(Attachment 1)

Security Evaluation and Certification Office

NISSC Attendance Report [Details]

1. Special Events

(1) Opening Plenary (Keynote)
(2) CC-MRA Signing & Award Ceremony
(3) NATIONAL COMPUTER SYSTEMS SECURITY AWARD
(4) Workshop: Protection Profiles -- Turning a Good Idea Into a Registered Standard
(5) Government Displays
(6) Vendor Exhibition

2. Sessions Attended

(1) Common Criteria Project: Implementing the Mutual Recognition Arrangement
(2) ISO/IEC JTC 1/SC 27 "IT Security Techniques"
(3) TPEP to NIAP: Completing the Transition
(4) Common Criteria Project: Introducing the Common Evaluation Methodology
(5) British Standards 7799
(6) Best Security Practices for US Government Information Systems
(7) Using the Common Criteria in Smart Card Security
(8) NSA/ISSO Thread
(9) Defensewide Information Assurance Program (DIAP)
(10) INFOSEC Year in Review


[Details]

1. Special Events

(1) Opening Plenary (Keynote)

 ● Monday, October 18, 1999 10:30 a.m. - 12 noon Regency Ballroom
 ● Keynote Speaker:
    Charles Stuckey, Chairman of the Board and CEO, Security Dynamics

・ e-Business & PKI
・ Opportunity for Industry & Government to work together
・ How/Why they cooperate
・ The history of security.
・ Around 1977, when NISSC started, nobody paid any attention to security.

(2) CC-MRA Signing & Award Ceremony

 ● Monday, 17:45--, Regency Ballroom

Signing ceremony for the new CC-MRA participant countries (two countries: Australia and New Zealand).
A further eight (European) countries are scheduled to join next January, bringing the total to 15.

Awards to vendors of products that have received IT security evaluation and certification.

(3) NATIONAL COMPUTER SYSTEMS SECURITY AWARD

 Recipient: Dorothy E. Denning, Professor of Computer Science, Georgetown University

(4) Workshop: Protection Profiles -- Turning a Good Idea Into a Registered Standard

 ● Thursday, October 21, 1999 13:00--18:00

 ● Instructors:
   Murray Donaldson, CESG, UK (UK certification body)
   Lynne Ambuel, Decisive Analytics, USA (US evaluation facility)

Covered the CC and PPs from the basics through to an overview, with questions and discussion throughout.
Because the participants' knowledge levels varied, the explanations were fairly thorough.
About 25 participants (fewer than at the other workshops).

(5) Government Displays - October 18-21, 1999

 Exhibits by government agencies and public corporations of the US and other countries (held alongside the conference).

(Main exhibiting organizations)

・ NIST, NSA
・ CESG, UK (UK certification body)
・ Georgia Institute of Technology

(6) Vendor Exhibition - October 19-20, 1999

 Exhibition by more than 100 IT security vendors (held alongside the conference).

2. Sessions Attended

(1) Common Criteria Project: Implementing the Mutual Recognition Arrangement

 ● Monday, 1:30--3:00, Kennedy Jefferson Room

 ● Chair
   ・ Eugene F. (Gene) Troy, NIST-USA

 ● Panelists:
   ・ Murray Donaldson, Communications-Electronics Security Group, United Kingdom
   ・ Robert Harland, Communications Security Establishment, Canada
   ・ Ron Ross, NIST-ITL, USA

 ● Panel discussion: the international situation surrounding the CC-MRA.

(2) ISO/IEC JTC 1/SC 27 "IT Security Techniques" or Why Bother About ISO Security Standards ?

 ● Monday, October 18: 3:30--5:00 Kennedy Jefferson Room

 ● Chair
   ・ Dr. Walter Fumy, Chair SC 27, Siemens

 ● Panelists:
   ・ Ted Humphreys, XISEC Consultants Ltd.
   ・ R. Mueller, TUViT, Inc. USA
   ・ Eugene F. (Gene) Troy, NIST, ITL
   ・ Jerry Rainville, National Security Agency

 ● Panel discussion: CC-related activities within ISO (ISO/SC27/WG3)

   ・ ISO 15446 : Guide for production of PP & ST
   ・ ISO 15292 : PP Registration Procedures (International)
   ・ ISO 15443 : Framework for IT Security Assurance

 ● Standards Bodies - ISO/SC27

   ・ Chair SC 27 : Dr. Walter Fumy
   ・ SC27/WG1 : Ted Humphreys (IT Security Management, PKI, Time Stamping)
   ・ SC27/WG2 : R. Mueller (Digital Signature)
   ・ SC27/WG3 : Gene Troy (CC)

(3) TPEP to NIAP: Completing the Transition

 ● Tuesday, October 19: 8:30--10:00 Kennedy Jefferson Room

 ● Chair
   ・ Thomas E. Anderson, National Security Agency (NSA)

 ● Panelists:
   ・ Arnold Johnson, NIST
   ・ Keith F. Brewster, NSA
   ・ Suzanne S. O'Connor, NSA
   ・ Jeffrey Horlick, NIST

 ● Panel discussion: status and schedule of the TPEP to NIAP CCEVS transition

   Schedule:
   - FY2000 All TPEP evaluations over
   - FY2002 TPEP activity concluded

Testing Lab Applicants (candidate evaluation facilities): the following 8 companies
・Arca Systems
・Booz Allen & Hamilton, Inc.
・COACT, Inc.
・CSC (Computer Science Corp.)
・CygnaCom Solution, Inc.
・InfoGard Laboratories
・Science Applications International Corp (SAIC)
・Tuvit, Inc.

