL 4+ (AVA_VAN.5, ALC_DVS.2); ITSEF: TÜBİTAK BİLGEM OKTEM
- Z32HCD2S NATIONZ INC. Secure IC; EAL 4+ (AVA_VAN.5, ALC_DVS.2); ITSEF: TÜBİTAK BİLGEM OKTEM
- CHANGE v1.1 E DATA New Generation Cash Register Fiscal Application Software; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- HCRX v1.1 HUGİN New Generation Cash Register Fiscal Application Software; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- Healthcare Information Management Systems Protection Profile Software; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- Secure Communication Module for Water Tracking Systems PP Secure Communication Module; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- Korugan UTM COMODO Unified Threat Management; EAL 2+ (ALC_FLR.2); ITSEF: BEAM TEKNOLOJI
- Crunchy Enterprise PostgreSQL Database Management System; EAL 2+ (ALC_FLR.2); CYGNACOM SOLUTIONS
- PFAS v1.2 New Generation Cash Register Fiscal Application Software; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- SIEM GUI v1.1.6 with NATEK SIEM Server 6.0.6 NATEK Security Information and Event Management; EAL 3; ITSEF: TÜBİTAK BİLGEM OKTEM
- Toshiba 4610-2nf Fiscal Microcode v0.9 POS Perakende; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- Wincor Nixdorf Beetle (OptiPOS) WINCOR NIXDORF; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- Application Firmware of Secure Smartcard Reader for National Electronic Identity Verification System Protection Profile Security Information and Event Management; EAL 4+ (ALC_DVS.2); ITSEF: TÜBİTAK BİLGEM OKTEM
- AKiS v2.2.7n TÜBİTAK BİLGEM OKTEM; EAL 4+ (ALC_DVS.2); ITSEF: TÜBİTAK BİLGEM OKTEM
- Netsafe Management Software Netsafe; EAL 4+ (ALC_FLR.2); ITSEF: BEAM TEKNOLOJI
- Aselsan Digital Tachograph Vehicle Unit ASELSAN; EAL 4+ (ATE_DPT.2, AVA_VAN.5); ITSEF: EPOCHE & ESPRI
- E-Belgem Electronic Documents Management System TÜBİTAK BİLGEM OKTEM; EAL 3+ (ALC_DVS.2); ITSEF: TÜBİTAK BİLGEM OKTEM
- Datakom DTC-100 Digital Tachograph Vehicle Unit DATAKOM; EAL 4+ (ATE_DPT.2, AVA_VAN.5); ITSEF: TÜBİTAK BİLGEM OKTEM
- Akgün Healthcare Information System AKGÜN Yazılım; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM
- Secure IC Protection Profile; EAL 5+ (ALC_DVS.2, AVA_VAN.5); ITSEF: TÜBİTAK BİLGEM OKTEM
- NCR e10 ENCORE; EAL 2; ITSEF: TÜBİTAK BİLGEM OKTEM

Protection Profiles Completed
8 PPs have been certified:
- PP for Smart Card Access Device Firmware
- IP Cash Register PP
- Electronic Document and Records Management Software PP
- Protection Profile for Smart Meter of Turkish Electricity Advanced Metering Infrastructure
- New Generation Cash Register Fiscal Application Software-2 1.1
- New Generation Cash Register Fiscal Application Software v1.8
- New Generation Cash Register Fiscal Application Software v2.0
- New Generation Cash Register Fiscal Application Software-2 v1.3

On-going Protection Profiles
11 PPs are under development

Projects within the Scope of Cyber Security
Site Security Certification
- Two external experts worked on this project
- Provides certification of the development campus of products subject to Common Criteria certification
- An approach to reduce cost and time for CC

Projects within the Scope of Cyber Security
First Level Security Certification
- Two external experts worked on this project
- A security evaluation program aiming at simple, fast and effective evaluation
- Evaluation time is normally 35 man/days.
- Total time is 8 weeks for certification.

Projects within the Scope of Cyber Security
Healthcare Information Management Systems PP
- Six external experts (in different disciplines) have been working on this project
- Provides standardization for Health Informatics Systems
- The PP is being evaluated

Projects within the Scope of Cyber Security
Secure GIS (Geographic Information Systems) Protection Profile
- Two external experts have been working on this project
- Provides standardization for Geographic Informatics Systems and determines minimum security requirements

Projects within the Scope of Cyber Security
Preparing Test Criteria and Security Requirements for Biometric Products
- One internal and six external experts have been working on this project
- Contribution of the Turkish National Police
- Developing a new generation biometric sensor, implementing attacks and detecting countermeasures by developing test methods
- Determining minimum security requirements for biometric products
- Preparing a Protection Profile for Biometric Products

Projects within the Scope of Cyber Security
Cloud Computing Standard, Security Criteria
- Two external experts have been working on this project
- Developing a Cloud IT standard and criteria by analysing security risks and assets

Projects within the Scope of Cyber Security
Ethical Hacker Certification
- Evaluating staff and companies which do penetration tests in terms of administrative criteria
- Checking whether white hat hackers meet the criteria
- Administrative and technical criteria for penetration tests and testers have been determined within the scope of this certification program

Projects within the Scope of Cyber Security
Secure IC PP
- One external expert
- Determining criteria for execution and storage of the embedded OS, data storage and communication with the external world

Projects within the Scope of Cyber Security
Health Management Systems PP
- Five external experts
- Determining minimum security criteria for web-based health information systems application software

Projects within the Scope of Cyber Security
Pardus Migration Expert Certification
- Evaluating staff who manage migration to Pardus OS in governmental organizations

Projects within the Scope of Cyber Security
Computer Forensics Experts Certification
- Evaluating staff and companies which do forensics examinations
- The project includes the Ministry of Justice and the General Directorate of Police

SCS-TURKEY
SMART CARD SECURITY TURKEY CONSORTIUM, December 2012
SCS-Turkey's Members:
- TSE-CCCS
- TÜBİTAK BİLGEM UEKAE (Smart Card Developers)
- TÜBİTAK BİLGEM OKTEM (ITSEF)
- 3 UNIVERSITIES
- Many developers

To summarise CC:
- 34 products certified
- 8 PPs are certified
- 32 ongoing products
- 11 PPs are being developed
- More contacts with national & international vendors

CRYPTO MODULE VALIDATION PROGRAM & CRYPTO ALGORITHM VALIDATION PROGRAM
TSE-CMVP, TSE-CAVP, Turkey
- ISO/IEC 19790 and ISO/IEC 24759: Crypto Module Evaluation and Certifications
- Approved labs:
  - Epoche & Espri
  - Tübitak Bilgem OKTEM
  - Cygnacom
  - METU Cryptology Lab.

THANK YOU
- Mariye Umay AKKAYA, uakkaya@tse.org.tr
- Zümrüt Müftüoğlu, zmuftuoglu@tse.org.tr
- Mustafa YILMAZ, mustafayilmaz@tse.org.tr
Turkish Standards Institution IT & Common Criteria Certification Scheme, TURKEY