“Consorzio RES and IT Security Certifications” 1/22

the Consorzio RES operates as Consorzio RES originates in 1997 in response to the ICT market growing needs in the framework of security processing and maintenance of electronic data Security Evaluation Laboratory (LVS) qualified by the OCSI (ISTICOM) Evaluation Centre (CE.VA.) qualified by ANS (the Italian National Security Authority) Global Consultant in the physical, organizational and ICT security 2/22

Scheme managed by OCSI, the certification body for security Evaluation an Certification of commercial systems and products (DPCM of the 30/10/2003) Scheme managed by ANS, the certification body for security Evaluation and Certification of systems and products dealing with classified information concerning the National Security (DPCM of the 11/04/2002) Consorzio RES is a laboratory qualified to perform Security Evaluation Processes according to the following National Schemes What is an Evaluation Process ? 3/22

An Evaluation Process is part of a Certification Process and has the purpose to produce a Final Evaluation Report. On the base of this report the Certification Body produces the Certification Report and, eventually, the Certificate So, the target seems to be achieving the Security Certificate …and this target MUST be achieved… in a while with money savings at high assurance level 4/22

… these are Customers usual requests! ? ! 5/22

6/22 Our approach punctually answers to the main problems of the ones who are disposed to engage a certification process Consequently Consorzio RES has consolidate an operative metodology with certain benefits for the Customers Experience taught us to respect the Customers needs

Why certify What certify How much spend … and the presumptions of our Customers are… 7/22

Why certify It is necessary to sell our product… Our direct competitor has just achieved the security certificate for his product… We have some left-over money in our project… 49% 2% 8/22

All We don’t know… 50% What certify 9/22

Few money We have this available amount…do what you can! 50% How much spend 10/22

Consorzio RES intervention, since the Certification is only an hypothesis, allows the Customers to resolve to their advantage the previous problems Analysis of these needs has driven the Consorzio RES in the development of a working metodology that attends the Customers since before the Evaluation Process start-up Followed approach answers to the Customers needs though respecting all procedures of the reference scheme as well as used security standard for the system/product evaluation 11/22

Why certify Since before the starting of Evaluation Process, Consorzio RES cooperates with the Customers in a clear definition of : So that data requiring protection can be managed in a security context appropriate to real environment “ ” Real security needs Most suitable operating environment Strictly necessary countermeasures 12/22

What certify Only the components (HW/SW) that, implementing Security, are effectively contrasting the supposed threats “ ” One of the major activities of Consorzio RES is to support Customers to clearly mark off the boundaries of : Target of Evaluation Everything else Operating environment items 13/22

How much spend The bare minimum after having correctly answered to the questions: Why certify? What certify? ” “ 14/22

It is frequent that Security Problem ambiguities are transposed in a cautionary extention of the boundaries of Target of Evaluation and its Operating Environment, as well as in the definition of Security Procedures onerous for the workaday users operations Confusion about true Security Objectives Certification time increasing Certification cost increasing Rules/Standards Modifications HW/SW Obsolescence 15/22

Evaluation Assistance Phase Evaluation Preparation Phase Evaluation Phase Certificate Emission certification Evaluation Starting Evaluation Ending Consorzio RES Intervention Areas 16/22

Critical Success Factors (1/2) Evaluation Assistance Phase Evaluation Phase Evaluation Preparation Phase certification 17/22

Evaluation Preparation Phase Identification of Security Aspects strictly related to the Security Problem Evaluation Assistance Phase Very well written evaluation documents compliant with referential Security Standard Critical Success Factors (2/2) 18/22 Paying attention to these Critical Success Factors remarkably reduces the risk to cumulate considerable delays during a certification process, in behalf of costs and operatives engagements for system/product under certification

Evaluation Assistance Phase Evaluation Preparation Phase Evaluation Phase Turn key solutions Consorzio RES is able to offer all these services during a same certification process, having the availability of highly qualified personnel in a sufficient number to guarantee the independency expected by national scheme 19/22

Every human resource of Consorzio-RES is also qualified, by both certification bodies, for the respective schemes, to hold the Evaluator role during the evaluation process Common Criteria v.3.1 (ISO/IEC 15408) Every human resource of Consorzio RES is skilled according to the most recent security standard, recognized by an international board: 20/22

the Customers trust has allowed us to achieve primacy goals First Italian LVS to have completed an evaluation process according to the National Scheme managed by OCSI First Italian laboratory to have completed several Common Criteria evaluation processes according to the National Scheme managed by Italian National Security Agency First Italian LVS to obtain required qualification to carry out products/systems or protection profiles evaluation process according to the National Scheme managed by OCSI...all unavoidable results of the care and the skills by which “Consorzio RES” answers to the Customers needs 21/22

Other information on: Contact: 22/22