Evaluation requirement for IT security

Evaluation requirement for IT Security refers to the procedure of conducting regular reviews and checks of IT systems to ensure compliance with organizational security policies, standards, and procedures, as well as industry best practices.

India has a few IT evaluation requirements, including Common Criteria (CC) Certification, Indian Common Criteria Certification Scheme (IC3S), IoT System Certification Scheme (IoTSCS).

Common Criteria (CC) Certification:

Common criteria can be applied for the evaluation of an IT product or system satisfying a defined set of security requirements. The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1. In this framework, computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they meet the claims. In other words, Common Criteria ensures that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous and standard manner.

The Indian Standard (Second Revision) which is identical to ISO/IEC 27001: 2022 ‘Information security, cybersecurity and privacy protection — Information security management systems — Requirements’ issued by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) jointly was adopted by the Bureau of Indian Standards on the recommendations of the Information Systems Security and Privacy Sectional Committee, and approval of the Electronics and Information Technology Division Council.

Indian Common Criteria Certification Scheme (IC3S):

The Indian Common Criteria Certification Scheme (IC3S) is a third-party evaluation and certification service for IT security products and protection profiles (PP) to evaluate and certify IT products against Common Criteria Standards.

A Protection Profile (PP) is a document, typically created by a user or user community, that identifies security requirements for a class of security devices relevant to that user for a particular purpose. Product vendors can choose to implement products that comply with one or more PPs, and have their products evaluated against those PPs. In such a case, a PP may serve as a template for the product’s Security Target (ST), or the authors of the ST will at least ensure that all requirements in relevant PPs also appear in the target’s ST document. Customers looking for particular types of products can focus on those certified against the PP that meet their requirements.

Certification body: The STQC Directorate in the Ministry of Electronics and Information Technology, Government of India is the Certification body for issuing IC35. This certificate confirms that the product meets the claimed assurance level and that the evaluation was conducted by the Common Criteria. Another benefit is common criteria certificate is that the Certificates issued by one-member countries are accepted in other countries without re-certification

The process for the IC3S includes Identification of the TOE, Security policy, Assumptions, Evaluated configuration, Document evaluation, Product testing, Evaluation results, and Validator comments.

TOE:

Target of Evaluation (TOE) is an information system, part of a system or product, and all associated documentation that is the subject of a security evaluation. The evaluation serves to validate claims made about the target. To be of practical use, the evaluation must verify the target’s security features.

Security Policy:

A security policy is a set of rules and practices that define how to keep an organization’s systems, information, and employees secure. The document covers a variety of areas, including physical security, network security, personnel security, and administrative security which are continuously updated and changing as technologies, vulnerabilities, and security requirements change.

Assumption:

The network device is assumed to be physically protected in its operational environment and not subject to physical attacks that compromise security and/or interfere with the device’s physical interconnections and correct operation. The device is assumed to provide networking functionality as its core function and not provide functionality/services that could be deemed as general-purpose computing. For example, the device should not provide a computing platform for general-purpose applications (unrelated to networking functionality). A standard/generic network device does not provide any assurance regarding the protection of traffic that traverses it. The intent is for the network device to protect data that originates on or is destined to the device itself, including administrative data and audit data. Traffic that is traversing the network device, destined for another network entity, is not covered by the NDcPP. It is assumed that this protection will be covered by cPPs for particular types of network devices (e.g., firewalls). The Security Administrator(s) for the network device are assumed to be trusted and to act in the best interest of security for the organization.

Evaluated configuration:

This document describes the steps required to duplicate the configuration of the device running Junos OS when the device is evaluated.

Document evaluation:

Document evaluation is a part of the Indian Common Criteria Certification Scheme (IC3S), which is an independent third-party service that evaluates IT products’ security functions and mechanisms including documentation evaluation, testing, and vulnerability assessment.

Product Testing:

Product testing is the evaluation of an existing product or a new prototype to assess key areas like performance, quality, and functionality. Product testing can have different goals depending on the stage your product is at in its lifecycle.

Evaluation result:

An evaluation result refers to the outcome of an assessment process, which serves as a basis for decision-making.

Validator’s Comments:

The Validators have reviewed the Evaluation Technical Report [ETR] and all relevant evaluation evidence, documents, records, etc.

IoT System Certification Scheme (IoTSCS)

The IoTSystem Certification Scheme (IoTSCS), operated by STQC, Ministry of Electronics and Information Technology, aims to support all IoT products. This scheme assesses IoT devices based on three aspects namely an IoT platform, the market expectation, and the network effects. The three main components of the Internet of Things (IoT) are devices, connectivity, and the cloud. The objective of IoTSCS under STQC is to instill confidence among consumers and stakeholders about the quality and security of IoT products and systems.

Security Considerations related Posts: