9ICCC IT security starts here - Common Criteria · Microsoft PowerPoint - TSI-Presentation.ppt...
Transcript of 9ICCC IT security starts here - Common Criteria · Microsoft PowerPoint - TSI-Presentation.ppt...
TÜV Informationstechnik GmbH
9ICCC
IT security starts here:At the building structure and its mission critical infrastructure
Joachim Faulhaber & Wolfgang Peter
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 1
Agenda
ScopeRisc potentialsPhysical security requirementsApplication of the criteria catalogue
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 2
Class ALC: Life-cycle support
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 3
ALC_DVS: Development security
Objectives
Development security is concerned with physical, procedural, personnel, and other security measures that may be used in the development environment to protect the TOE and its parts. It includes the physical security of thedevelopment location and…
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 4
Data Center
9ICCC
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 5
Diversity of security
procedural security
IT security
physical security
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 6
Physical security standards
Depth of coverage between standards about 80%Differences in the methodologySlightly different focuses
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 7
Security Objectives
Confidentiality
Integrity
Availability
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 8
Risk potentials
Forcemajeure
Operatingmalfunctions
Crime
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 9
Crime
BurglarySabotageVandalismAttack
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 10
Force majeure
FireWater Corrosive gasesExplosionRubble loadsLightning strikesEarthquakes
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 11
Operating malfunctions
Lack of electrical supply byBreakdownSwitching operationsOverloading
Air conditioning breakdownCommunication breakdownSafety equipment breakdownMagnetic stray fieldsRadio frequencies
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 12
Comprehensive security for all physical aspects of data centers
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 13
TSI requirements
Security technologyBurglar alarm systemAccess control systemVideo systemSecurity service
Building
Zoning designFire-SealsArrangementDoors/windowsFire protectionLightning protection
Environment
Traffic routesWaterIndustryWarehouseTopography
Fire protectiontechnology
Fire alarm systemFire extinguishing systemAlarm equipmentField of application
Energy supply
RoutesDistributorsOvervoltage protectionUninterruptible power supplyStandby generator
Air conditioning
Supply engineeringReliability
Circ. air cooler / heat exchangerRoom monitoring
Outside air supply
Organisation
ProceduresFunction tests
MaintenanceAllocation
Qualification
Documentation
Security conceptEmergency concept
Fire protection conceptMaintenance concept
Building plansCircuit diagram
Air-conditioning and vent. diagram
Data networks
Redundant feedsRoutes
Overvoltage protectionred. central components
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 14
Cornerstones of infrastructure measures
Precaution
Detection
ReactionAlarm relayingFire extinguishing systemsStarting standby generator unitetc.
Overvoltage protectionIntrusion detectionUPSetc.
But alsoplanning certification
Fire alarmTemperature sensorsAccess controletc.
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 15
Evaluation result
Level1: medium protection requirements (according to the BSI infrastructure requirements of the baseline protection manual)Level2: extended protection requirements (extended requirements to all above mentioned aspects)Level3: high protection requirements (complete redundancy of essential components, no single point of failures, climate limits according to EN 1047-2)Level4: very high protection requirements (advanced access control, no adjacent hazard potentials, with minimal intervention time)
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 16
Creating trust
Processing industry
Customers and markets
Courts of LawBank
InsuranceBoard
Liability questions
Suppliers
Market positioning
Basel II
Conditions
Persuasion
IT-operator
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 17
Excerpt of TSI certified datacenters
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 18
Summary
The matter of physical securityMethodology & structural approachApplication of parts of the criteria to CC site visits
© TÜV Informationstechnik GmbH – Member of TÜV NORD Group J. Faulhaber, W. Peter 9ICC 19
TÜV Informationstechnik GmbHMember of TÜV NORD Group
Joachim FaulhaberDeputy Division ManagerTÜViT, Certification
Wolfgang PeterDirector Evaluation Body for IT SecurityTÜViT, Information Security
Langemarckstr. 2045141 Essen, Germany
Phone: +49 201 8999 – 584Fax: +49 201 8999 – 555E-Mail: [email protected]: www.tuvit.net