TURKISH COMMON CRITERIA CERTIFICATION SCHEME Mustafa YILMAZ IT Test and Certification Department, TSE/TURKEY
TURKISH COMMON CRITERIA CERTIFICATION SCHEME UPDATE-2015
Contents: Organisational Updates; Protection Profile Projects (Completed, On-going); Products (Certified, On-going)
Brief information about TSE
TSE was established in 1960. TSE prepares standards for every kind of item and product, together with procedures and services. The Institute is related to the Ministry of Science, Industry and Technology.
TSE is a public founding institution. Its abbreviation and trademark is TSE. This mark cannot be used without the permission of TSE in any way or under any condition.
The Task of TSE: to prepare, and to have prepared, every kind of standard; to inspect the standards; to publish the standards; to perform technical inspections and research about standards, and to follow up similar studies done in foreign countries;
to collaborate with universities and other scientific and technical associations and institutions; to conduct research on standards and to establish laboratories; to train personnel in order to maintain and develop the standards work in the country, and to open courses and arrange seminars; to perform studies about metrology and calibration and to establish the necessary laboratories.
To summarize, the services conducted by TSE: Quality and System Certification; Product and Service Site Certification; Personnel Certification; Laboratories; Calibration; Standard Preparation; International Representatives and Our Cooperations.
Brief information about Information Technology Test and Certification Department
Aim: Our aim is to test and certify organizations and products according to national and international standards.
Organization Chart
General Activities: issuing certificates in the IT area; functional, performance and penetration tests in the IT area; giving seminars to increase public awareness; attending the CCDB, CCES and CCMC meetings to represent Turkey CCCS, and attending NATO meetings; coordinating the Cyber Security Special Committee to create PPs for many fields; responsible for Cyber Security Action Plan 10-12.
IT Certification Services: TS ISO/IEC 15408 Common Criteria; Site Security Certification; TS ISO/IEC 19790-24759 Security and Test Requirements for Cryptographic Modules; TS 13298 IT - Electronic Records Management; TS ISO/IEC 15504 SPICE; First Level Security Certification; TS ISO/IEC 25051 IT software packages quality requirements and testing; TSE-PTE Penetration Tester Expert Certification Programme; TS ISO/IEC 12207 Software Life Cycle; TS ISO/IEC 15288 System Life Cycle; QWEB Certification; TS ISO/IEC 9241-151 Ergonomics of human-system interaction.
Certification Logos
Other Logos
TSE-Common Criteria Certification Scheme: In 2003 TSE signed the CCRA on behalf of Turkey as «Consuming Member». In 2005 TSE-CCCS was established. In 2008 TSE-CCCS applied to CCRA for «Authorising member». In 2010 TSE-CCCS was successfully assessed in the CCRA «Shadow Assessment». In 2012 SCS-Turkey was established. In 2014, the VPA Audit was passed with success.
Organisational Updates: CC Laboratories. 4 licensed CC labs (ITSEFs) and Crypto Labs: TUBITAK BİLGEM OKTEM, EPOCHE&ESPRI, CYGNACOM, BEAM TEKNOLOJI. 3 candidate ITSEFs.
Other IT labs: TUBITAK BILGEM UEKAE eID Test Laboratory; METU CRYPTOLOGY Test Laboratory; METU İBE Test Laboratory; TUBİTAK BİLGEM YTKDM.
Some of the trainings taken by TSE CCCS Certifiers: Cyber Security, Network Security, Cryptology, Certified Ethical Hacker, etc.
TSE-CCCS, Turkey: CYBER SECURITY SPECIAL COMMITTEES. Established with governmental encouragement; 50 external independent experts; 25 Cyber Security projects, many of them PPs.
Projects within the Scope of Cyber Security: Secure Web Applications Protection Profile; Secure E-Commerce Protection Profile; Internet Banking and Mobile Banking Security Criteria; EDRMS (Electronic Document, Records Management System) Protection Profile (certified); Secure GIS (Geographic Information Systems) Protection Profile (completed); Basic Level Security Certification; Site Security Certification; E-Identity Protection Profile (completed);
Secure Access Module Protection Profile (completed); Secure IC Protection Profile (completed); Embedded Operating System Protection Profile; Determining Criteria for Software Developers and Test Engineers-SCRUM and ISTQB; Cloud Computing Standard (completed); Healthcare Information Management Systems Protection Profile (completed); SSL Criteria;
Determining administrative criteria for companies and staff which do penetration tests (completed); Preparing Test Criteria and Security Requirements for Biometric Products and PP (completed); E-Passport PP (completed); Data Centers (System Rooms) Certification; IT Products Vulnerability Gap Library; Determining Technical Criteria for Penetration Tests (completed); Web Services PP (completed); Smart Meter-Gateway PP (certified);
New Generation Cash Register Fiscal Application Software PP (certified); Mobile Application PP; Central Log Management; Pardus Migration Expert Certification; Computer Forensics Expert Certification.
