Cybersecurity requirements for remote video identification tools for the issuing of qualified electronic certificates.

17 May 2021
Posted by: José Ruiz

Over the past year, the physical restrictions on personal travel caused by COVID-19 have required the use of video identification tools to carry out formalities with Public Administrations and private companies. For this reason, in Spain, a series of measures was approved on a transitory and exceptional basis in March 2020, enabling a remote identification system for obtaining a qualified certificate. Finally, these measures have been settled in a regulation that came into force in May 2021, which also sets out the security requirements to be met by these products.

What security requirements must a video identification tool meet?

The ministerial order establishes that, in order to adapt in an agile way to the continuous advance of technology, the security level of the video identification system or product must be verified against the requirements of annex F.11 (Video identification tools) of the Taxonomy of STIC products in the ICT Security Guide CCN-STIC-140 of the CCN (Spanish National Cryptologic Center), for the high category.

The fundamental security requirements that a video identification solution must meet in order to be included in the CPSTIC catalog are as follows:

  • General identification process.

  • Identification of the applicant.

  • Validation of identity documents.

  • Audit requirements.

  • Secure communications.

  • Reliable administration.

  • Identification and authentication.

  • Protection of credentials and sensitive data.

How to include a video identification product in the CPSTIC catalog?

The CPSTIC catalog is the reference Catalog for Cybersecurity ICT Products in Spain. Two certifications allow access to it, LINCE and Common Criteria:

  • Common Criteria: the certification must reach, as a minimum, EAL 2 to give access to the Catalog at the high level.

  • LINCE: LINCE certification allows access to the medium level.

Evaluating a video identification solution

At jtsec we are in the process of evaluating a video identification product under the LINCE methodology, thus being pioneers in evaluating this family of products. As a leading laboratory in LINCE evaluations, our experience and training will help you to make the certification process as agile as possible, thus reducing the time and resources required by our customers.

If you want to obtain a valid cybersecurity certification for your video identification tool, we will be happy to help you.

  • José Ruiz/CTO

    Jose is an expert consultant on the Common Criteria standard with more than 10 years of experience. Jose has a wide background in other security assurance standards in the field of information technology, such as Common Criteria, FIPS 140-2, FIPS 140-3, GP TEE, PCI-PTS and LINCE. Jose has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He has been the "Chairman" of a subgroup within the ISCI WG1 Eurosmart Initiative to develop the CC Methodology. He is also a member of different working groups such as ISO SC27 and Global Platform TEE, and an active member of the ERNCIP group "IACS Cybersecurity certification".

    In 2017 he founded with Javier what is now known as jtsec. He is currently in charge of promoting the commercial expansion of the company from its headquarters in Madrid as CTO. In addition, he represents jtsec in various national and international forums and is responsible for quality.

