Challenges in the Information Age




Federal Office for Information Security
The Role of the BSI in the German IT-Security Market

Agenda:
- Challenges in the Information Age
- Office History, Tasks and Services
- Information & Awareness Programme
- Baseline Security
- Product Certification
- Projects with Industry on IT-Security

Bernd Kowalski, Bundesamt für Sicherheit in der Informationstechnik (BSI), Federal Office for Information Security
San Francisco, February 23rd 2004
Bernd Kowalski 23.02.2004 Folie 1

Challenges in the Information Age: ICT changes social and commercial structures
- ICT has a major impact on the national economy.
- Business infrastructures depend on the reliability of ICT.
- e-business and e-government redefine the relationship to business partners, customers and citizens.
- Electronic Funds Transfer and e-payment replace banknotes and other traditional payment systems.
- Smartcards & Biometrics push electronic passport management.
- ICT is essential to manage all national critical infrastructures like traffic, energy, chemical, healthcare, telco, emergency etc.
- Providing reliability and control of national ICT infrastructures will be a question of national security and sovereignty.

Challenges in the Information Age: Threats to National ICT Infrastructures
- Security weaknesses in IT systems.
- Difficulty of detecting attacks and attackers.
- Security investments jeopardize commercial success.
- More than 80% of critical IT infrastructures are private.
- Difficulty of national regulations in a global competitive environment.
- IT infrastructures are highly interdependent, e.g. weaknesses of customers' / citizens' systems may be used to attack industrial or governmental systems (DDoS).

Challenges in the Information Age: German Government Initiatives
- Define security of information systems as a part of national security.
- Rules for the certification and approval of IT security systems.
- Provide services for the security of government IT systems.
- Support industry and citizens to increase their IT security level.
- Commit to Public Private Partnerships (PPPs) to increase the security of critical national IT infrastructures.
- Provide for a strong and independent IT security industry.

Office History and Structure: History and Figures
- Office founded by law in 1991.
- Associated with the Federal Ministry of the Interior.
- Annual budget: 45 million.
- Employees: 380.
- Location: Bonn.
The BSI is the German Federal IT Security Authority, associated with national and international partners in the field of cryptography, Internet security and certification.

Tasks and Services: Tasks by Law
- Analysis of IT threats and risks.
- Improve national IT security in cooperation with industry.
- Security evaluation and certification of IT systems.
- Provide the protection of classified information.
- Operation of central security services like key management.

Tasks and Services: BSI as a part of the national IT-Security Environment
[Diagram: the BSI within the national IT security environment; labels on the slide: Federal Government, Suppliers, National IT-Infrastructure, Partners, Citizens / Public Sector / Industry, and the relations Directives, Deliverables, Initiatives and Services.]

Tasks and Services: Services
Citizens (consuming IT security):
- Web portal service www.bsi-für-bürger.de, information about Internet security issues.
Government & Industry (consuming IT security):
- Baseline security standard Grundschutz, for corporate IT infrastructures with medium-level requirements.
- Critical Information Infrastructure Protection: provide means for extraordinary security events.
- Warning & alerting services in case of security events: Federal CERT serving the German Federal Government.
- Devices & services to protect classified communication in government & industry.
- Counter-eavesdropping services & standards for the Federal Government, incl. physical, emission and mobile security.
Manufacturers & Service Providers (offering IT security):
- Security certification & approval of IT products & systems.

Information & Awareness Programme: IT security situation in Germany
IT market:
- Total market: 12 billion; security: 1.2 billion; government: 25% each.
IT penetration:
- 52% of households have a PC; 44% have Internet access; 32 million people are online.
IT threats:
- Increasing IT dependency, data privacy, viruses & spam.
- Computer crime: 57,000 cases in 2002 (BKA, Federal Bureau of Criminal Investigation).

Information & Awareness Programme: Citizen Awareness Programme
BSI provides information for different target groups:
- Citizens (general): www.bsi-fuer-buerger.de = web portal + CD-ROM.
- Children & teens: (new project).
Partner communication channels:
- Other print & online media.
- Manufacturers like Fujitsu-Siemens.
- D21 PPP programme.

[Figure (German ITSEC slide): evaluation levels E1 to E6 ("E-Stufen") and strength of mechanisms ("Mechanismenstärke": high, medium, low), plotted as assurance ("Vertrauen") versus functionality ("Funktionalität"). Level labels on the figure: architecture, detailed design, source code, testing of the mechanisms, configuration control system, close correspondence between detailed design and source code, security model, semi-formal development methods, formal development methods.]

Information & Awareness Programme: Small & Medium Enterprises and Administrations
- Public administration: e-government manual, www.e-government-manual.de
- Private businesses: IT baseline protection manual, www.bsi.bund.de/gshb

IT Baseline Protection: Introduction
Problems and motivation:
- Increasing number of IT security incidents with loss of business.
- Limited corporate IT budgets and competence, esp. in SMEs.
- Business partners want to check the IT security level of cooperating institutions by an independent method.
- Traditional risk analysis methods are complex & not reusable.
Objectives:
- IT security guidelines applicable & affordable for standard IT infrastructures.
Method:
- Define standard types of IT components, threats & safeguards.
- Give practical advice on how to implement these safeguards.
Result:
- Modular concept: threat & safeguard catalogue per component.
- Applicable to common IT infrastructures in public & private sectors.

