ISMS Aspects in Common Criteria Certificates for Development Sites


The talk will present some results of an ongoing study conducted by the German BSI. This study explores the possibility to issue Certificates for Development Sites in order to reduce the redundancy in activities for a product developer, who needs Common Criteria evaluations for several products or who needs assurance in site security for several customers. We will talk about some aspects of the criteria needed for production site evaluations.
For people knowing the CC the obvious first approach to production site certification will be to define an assurance package consisting of components from the CC classes, which touch secure development and security of the development environment. This would include classes like

1. ALC (Product Life Cycle, which in particular includes the security of the development and production site),
2. ACM (Configuration Management),
3. ADO (which includes delivery procedures for products).

However, some issues need to be solved:

1. The first, well known, issue is that the classes mentioned before always have two aspects: Aspects of the general production site (like physical security measures) and aspects for the concrete product (like specific version numbers or project specific development tools). This leads to the necessity to divide the CC classes in some way in product-specific and non-product specific aspect.
2. Two other, closely connected issues, are the aspects of maintenance of certificates and the aspect of organisational and management aspects of the security measures. In these aspects the development site certification has close connection to information security management. This is connected with standards like the "IT Baseline Protection Manual" of German BSI, ISO17799 / BS7799, ISO/IEC TR 13335 "Guidelines for the management of information and communications technology security" and others. Therefore it was an aspect of the project to discuss the use of ISMS aspects in site certification.

The presentation will cover topic 2. Issue 1. will be covered by another presentation about reusability of evaluation results.
Though the project concentrates on the aspect of development and production sites, there are close connections to the evaluation of IT systems as discussed in the ongoing ISO project 19791 "Security assessment of operational systems" and to ISMS standards as mentioned above. This connection will be shortly reflected in the talk.