Security evaluation and certification of products/services/systems/processes is becoming key for more and more stakeholders, private entities, public authorities, and consumers. Every single component may have a security flaw and/or widen the attack surface of a larger system with consequences that may not be under the control or mitigation capabilities of a single actor. Security evaluation and certification are means to lower the risks at unitary and system level and become highly recommended, mandatory or “opposable” in many new areas.
However, stakeholders’ expertise and experience related to security and certification schemes are highly variable, and skilled personnel are a rare resource. Internet of Trust supports all customers – experienced and newcomers to the certification ecosystem alike – in building or reinforcing an efficient certification team and in establishing processes meant to maximize the customer’s chances of obtaining a successful evaluation.
With over 20 years of experience in security, we provide evaluation support services for addressing a variety of requirements, from basic to the highest security levels. Developers, manufacturers, and service providers can rely on Internet of Trust’s expert team for preparing the evaluation of their products. This applies for instance to smartcards and secure tokens, acceptance terminals, mobile and IoT devices, payment or authentication services.
Our services include scheme selection, certification strategy definition, security target and documentation writing or review, coordination with the selected certification body and laboratory.
We adapt to the development model of our clients, e.g. V-model, Agile or custom, to achieve cost-effective security certification, and we work in close relationship with labs and certification/approval bodies to anticipate specific requirements. Our goal is to optimize our customer’s time and resources by defining a global certification strategy, rationalizing the evidences, avoiding unnecessary documentation, and improving reuse from one evaluation to the next. This applies to international, national or sectoral security frameworks, for substantial or high security levels, such as Common Criteria, CSPN, GlobalPlatform, PCI, EMVCo and FIDO.
We also assist customers in preparing lower-level security assessments, typically based on checklists, guidelines or an audit plan, by reviewing processes, procedures, security measures and supporting evidence, and by providing recommendations for improvement and corrective plans.
Our approach consists of several phases. All the activities are tailored to comply with applicable regulations and to meet the customer’s code of practice.
The first step is to determine the objectives, the scope and the means to put in place for preparing the evaluation and reaching the targeted certification. This is generally done through a workshop to determine the perimeter of the product/service that will be evaluated (the Target of Evaluation), to select the scheme and level, to identify the relevant security requirements and to choose the certification body and the evaluation laboratory.
The second step consists of collecting and analyzing the information from the customer; it is followed by a concrete action plan proposal driven by the customer’s needs. This typically covers different aspects and parameters, such as time, resources, the reuse strategy for a family of products, the long-term certification strategy, etc.
For instance, in a CC product certification project this step consists of determining the gaps with regard to the target EAL (Evaluation Assurance Level) and making a proposal for producing the missing evidences and delivering them to the lab. This is often carried out through a workshop with the management and technical teams.
For a site security pre-audit, this means determining the scope of the audit and preparing a detailed audit plan, including the required inputs and the actions for collecting/preparing such inputs, the identification of the personnel to interview, the identification of the premises to inspect, etc.
The third step focuses on the execution of the plan, which often implies joint work with the customer. Customers provide inputs and knowledge of their system/product/service and perform the tasks that have been assigned to them. Internet of Trust performs its assigned activities and follows up the overall execution plan.
In a CC project, Internet of Trust’s usual tasks include writing a selected set of missing evidences, e.g. the Security Target and the traceability mappings, and ensuring the interface with the lab and the certification body up to the certification of the product. This phase may include training sessions to accelerate the customer’s learning curve, for instance about the required Protection Profile(s) or the specific EAL.
For a site security pre-audit, this phase corresponds to the documentary and/or physical analysis of the scope and to the reporting of deviations and alternative corrective measures. It may also cover support during a third-party audit.
The fourth phase consists of regular or event-driven maintenance activities on the work products delivered by Internet of Trust and overall monitoring of the product/project.
In a CC project, maintaining the product certificate through an assurance continuity process is an example. This requires producing a Change Impact Analysis Report, delivering updated evidences and interacting with the lab and the certification body in the framework of a re-submission.
For a site security pre-audit, examples include the follow-up of the corrective action plan and the update of the environment conditions, processes and procedures.
Evaluation support services may give rise to a variety of deliverables, which include:
Internet of Trust provides several types of services, which are customized based on the certification or regulation framework and on the customer’s needs:
Scoping and team set-up, which aims at defining the evaluation and certification project, the resources and the entities that will be involved. It may include the selection of the scheme, the security requirements and the targeted level, which depends not only on the product but also on the users’ requirements and, for multipurpose products, on the use case(s). In this activity, we assume that the risk analysis and the security requirements are available; otherwise, a cybersecurity analysis can be proposed.
Integral Evaluation Support, which is aimed at one or more certification projects and allows us to accompany our customers throughout the whole life-cycle of their products in order to reach and maintain the required security level. This service comprises project management, ensuring the interface and communication with evaluators and certifiers, and writing technical documentation as required. Developers who are new to the certification process or want to increase the assurance level of their products (e.g. a smartcard manufacturer who decides to move from Common Criteria EAL4+ or EAL5+ to EAL6 or EAL7) are typical clients of such a service.
Focused Evaluation Support, which addresses a specific need at a given time either during the preparation of a security evaluation or during the evaluation itself. Evaluation project management and writing of some of the required documentation, e.g. Common Criteria or CSPN security targets, are typical examples of services of this kind.
Site Security Audit, which consists of studying the characteristics of a development/manufacturing/integration/personalization site against the applicable regulations and requirements, followed, if necessary, by an on-site inspection. Customers request this type of audit service to gain confidence in the assurance level reachable by their site(s), or as a preparation step either for a self-assessment or for a formal audit conducted by an evaluation authority, e.g. in the framework of a CC evaluation against the MSSR set of requirements.