Establishing Standards and Certification for IT Products
(L-R) Mr. Sujith Haridas, DDG, CII; Mr. Kiran Karnik, Chairman, CII National Committee on Telecom and Broadband and Chairman, ICCC India Steering Committee; Dr. Gulshan Rai, Director General, ICCC; and Mr. N E Prasad, Director General, STQC, addressing industry members during the first ICCC Steering Committee meeting in New Delhi.
India Accepted as Certificate Authorizing Nation
On August 30th 2013, the CCRA Management Committee voted 'yes' to accept India as a certificate authorizing participant in the CCRA. India, along with 16 other countries, is now a member of the CCRA as a certificate authorizing nation. Under Article 1 of the CCRA, certificates issued by one member country are accepted by the other member countries without re-certification. Only a government body can act as a country's Certification Body; in India, DEITY/STQC is the certification body. With this acceptance, 17 certificate authorizing schemes operate under the CCRA.
What is Common Criteria?
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently at version 3.1, revision 4. The Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet those claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
Common Criteria is used as the basis for government-driven certification schemes, and evaluations are typically conducted for the use of government agencies and critical infrastructure.
Where can Common Criteria be applied?
Common Criteria can be applied to the evaluation of any IT product or system against a defined set of security requirements.
Common Criteria Evaluation and Certification
A Common Criteria evaluation is an impartial assessment of an IT product by an independent body. This gives users of such products confidence in the security functionality provided. It also gives users a metric for comparing the security capabilities of products they intend to buy. The IT product under evaluation is referred to as the Target of Evaluation (TOE). Certification provides independent confirmation of the validity of the evaluation results, thereby ensuring comparability of these results across all evaluations under the scheme and facilitating mutual recognition of results between national schemes. Certification confirms that the TOE meets its security target at the claimed assurance level and that the evaluation has been conducted in accordance with the standard of the scheme, i.e. Common Criteria (ISO/IEC 15408). Participation in the scheme and its associated evaluation and certification activities is strictly voluntary (unless mandated by government policy or regulations). In addition, organizations may undertake alternative activities that use Common Criteria to demonstrate product conformance to IT security requirements.
Objectives and Certification Body in India
The Certification Body is the STQC Directorate, Department of Electronics and Information Technology, Govt. of India. The Certification Body has been established under the official administration procedures of the Govt. of India to meet the requirements of ISO Guide 65.
The Department of Electronics and Information Technology, STQC Directorate, has the following objectives in developing, operating and maintaining the Common Criteria based IT Security Evaluation and Certification Scheme:
- To meet the needs of government and industry for cost-effective evaluation of IT products;
- To encourage the formation of commercial security testing laboratories;
- To ensure that security evaluations of IT security products are performed to consistent standards;
- To improve the availability of evaluated IT security products.
Common Criteria is the driving force behind the widest available mutual recognition of secure IT products. Common Criteria (CC) grew out of the desire of the governments of Canada, France, Germany, the Netherlands, the UK and the U.S. to unify the security evaluation standards that existed in the mid-1990s. By unifying security evaluation criteria, the objective was to avoid re-evaluation of products addressing international markets.
The Common Criteria Recognition Arrangement (CCRA) was designed to bring about a situation in which IT products and protection profiles that earn a Common Criteria certificate can be procured or used without the need for further evaluation. It seeks to provide grounds for confidence in the reliability of the judgements on which the original certificate was based by requiring that a Certification/Validation Body (CB) issuing Common Criteria certificates meet high and consistent standards.
Value and benefits of certification
Common Criteria certification cannot guarantee security, but it can ensure that claims about the security attributes of the evaluated product were independently verified. In other words, products evaluated against the Common Criteria standard exhibit a clear chain of evidence that the process of specification, implementation and evaluation has been conducted in a rigorous and standard manner.
The scheme is intended to serve many communities of interest with very diverse roles and responsibilities:
- IT product developers,
- IT security product vendors,
- Value-added resellers of IT security products,
- Systems integrators for IT security infrastructure,
- IT security researchers,
- Acquisition/procurement authorities of IT security products,
- Consumers of IT security products.
CC Evaluation Centers in India
The Government of India, Ministry of Communications & IT, Department of Electronics and Information Technology has set up a test centre in Kolkata.
CC Evaluation Centre: ERTL(E), Block-DN, Sector-V, Salt Lake, Kolkata-700091
Some of the global products certified at the Common Criteria Test Laboratory, ERTL(EAST), Kolkata, India, are:
- Router Operating System SEOS, version 11.1.2.3, release no. 713, running on Ericsson SmartEdge Series Routers SE100, SE600, SE1200 and SE1200H, by Ericsson India Private Limited;
- Fort Fox Hardware Data Diode (FFHDD), by FOX-IT BV;
- Network Operating System Software (NOS), by Hewlett Packard India Ltd.