Collaborations with different working groups to improve cyber security certifications

Blog

18
- Nov
2020
Posted by: jtsec Team
[Cybersecurity research]
Collaborations with different working groups to improve cyber security certifications

Cybersecurity is an area that is continually advancing at a rapid pace. Therefore, certifications must be modified to conform as closely as possible to reality and current events.

At jtsec we believe that collaborating in different working groups with different companies at a global level is the ideal way to contribute to the improvement and updating of the different cybersecurity certifications, mainly those that are more standardized worldwide.

A real example, the creation of a patch management extension for ISO/IEC 15408 and ISO/IEC 18045

Common Criteria (ISO/IEC 15408), is the most recognized and used cybersecurity standard internationally, accepted in more than 30 countries. At jtsec we are both consultants and evaluators (lab) for this methodology.

In this project we have the collaboration of Sebastian Fritsch, Head of CC Laboratory at the German cybersecurity consultancy and laboratory Secuvera for the creation of an extension for patch management for ISO/IEC 15408 and ISO/IEC 18045.

In this specific case, there is the problem that these standards do not allow re-certification of updates or products with security patches. Neither ISO/IEC 15408 nor ISO/IEC 18045 (or EMC) contain dedicated methods or assessment activities that support the evaluation of minor changes or minor updates. One of the most important aspects in the context of patch management and security updates is the characterization of changes in minor and major updates.

Thanks to the intense work of our Technical Manager, Javier Tallón and Sebastian, a serious problem was detected, which consisted of the fact that, after a new vulnerability was detected in a product, there was a time frame (until a new evaluation process was completed), in which the user had to choose between using a certified product or a safe product.

The solution offered is based on three pillars:

  • A pre-defined security problem that manufactureres can use in their security declarations.

  • Adding additional functional requirements (FPT_PAM) that address the patch or update functionality of the base TOE.

  • Adding additional life cycle requirements (ALC_PAM) to obtain a commitment from developers to consistently monitor bugs or issues after the release of the base TOE, but also to encourage developers to consistently generate evidence for future re-certification.

    Other working groups of which jtsec is a member

    We are involved in different working groups, we strong believe that the certifications should be increasingly accessible to all types of companies and that they should be valid in as many countries as possible.

  • Editors and co-leaders of the report of recommendations to create a certification scheme for Industrial Automation and Control Systems (IACS).

  • Members of SCCG (Stakeholder Cybersecurity Certification Group) of the European Commission.

  • Editors of JTC13 WG3: “Cybersecurity Evaluation Methodology for ICT products”.

  • Members of the Ad-hoc SOG-IS Working Group of the European Commission and Rappourteurs of the Sub-Working Group 7 on Harmonisation of the Implementation of ISO 17025.

  • Members of the WG3 de ISO SC27 and editors of the Technical Report “Towards Creating an Extension for Patch Management for ISO/IEC 15408 and ISO/IEC 18045”

    All our efforts are aimed at building a more cyber-secure world and sharing our experience is the way to achieve it.

    • tags
    jtsec Team/Staff

    jtsec: Beyond IT Security Team


    Contact

    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.
    RECENT POSTS
    jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
    Jan 17, 2025
    jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
    jtsec & Applus+ Laboratories at ICCC24
    Nov 14, 2024
    jtsec & Applus+ Laboratories at ICCC24
    How to use the CCN product catalog to improve your company's security
    Oct 14, 2024
    How to use the CCN product catalog to improve your company's security
    Common Criteria Statistics 2023
    June 17, 2024
    Common Criteria Statistics 2023
    How to enter ENS category high, stay in the catalog and add new versions of my product
    April 23, 2024
    How to enter ENS category high, stay in the catalog and add new versions of my product
    jtsec - Our LINCE 2023
    Febr 6, 2024
    jtsec - Our LINCE 2023
    We wish you a happy and cybersecure 2024
    Dec 19, 2023
    We wish you a happy and cybersecure 2024
    How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
    Dec 14, 2023
    How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
    How to include your product or service in ENS ALTA.
    Oct 31, 2023
    How to include your product or service in ENS ALTA.
    Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
    Sept 19, 2023
    Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
    CATEGORIES