  • Number of slides: 15

Common Criteria Recognition Arrangement
8th ICCC
Rome, 25th September 2007
Report by the MC Chairman Gen. Luigi Palagiano

Introduction
The diffusion of IT systems and networks empowers the international and national exchange of information.
But, at the same time, the growing connectivity among secure and insecure networks creates new opportunities for unauthorized intrusions into sensitive networks and computer systems.

Terrorists, drug traffickers and criminal organisations will take advantage of the new high-speed information technologies to support their illegal activities.

System & Network complexity
The complexity of systems and computer networks is growing faster than the ability to understand and protect them by identifying critical nodes, verifying security, and monitoring activity and intrusion attempts.

Systems / Networks Threats
1. Capture of data related to industrial, military or national security
2. Destruction or control of information systems that support critical infrastructures (for example, airports)
3. Information alteration

Definition of IT Security
IT Security can be defined as: “Getting rid of any unacceptable risk”.
The risks relate to the following categories of losses:
  • Confidentiality of Information
  • Integrity of Data and system related assets
  • Availability of Data and Service

Confidentiality
Assurance that information is shared only among authorized persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned.

Integrity
Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. Assuring that information will not be accidentally or maliciously altered or destroyed.

Availability
Ensuring that information and service are available to authorized users when needed.

History of Common Criteria
  • TCSEC (USA), 1983 - 1985
  • Canada, first initiative, 1989 - 1993
  • CTCPEC 3, 1993
  • NIST - MSFR, 1990
  • National and Regional European Initiatives, 1989 – 1993
  • Federal Criteria, 1992
  • ITSEC, 1992
  • Common Criteria Project, 1993
  • ISO Initiatives, 1992
  • Common Criteria ver. 1.0, 1996
  • Common Criteria ver. 2.0, 1998
  • ISO 15408, 08/06/1999

History of Common Criteria
8th June 1999: CC is approved as International Standard ISO 15408

Nations taking part in the Common Criteria Recognition Arrangement
Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, Netherlands, New Zealand, Spain, United Kingdom, Norway, U.S.A.

Common Criteria participant Nations
[Chart: participant nations by year; Year axis: 2000, 2002, 2003, 2004, 2005, 2006, 2007]
  • Participant nations (14): Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, Netherlands, New Zealand, Norway, Great Britain, Spain, U.S.A.
  • Later entrants, in the order shown on the chart: (2) Austria, Sweden; (2) Hungary, Turkey; (2) Czech Republic, Japan; India, Singapore; Korea, Denmark
  • (1) Malaysia, 2007

Variations during the year 2007
  • New Entrant
      – Malaysia
  • Status change
      – Sweden
      – Singapore
  • Interested in adhesion to CCRA
      – Tunisia
      – Belgium

How are Countries divided?
  • Certificate Authorizing Participants
      – Australia - New Zealand, Canada, France, Germany, Japan, Korea, Netherlands, Norway, Spain, Sweden (*), UK, USA
  • Certificate Consuming Participants
      – Austria, Czech Republic, Denmark, Finland, Greece, Hungary, Israel, Italy, India, Malaysia, Singapore, Turkey
(*) shadow certification in progress