Feasibility Study Workshop for IT Security Evaluation (CC, ISO/IEC 15408) and Certification
The Common Criteria for IT Security Evaluation (CC, ISO/IEC 15408) is one of the most widely used and market-recognized IT security assurance certifications for ICT products, accepted in the Asian, EU, Middle-East and US markets.
To participate in this workshop, the following preliminary knowledge and skills are expected:
- Knowledge and skills of ICT security product development.
- Knowledge of the following requirements:
- Common Criteria for Information Technology Security Evaluation (CC), V3.1, Part 1: Introduction and general model, Revision 5, April 2017.
- Common Criteria for Information Technology Security Evaluation (CC), V3.1, Part 2: Security functional components, Revision 5, April 2017.
- Common Criteria for Information Technology Security Evaluation (CC), V3.1, Part 3: Security assurance components, Revision 5, April 2017.
- Common Methodology for Information Technology Security Evaluation (CEM), V3.1, Revision 5, April 2017.
- Scheme relevant guidance, application notes and interpretations (AIS/JIL).
- Applicable Protection Profiles (PPs) (If any)
- ISO/IEC 27001: Knowledge of the requirements of ISO/IEC 27001 (with ISO/IEC 27002) and the commonly used information security management terms and definitions, as given in ISO/IEC 27000.
Who should attend?
- ICT product developers, e.g. R&D engineers, product managers
- Product manufacturers, e.g. site security managers, facility managers
- CNII (critical national information infrastructure) clients, e.g. sponsors, customers, end users
- Sales and marketing managers
- Technical compliance officers
Learning objectives
- Understand the IT security evaluation criteria, supporting documents and scheme.
- Understand the information security technologies used for development.
- Understand the development and manufacturing site security requirements.
- Prepare and define a preliminary TOE (Target of Evaluation) and project scope (if applicable).
- Improve the overall understanding of IT security evaluation requirements and the scheme.
- With the support of field experts, identify a feasible TOE and project scope for evaluation and certification, saving time and money.
- With the support of field experts, identify potential gaps between the existing information security technology and the evaluation/certification requirements (if applicable).
Day 1, Overview of the Common Criteria for IT Security Evaluation (CC, ISO/IEC 15408) and the TOE scope
- Introduction to the Common Criteria for IT Security Evaluation/Certification process
- Introduction to PP (Protection Profile), ST (Security Target) and EAL (Evaluation Assurance Level)
- Introduction to the IT security technologies and/or product (presented by the client)
- Functionality and use case
- Security features
- Tools and techniques
- Discussion of the preliminary TOE (Target of Evaluation) scope
Day 2, Preliminary assessment of TOE developer documents (supported by the client)
- Assessment of TOE design documents (including but not limited to security functionality, security architecture, design and implementation)
- Assessment of TOE security operation and administration documents
- Assessment of TOE configuration management, change management, release management process, and tools
- Assessment of TOE secure lifecycle management and delivery process
- Assessment of TOE testing process and tools (including but not limited to security functionality testing and analysis of test coverage and/or depth)
- Assessment of the vulnerability assessment performed on the TOE security technology
Day 3, Preliminary assessment of TOE developer and/or manufacturer site security (supported by the client)
- Assessment of TOE lifecycle security management process
- Assessment of TOE development and/or manufacturing security management processes, including but not limited to:
- Information asset management
- Personnel security
- Physical and environmental security
- Communication and operational security
- Access control
- Information security incident management
- Contingency management
- Legal and technical compliance
- Summary and presentation of the findings
Deliverables
- Workshop material and presentation
- An IT security evaluation and certification project proposal or feasibility assessment report (with possible evaluation and/or certification solution) will be delivered within 4 weeks after the workshop.
- Supported by the client: the developers shall prepare and provide the following evidence 2 weeks BEFORE the workshop:
- Technical contents of the TOE
- Development site security documents
- Manufacturing site security documents
- This is an "in-house" workshop, not a public one.
- The maximum number of delegates for this workshop is 20.
- This course is facilitated by the www.TKSG.global online learning management system (LMS). Participants should be able to use their own PC, laptop or suitable mobile device to access the LMS.
Daily time: 09:00 ~ 17:00