Products. Certified: 34 products certified. On-going: 32 products are under evaluation; many products are in application.
PPs under Evaluation: Secure IC PP; Healthcare Information System Software; Secure Web Applications Protection Profile; Secure E-Commerce Protection Profile; Secure GIS (Geographic Information Systems) Protection Profile; E-Identity Protection Profile (completed); Secure Access Module Protection Profile (completed); E-Passport PP (completed).
Licensed ITSEFs: TÜBİTAK BİLGEM OKTEM (License Date: 10.05.2008; Location: Kocaeli / TURKEY; Contact person: Gül AYDIN); EPOCHE&ESPRI (License Date: 14.06.2012; Location: Madrid / SPAIN; Contact person: Miguel BANON);
CYGNACOM SOLUTIONS INC. (License Date: 14.03.2013; Location: VA / USA; Contact person: Nithya RACHAMADUGU); BEAM TEKNOLOJI A.Ş. (License Date: 10.08.2015; Location: Ankara / TURKEY; Contact person: Mehmet ÇAKIR).
Ongoing Evaluations (1 of 8): UKTÜM v7.01 TÜBİTAK BİLGEM UEKAE Secure IC, EAL 5+ (AVA_VAN.5), ITSEF: TÜBİTAK BİLGEM OKTEM; UKiS v2.2 TÜBİTAK BİLGEM UEKAE Contact based Smart Card, EAL 4+ (AVA_VAN.5, ALC_DVS.2), ITSEF: TÜBİTAK BİLGEM OKTEM; Z32HCD2S NATIONZ INC. Secure IC, EAL 4+ (AVA_VAN.5, ALC_DVS.2), ITSEF: TÜBİTAK BİLGEM OKTEM.
Ongoing Evaluations (2 of 8): CHANGE v1.1 E DATA New Generation Cash Register Fiscal Application Software, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM; HCRX v1.1 HUGİN New Generation Cash Register Fiscal Application Software, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM; Healthcare Information Management Systems Protection Profile Software, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM.
Ongoing Evaluations (3 of 8): Secure Communication Module for Water Tracking Systems PP Secure Communication Module, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM; Korugan UTM COMODO Unified Threat Management, EAL 2+ (ALC_FLR.2), ITSEF: BEAM TEKNOLOJI; Crunchy Enterprise PostgreSQL Database Management System, EAL 2+ (ALC_FLR.2), CYGNACOM SOLUTIONS.
Ongoing Evaluations (4 of 8): PFAS v1.2 New Generation Cash Register Fiscal Application Software, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM; SIEM GUI v1.1.6 with NATEK SIEM Server 6.0.6 NATEK Security Information and Event Management, EAL 3, ITSEF: TÜBİTAK BİLGEM OKTEM; Toshiba 4610-2nf Fiscal Microcode v0.9 POS Perakende, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM.
Ongoing Evaluations (5 of 8): Wincor Nixdorf Beetle (OptiPOS) WINCOR NIXDORF, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM; Application Firmware of Secure Smartcard Reader for National Electronic Identity Verification System Protection Profile Security Information and Event Management, EAL 4+ (ALC_DVS.2), ITSEF: TÜBİTAK BİLGEM OKTEM; AKiS v2.2.7n TÜBİTAK BİLGEM OKTEM, EAL 4+ (ALC_DVS.2), ITSEF: TÜBİTAK BİLGEM OKTEM.
Ongoing Evaluations (6 of 8): Netsafe Management Software Netsafe, EAL 4+ (ALC_FLR.2), ITSEF: BEAM TEKNOLOJI; Aselsan Digital Tachograph Vehicle Unit ASELSAN, EAL 4+ (ATE_DPT.2, AVA_VAN.5), ITSEF: EPOCHE & ESPRI; E-Belgem Electronic Documents Management System TÜBİTAK BİLGEM OKTEM, EAL 3+ (ALC_DVS.2), ITSEF: TÜBİTAK BİLGEM OKTEM.
Ongoing Evaluations (7 of 8): Datakom DTC-100 Digital Tachograph Vehicle Unit DATAKOM, EAL 4+ (ATE_DPT.2, AVA_VAN.5), ITSEF: TÜBİTAK BİLGEM OKTEM; Akgün Healthcare Information System AKGÜN Yazılım, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM; Secure IC Protection Profile, EAL 5+ (ALC_DVS.2, AVA_VAN.5), ITSEF: TÜBİTAK BİLGEM OKTEM.
Ongoing Evaluations (8 of 8): NCR e10 ENCORE, EAL 2, ITSEF: TÜBİTAK BİLGEM OKTEM.
Protection Profiles Completed: 8 PPs have been certified. PP for Smart Card Access Device Firmware; IP Cash Register PP; Electronic Document and Records Management Software PP; Protection Profile for Smart Meter of Turkish Electricity Advanced Metering Infrastructure;
New Generation Cash Register Fiscal Application Software-2 1.1; New Generation Cash Register Fiscal Application Software v1.8; New Generation Cash Register Fiscal Application Software v2.0; New Generation Cash Register Fiscal Application Software-2 v1.3.
On-going Protection Profiles: 11 PPs are under development.
Projects within the Scope of Cyber Security: Site Security Certification. Two external experts worked on this project. Providing certification of the development campus of products subject to Common Criteria Certification. An approach to reduce cost and time for CC.
First Level Security Certification: Two external experts worked on this project. A security evaluation program aiming at simple, fast and effective evaluation. Evaluation time is normally 35 man/days. Total time is 8 weeks for certification.
Healthcare Information Management Systems PP: Six external experts (in different disciplines) have been working on this project. Providing standardization for Health Informatics Systems. The PP is being evaluated.
Secure GIS (Geographic Information Systems) Protection Profile: Two external experts have been working on this project. Providing standardization for Geographic Informatics Systems and determining minimum security requirements.
Preparing Test Criteria and Security Requirements for Biometric Products: One internal and six external experts have been working on this project. Contribution of the Turkish National Police. Developing a new generation biometric sensor, implementing attacks and detecting countermeasures by developing test methods. Determining minimum security requirements for biometric products. Preparing a Protection Profile for Biometric Products.
Cloud Computing Standard, Security Criteria: Two external experts have been working on this project. Developing a Cloud IT standard and criteria by analysing security risks and assets.
Ethical Hacker Certification: Evaluating staff and companies which do penetration tests in terms of administrative criteria. Checking whether white hat hackers meet the criteria. Within the scope of this certification program, administrative and technical criteria for penetration tests and testers have been determined.
Secure IC PP: One external expert. Determining criteria for execution and storage of the embedded OS, data storage and communication with the external world.
Health Management Systems PP: Five external experts. Determining minimum security criteria for web-based health information systems application software.
Pardus Migration Expert Certification: Evaluating staff who manage migration to Pardus OS in governmental organizations.
Computer Forensics Experts Certification: Evaluating staff and companies which do forensics examinations. The project includes the Ministry of Justice and the General Directorate of Police.
SCS-TURKEY: SMART CARD SECURITY TURKEY CONSORTIUM, December 2012. SCS-Turkey's Members: TSE-CCCS; TÜBİTAK BİLGEM UEKAE (Smart Card Developers); TÜBİTAK BİLGEM OKTEM (ITSEF); 3 universities; many developers.
To summarise CC: 34 products certified; 8 PPs are certified; 32 ongoing products; 11 PPs are being developed; more contacts with national & international vendors.
CRYPTO MODULE VALIDATION PROGRAM & CRYPTO ALGORITHM VALIDATION PROGRAM: TSE-CMVP, TSE-CAVP, Turkey. ISO/IEC 19790 and ISO/IEC 24759: Crypto Module Evaluation and Certifications. Approved labs: Epoche & Espri; Tübitak Bilgem OKTEM; Cygnacom; METU Cryptology Lab.
THANK YOU. Mariye Umay AKKAYA (uakkaya@tse.org.tr), Zümrüt Müftüoğlu (zmuftuoglu@tse.org.tr), Mustafa YILMAZ (mustafayilmaz@tse.org.tr). Turkish Standards Institution, IT & Common Criteria Certification Scheme, TURKEY