The Common Criteria Users Forum is inviting representatives from Canadian government agencies to participate in a free round-table discussion about how the information assurance requirements of Canadian government agencies can be incorporated in international standards for IT security and the evaluation of IT products.
Specifically, we are hoping to engage individuals who have a working-level understanding of government IT security standards, procurement policies, or certification and accreditation, in a discussion about how Canadian government agencies can provide input into the development of Common Criteria Protection Profiles for IT products.
Note that we will not be discussing specific requirements, it is not a commercial or sales event, and there is no fee or obligation for attending. While this event is intended for Canada, the CCUF is looking to expand to other geographies.
Date, time, and location:
The meeting is being held on Friday, 17 May 2013 from 10:30 AM to noon, at Oracle, 45
O’Connor St Ottawa, ON K1P 1A4.
10:30 to 10:45 — Welcome and introductions
10:45 to 11:00 — A brief introduction to the Common Criteria and the CCUF
11:00 to noon — Round-table discussion
Read More »
Tags: CC, CCRA, CCUF, CEM, Common Criteria, Common Criteria Portal, Protection Profiles
Today more than ever, networks are transforming the way organizations operate and are touching more people through a wider range of devices than ever before. Achieving a secure infrastructure is increasingly complex with today’s mobility, collaboration and cloud services added to the mix. These new capabilities offer much operational efficiency and reduce costs, but they also introduce additional risk to the network. Read More »
Tags: certifications, Common Criteria, cybersecurity, Gene Keeling
On September 19 at Progress Report from the Supply Chain Security Technical Working Group (September 19 2012), a status report was presented from the Supply Chain Security Technical Work Group which was formed in March 2012 with the approval of the Common Criteria Development Board, in order to produce a Common Criteria Supporting Document that technical communities can use and adapt for their protection profiles.
The information and communications technology (ICT) supply chain has become increasingly complex, with logically long and geographically diverse routes, including multiple tiers of outsourcing. This leads to a significant increase in the number of organizations and individuals who “touch” a product, and thus, increase the likelihood that a product’s integrity will be compromised. Ensuring that ICT products from commercial software and hardware providers are free from vulnerabilities introduced via the product developer’s supply chain is an increasing concern which has manifested in proposed legislation and draft government regulations, as well as publicized attacks.
Exacerbating those concerns is the fact that awareness of supply chain risks and potential mitigations is not widely shared within the ICT industry, academia, government regulators, and product acquirers.
The product life cycle and its corresponding supply chain aspects extend from design to sourcing, manufacturing, distribution, delivery, installation, support, and end-of-life. Each stage presents potential threats of attack: the introduction of counterfeit products or components; elements of product taint, for example via malware or an integrity breach; disruptions to logistics and delivery; as well as tampered communications between the product developer and the customer or the customer and supplier.
The initial Supply Chain Security Supporting Document will describe several of these threats in more detail, specify additional threats, suggest assurance requirements, and recommend best practices for product manufacturers, evaluators, certifiers and end users.
As communities incorporate targeted material from the Supply Chain Supporting Document in protection profiles and vendors complete Common Criteria security evaluations against those protection profiles, customers will gain additional assurance of the product developer’s actions to secure their supply chain, and confidence in the manufactured product they are receiving; all under the globally accepted Common Criteria framework.
Tags: CC, Common Criteria, ICCC, secure supply chain
More and more, we ask technology to play critical roles in our businesses, and our lives. Pondering that for a moment, that dependance (versus use), requires careful thought on how much we trust that the technology is working as we want it, only as we want it, and nothing more. For many businesses or governments, testing via FIPS or Common Criteria increases that confidence level, combined with detailed operational plans to ensure running the services after they are installed is going correctly. For many technology vendors, innovation and commitment, can help here.
Our commitment at Cisco, and our innovation, for trustworthiness have never been stronger than they are today. Nearly 5 years ago, we started down a road which ultimately led to Cisco’s Secure Development Lifecycle (CSDL), and in our most recent FY12 SEC 10-K, acknowledged that work, our secure supply chain work, and our innovation efforts for Secure Boot and Anti-Tamper. For reference, that 10K, or 2012 Annual Report, is posted here: http://investor.cisco.com/
We foresaw the need for trustworthiness by listening to our customers, and we started early. Early results are in, and we’ve both reduced externally found security flaws, as well as increased the resiliency for multiple products anti-tamper. Have we done it on every product? Not yet, although rest assured, that’s exactly where we are going. I’ll keep you posted.
Tags: Common Criteria, CSDL, CSO, fips, John Stewart, secure development, secure supply chain, trustworthy systems
Last week I attended the ICCC in Paris where Ashit Vora, Manager, Security Assurance, Cisco discussed the Cloud and how Common Criteria can be used to help mitigate threats. The following is an excerpt from his presentation and food for thought on Cloud security.
More and more enterprises, including governments are moving their data “to the Cloud” in the hopes of saving infrastructure and maintenance costs. But is this at the risk of security? As both private and public Clouds become pervasive, security is going to be a major concern. Cloud infrastructure by definition has large amounts of information including proprietary information, competitive information, information of different classification levels, etc. In addition, the types of mechanism available to access the information in the Cloud, such as B.Y.O.D. (Bring Your Own Device), are increasing day by day. If the proper security mechanisms are not in place and validated, it could prove to be damaging to all users of the Cloud.
Read More »
Tags: Bring your Own Device (BYOD), cloud security, Common Criteria, ICCC