Updates on
Korean SchemeIT Security Certification Center, National Intelligence Service
The 8The 8thth ICCC in Rome, Italy ICCC in Rome, Italy
IT Security Certification Center
Introduction to ITSCC
ITSCC(IT Security Certification Center) is… Aiming at enhancing the IT security in government organizations
by evaluating and certifying commercial IT security products that government organizations plan to procure
The certification body of Korea for security certification, responsible for proper operation of the Korean Evaluation and Certification Scheme(KECS)
Our Six Main Roles Issue Common Criteria certificates for IT security products Regulate the procurement of products within government Plan and develop Protection Profiles for IT security products Approve IT security evaluation facilities Operate the training and education program for evaluators Participate in CC related international cooperation
IT Security Certification Center
Korean Procurement Policy
Government organizations must procure certified IT security products since 1 Jan. 2006 To promote the use of Common Criteria in Korea
To encourage Korean developers to produce sound security products that meet the international standards
Although this policy certainly contributed to the provision of improved confidence in commercial IT security products…
Encountered a problem The number of products applying for CC certificates far-
exceeded the evaluation capacity we can afford
This means products have to wait for a long time in the queue before actual evaluation work begins
IT Security Certification Center
New Evaluation Facilities(1)
Most obvious and effective solution was to expand evaluation capacity of the country There was only one evaluation facility, KISA(Korea Information
Security Agency), which had been established by law
In Dec. 2006, introduced a new procedure to approve evaluation facilities by amending the Korean Standard Lab. Accreditation Program
As a result, we have two more evaluation facilities Early this year, KTL(Korea Testing Laboratory) and
KOSYAS(Korea System Assurance) applied for approval
After accredited against ISO 17025, KTL and KOSYAS were finally approved as an evaluation facility on 29 June and 9 August, respectively
IT Security Certification Center
Established the CC evaluator’s license program To produce quality IT security evaluators in order to meet
demands from new evaluation facilities
Also, the need for systematic training and education of evaluators arose to ensure the quality of their work
Three types of evaluator status
* In addition, we also teach top-notch graduate students to educate them as CC evaluators
with high standard from this semester
New Evaluation Facilities(2)
Type Issuing Condition Entitled Activity
TraineeEvaluator
Successful completion of 10-day education and having passed a written exam
Can participate in CC evaluation under supervision of higher grade evaluators
(Formal)Evaluator
Participated in one or more EAL3 evaluation
Can perform evaluation of products up to EAL3
Senior Evaluator
Participated in two or more EAL4 evaluations AND worked over 3 years as an evaluator
Can perform evaluation of products up to EAL4 and become an evaluation team leader
IT Security Certification Center
Domestic Certification
Introduced a domestic certification scheme to shorten the evaluation time itself Intended to deal with the products having waited or being
expected to wait in the evaluation queue for quite a long time, say, more than a year
Identical to CC except that sampling-based evaluation is used for some components rather than full examination, being able to save evaluation time up to four weeks
The domestic scheme can only be regarded as a temporary solution because… It still requires the same developer’s evidence as CC
And there is no significant reduction in evaluation time at the expense of internationally recognized CC certification
* Note : This domestic scheme is outside the scope of the conference
IT Security Certification Center
Provision of PPs Timely provide PPs that are very needed by IT security
product developers We believe guiding developers to build products correctly and rightly can
significantly reduce the evaluation time as it can reduce potential ORs raised by evaluators
In view of this, ITSCC develops 4 Protection Profiles a year for the products with a large demand from government organizations and a high potential for market growth
• AND a high potential for market growth
* PPs can be downloaded from www.kecs.go.kr (in Korean)
2006 2007(not competed yet)
• Antivirus with a networked admin console
• WLAN authentication system• Anti-spam system• Enterprise Security
Management(ESM)
• Web application firewall• e-Cover for electronic
passport• Enterprise digital right
management system• USB authentication token
IT Security Certification Center
CEMS (1)
Improve the management process of evaluation and certification by employing an automated document management system called CEMS Handled documents manually because EF and CB are located
very closely and therefore preferred in-person contact
However, manual handling of deliverables between CB and EF was partly responsible for inevitable delays in evaluation
Moreover, location of new EFs are widely separated across the city and therefore electronic communication becomes necessary
Therefore, started to build the CEMS system Supports electronic management of documents
And also some essential functions of project management such as real time monitoring of progress
* CEMS : Certification and Evaluation Management System
IT Security Certification Center
CEMS (2)
CEMS is a web-based client-server system, running on Windows Server with IIS and MS-SQL
It consists of two subsystems, called CMS and EMS CMS stands for Certification Management System while EMS
stands for Evaluation Management System CMS can only be accessible to certifiers inside the CB EMS communicates with evaluation facilities’ own system
through secure communication channels
CEMSCEMS
IT Security Certification Center
CEMS (3)
Main Features of CEMS developed so far: Online document management and storage
Real-time monitoring of work progress
Management of document templates
CEMS user management and audit functions
Backup and other system maintenance
With the help of CEMS, we expect to achieve the improved efficiency in evaluation and certification and reduction in evaluation and certification time
For anyone interested in CEMS, demonstration is available at out booth outside
IT Security Certification Center
Conclusion