IT Baseline Protection: Tools
- General Guideline: overview and awareness programme for CEOs.
- Handbook: available in CD, online and printed format.
- Software Toolkit: menu-based planning tool; gets you to your individual security solution.
- Web Tutorial: provides an overview of baseline protection, introduces the concept of the SW toolkit, available on the Web.
www.bsi.bund.de/gshb

Product Certification: Objectives
- Evaluation of security features of IT products.
- Improve both security and quality of IT infrastructures.
- Independent and trustworthy product evaluation and certification.
- Consideration of national security requirements.
- Strategic support for the national IT security industry.
Legal framework:
- BSI is the national authority for the German certification scheme.
- No general legal obligation to purchase certified products, except: approval of products for the processing of classified information.

Product Certification: Why should manufacturers apply for a certificate?
- Improve product quality and security.
- Use the public product certificate for product marketing.
- Government requirements in certain areas: German Signature Law, EU and NATO directives etc.
Why should buyers request a certified product?
- The product has been evaluated by an independent, accredited body.
- The manufacturer is responsible for the evaluation expenses, not the buyer.
- The certificate may help to provide evidence for resistance against certain threats.

Product Certification: History of Certification Criteria
- 1985: US Orange Book. IT security acquisition requirements from the US DoD for special systems.
- 1989: The BSI Greenbook for Germany.
- 1991: European Information Technology Security Evaluation Criteria (ITSEC).
  [Image: cover of "Kriterien für die Bewertung der Sicherheit von Systemen der Informationstechnik (ITSEC)", June 1991]
- 1999: Common Criteria (CC) V2.1, the first agreed international certification standard, published under ISO/IEC 15408.
  [Image: cover of "Common Criteria for Information Technology Security Evaluation, Part I: Introduction and general model", May 1998, Version 2.0, CCIB-98-026]

Product Certification: The Common Criteria Community
CCRA = Common Criteria Recognition Arrangement
Certificate producing and accepting nations:
- DSD, Australia / New Zealand
- BSI, Germany
- DCSSI, France
- CESG, United Kingdom
- CSE, Canada
- NIAP, USA
Certificate accepting nations:
- Hungary, Finland, Greece, Israel, Italy, Netherlands, Norway, Spain, Sweden, Austria, Turkey

Product Certification: Contributors in the Certification Procedure
Manufacturer:
- requests a certificate
- provides complete product documentation
Evaluation Facility:
- design evaluation, penetration tests
- audits in development and production
- evaluation report to the certification body
Certification body:
- develops certification criteria together with CCRA partners
- accepts the evaluation report, issues the product certificate

Product Certification: Product Certificates recently issued by the BSI
- Infineon smartcard controller (Smart Card IC SLE66CX322P)
- Gemplus smart card operating system (GemXpressoPro E64PK)
- SuSE operating system (Linux)
- IBM operating systems, Directory Server, Tivoli
- Microsoft firewall
- GeNUA firewall
- Utimaco PC security products
- Renesas (Hitachi) smartcard controller (AE43C Version 01)
- Philips smartcard controller (P16WX064V0C)
- G + D Tachosmart Card (STARCOS 2.4 Tach.Card Applic.)

Product Certification: European Projects with obligations to apply CC certification
- EU Commission: Digital Tachograph, legally binding Directive
- NATO: several activities
- Multilateral Defense: several projects
- UN: Principles on Critical Infrastructure Protection
- D (Germany): several governmental projects, German Digital Signature Law

Product Certification: US Government Obligations to use CC Certification
FACT SHEET, NSTISSP No. 11, National Information Assurance Acquisition Policy: "By July 2002 - the acquisition of all COTS IA and IA-enabled IT products to be used on systems specified, shall be limited only to those which have been evaluated and validated [acc. to CC, NIST/NSA/NIAP or FIPS program]."
Legend:
- COTS: Commercial off-the-shelf
- IA: Information Assurance
- NSTISSP: National Security Telecommunications and Information Systems Security Policy
- CCRA: Common Criteria Recognition Arrangement
The US Directive No. 11 might have a significant future impact on the global IT market.

Projects with Industry on IT-Security: Selected Projects from the National PPP Programme
- IVBB: voice & data network for the federal government.
- Root Certification Authority (CA) for German governments.
- European Bridge CA for secure communication between government and industry.
- Federal CERT community with large and medium enterprises.
- Others on smartcards, biometrics etc.

Contact
Thank You for Your Attention!
Bernd Kowalski
Bundesamt für Sicherheit in der Informationstechnik
Godesberger Allee 185-189
53175 Bonn
Phone: +49 0 228 9582-700
Fax: +49 0 228 9582-455
Bernd.Kowalski@bsi.bund.de
www.bsi.de