(4) Common Criteria Project: Introducing the Common Evaluation Methodology

 ● Tuesday, 10:30--12:00, Kennedy Jefferson Room

 ● Chair
   ・ Murray Donaldson, Communications-Electronics Security Group, United Kingdom

 ● Panelists:

   ・ Lynne Ambuel, Decisive Analytics Corporation, USA
   ・ Ron Bottomly, National Security Agency, USA
   ・ Julian Straw, Syntegra, UK
   ・ Jerry Rose, Communications Security Establishment, Canada

 ● Panel discussion: status and schedule of the CEM

* From 2000, use of the CEM will be mandatory for evaluations

Not covered by CEM ver 1.0 ((*): to be covered by a future plan)

- EAL 5-7
- Composability
- Reuse
- Re-evaluation
- Augmentation(*)
- Rating maintenance(*)
- Flaw Remediation(*)
- Functional requirements

(5) British Standards 7799 [Double Session]

 ● Tuesday, 1:30, Conference Theatre

 ● Chair
  ・ Dr. Stephen D. Bryen, L-3 Network Security

 ● Panelists:
   ・ Stephen Bryen
   ・ Geoff Smith
   ・ David Brewer, Gamma Secure Systems Limited
   ・ Reg Blake, British Standards Institution, Inc.
   ・ Junjiro Isomura, The Office of Isomura, Inc. (Mr. Junjiro Isomura, Isomura International Relations Office Co.)

 ● Panel discussion: adding BS7799 to the CC (Adding to the CC)

Adopted countries: the following 7
 UK, Netherlands, Australia, New Zealand, Sweden, Switzerland, Norway
 * Under consideration - Japan

Many voiced doubts about whether "BS7799 (organization certification) + CC (product certification)" would actually work.

Panelist from Japan: Mr. Junjiro Isomura (President, Isomura International Relations Office Co.)
He described the situation in Japan, including the low level of awareness of security.

(6) Best Security Practices for US Government Information Systems

 ● Wednesday, 8:30, Conference Theatre

 ● Chair
   ・ Dennis Steinauer, NIST

 ● Panelists:

・ Jeffrey Hunker, National Security Council, Sr. Director for Infrastructure Protection -- The role of best practices in the Administration's efforts to improve protection of critical infrastructures
・ Mike Fleming, NSA, Co-chair, Standards and Best Practices working group, Critical Infrastructure Protection Coordination Group -- Establishing a framework for the identification, definition, and sharing of best security practices.
・ John Gilligan, Department of Energy, Co-chair, CIO Council Security Committee -- The Federal CIO Council and the implementation of security best practices by government
・ Geoff Smith, UK Department of Trade and Industry -- British Standard 7799 as a code of best IT security practices
・ Don Holden, Chair, IEEE Internet Best Practices Working Group -- The IEEE Computer Society and the development of best security practices for the Internet.
・ Oliver Smoot, Chair, Information Industries Security Project, Information Technology Industry Association -- Private sector activities to encourage the development and sharing of best IT security practices.

 ● Panel discussion: the concept of "Best Security Practices", a recent hot topic

(7) Using the Common Criteria in Smart Card Security

 ● Wednesday, October 20: 10:30--12 noon Kennedy Jefferson Room

 ● Chair
   ・ Stuart Katzke, NSA

 ● Panelists:

   ・ Gilles Lisimaque, GemPlus (representing smart card vendors)
   ・ Kenneth Ayer, VISA International (representing smart card issuing associations)
   ・ Gene Troy, NIST (representing NIAP and the CC)

Panel discussion: smart card security (from the following three viewpoints)
Presentations from the respective positions of card vendor, card issuer, and the CC (NIST).

For the CC, Mr. G. Troy of NIST was the speaker.
The SCSUG (Smart Card Security Users Group) was launched in June this year,
but industry wants a more formal organization.
Standardization is proving quite difficult because of the competing interests of the companies involved.

(8) NSA/ISSO Thread

 ● Wednesday, 1:30 - 5:00 , Conference Theatre

 ● Opening Address by Mike Jacobs, DDI, NSA, focusing on the ISSO mission

 ● Chair
   ・George Wooley, NSA

 ● Panelists:
   ・ Lou Giles, NSA
   ・ Mike Jacobs, NSA
   ・ Steve Rome, NSA

 ● Panel discussion: activities of NSA/ISSO (Information System Security Organization)

・ PKI Infrastructures
・ Information Assurance Solution Initiatives (IAS): NSA
・ 3 kinds of PP (DoD Acquisition PP, Tech Goal PP, Specific Need PP)
・ (New Deal - NSA)
・ NSA "endorsed" only used for NSA-produced crypto modules.
・ NSA will now certify PP/ST and compliant products for specified applications.
・ NSA list of certified PP/ST

(9) Defensewide Information Assurance Program (DIAP)

 ● Thursday, 8:30, Kennedy-Jefferson Room

 ● Chair
   ・ CAPT J. Katharine Burton, USN

 ● Panelists:
   ・ COL Tom Muchenthaler, USAF
   ・ Christina McBride
   ・ Mark Viola

 ● Panel discussion: introduction to the mission, functions, and organization of the US Department of Defense's information systems division

(10) INFOSEC Year in Review

 ● Thursday, 10:30, Regency AC

 ● Speaker
   ・ David Kennedy, CISSP, Director of Research, ICSA, Inc.

 ● INFOSEC annual review (Oct 98--Sep 99).

・ Good News
・ Bad News
・ System Scanning
・ 1999, Year of the Buffer Overflow (Nth Iteration)
・ Denial of Service Attacks Continue
・ UNIX vulnerabilities
・ NT vulnerabilities
・ Trojans and Backdoors
・ Solutions
・ Forecast for 2000

End of report