1 Omissions and errors in the CC Who got it right? 8ICCC Denise Cater

Upload: rhoda-hunter

Post on 12-Jan-2016


Page 1

Omissions and errors in the CC
Who got it right?

8ICCC
Denise Cater

Page 2

Security Standards

ISO alone have issued:
• ISO15408 – Common Criteria
• ISO19092 – Financial Service – Security
• ISO19790 – Security Requirements for Cryptographic modules (FIPS 140)
• ISO27001 – Information Security Management
• ISO27002 (formerly ISO 17799) – ISMS best practice

Page 4

Many standards: One CC

• Catalogue of security components:
  – Functional
  – Assurance
• Focus on repeatability
  – Voluminous guidance for consistent application
  – Scheme rules and interpretations

= “Heavy” process

Page 5

Payment Industry Security Standards

• Payment Card Industry (PCI) Data Security Standard
• EMV (Europay, Mastercard, Visa) Specifications
• APACS PIN Entry Device PP

Page 6

APACS application of CC

• Own Certification Body
  – Appointment of labs
  – Issuing of certificates
• Focus on CC
  – Less emphasis on CEM
• Concentration of efforts
  – Design and testing seen as paramount
  – Procedural requirements seen as supporting

Page 7

Smartcard Industry

• Developed PPs
• Generated own interpretations
  – Adopted as CC Supporting Documents
  – Included own Attack Potential Table
• Examples of Smartcard Specific Attacks

Page 8

Smartcard Industry

• Took the CC and gave specific guidance for their industry
• A lot of focus placed on penetration testing
• Identified additional stages in lifecycle/delivery

Page 9

Adapt to Adopt

• Both industries have made changes to use CC
  – Interpretations
  – Greater emphasis in some areas, less in others

Page 10

Who got it right?

• The CC of course!
  – Providing a catalogue that Industry and other schemes can draw upon
• But, also Industry/other schemes
  – Focus on areas of specific interest
  – Light-touch on other areas

Page 11

Who got it wrong?

• Those who requested EALs to be included in CC (for backwards compatibility)
  – Led to “incorrect” use of CC
  – Initially fewer PPs developed, as effort just concentrated on assurance level

Page 12

Who got it wrong?

• Authors of the CEM or CC Schemes?
  – Too prescriptive
  – Forcing evaluators to complete work units at a level of detail that is not always necessary
  – Time spent on “meeting the CEM” that would be better spent on testing and vulnerability analysis

Page 13

In summary

• CC got it right
• CC got it wrong

But, Industry can adapt the CC to adopt it

Page 14

Thank you

Denise Cater
[email protected]