Updates on Korean Scheme

1. The 8th ICCC in Rome, Italy Updates onKorean Scheme IT Security Certification Center, National Intelligence Service

2. Introduction to ITSCC • ITSCC(IT Security Certification Center) is… • Aiming at enhancing the IT security in government organizations by evaluating and certifying commercial IT security products that government organizations plan to procure • The certification body of Korea for security certification, responsible for proper operation of the Korean Evaluation and Certification Scheme(KECS) • Our Six Main Roles • Issue Common Criteria certificates for IT security products • Regulate the procurement of products within government • Plan and develop Protection Profiles for IT security products • Approve IT security evaluation facilities • Operate the training and education program for evaluators • Participate in CC related international cooperation

3. Korean Procurement Policy • Government organizations must procure certified IT security products since 1 Jan. 2006 • To promote the use of Common Criteria in Korea • To encourage Korean developers to produce sound security products that meet the international standards • Although this policy certainly contributed to the provision of improved confidence in commercial IT security products… • Encountered a problem • The number of products applying for CC certificates far-exceeded the evaluation capacity we can afford • This means products have to wait for a long time in the queue before actual evaluation work begins

4. New Evaluation Facilities(1) • Most obvious and effective solution was to expand evaluation capacity of the country • There was only one evaluation facility, KISA(Korea Information Security Agency), which had been established by law • In Dec. 2006, introduced a new procedure to approve evaluation facilities by amending the Korean Standard Lab. Accreditation Program • As a result, we have two more evaluation facilities • Early this year, KTL(Korea Testing Laboratory) and KOSYAS(Korea System Assurance) applied for approval • After accredited against ISO 17025, KTL and KOSYAS were finally approved as an evaluation facility on 29 June and 9 August, respectively

5. New Evaluation Facilities(2) • Established the CC evaluator’s license program • To produce quality IT security evaluators in order to meet demands from new evaluation facilities • Also, the need for systematic training and education of evaluators arose to ensure the quality of their work • Three types of evaluator status * In addition, we also teach top-notch graduate students to educate them as CC evaluators with high standard from this semester

6. Domestic Certification • Introduced a domestic certification scheme to shorten the evaluation time itself • Intended to deal with the products having waited or being expected to wait in the evaluation queue for quite a long time, say, more than a year • Identical to CC except that sampling-based evaluation is used for some components rather than full examination, being able to save evaluation time up to four weeks • The domestic scheme can only be regarded as a temporary solution because… • It still requires the same developer’s evidence as CC • And there is no significant reduction in evaluation time at the expense of internationally recognized CC certification * Note : This domestic scheme is outside the scope of the conference

7. Provision of PPs • Timely provide PPs that are very needed by IT security product developers • We believe guiding developers to build products correctly and rightly can significantly reduce the evaluation time as it can reduce potential ORs raised by evaluators • In view of this, ITSCC develops 4 Protection Profiles a year for the products with a large demand from government organizations and a high potential for market growth • AND a high potential for market growth * PPs can be downloaded from www.kecs.go.kr (in Korean)

8. CEMS (1) • Improve the management process of evaluation and certification by employing an automated document management system called CEMS • Handled documents manually because EF and CB are located very closely and therefore preferred in-person contact • However, manual handling of deliverables between CB and EF was partly responsible for inevitable delays in evaluation • Moreover, location of new EFs are widely separated across the city and therefore electronic communication becomes necessary • Therefore, started to build the CEMS system • Supports electronic management of documents • And also some essential functions of project management such as real time monitoring of progress * CEMS : Certification and Evaluation Management System

9. CEMS (2) • CEMS is a web-based client-server system, running on Windows Server with IIS and MS-SQL • It consists of two subsystems, called CMS and EMS • CMS stands for Certification Management System while EMS stands for Evaluation Management System • CMS can only be accessible to certifiers inside the CB • EMS communicates with evaluation facilities’ own system through secure communication channels CEMS

10. CEMS (3) • Main Features of CEMS developed so far: • Online document management and storage • Real-time monitoring of work progress • Management of document templates • CEMS user management and audit functions • Backup and other system maintenance • With the help of CEMS, we expect to achieve the improved efficiency in evaluation and certification and reduction in evaluation and certification time • For anyone interested in CEMS, demonstration is available at out booth outside

11. Conclusion Q & A IT Security Certification Center www.kecs.go.kr