IDS mailing list archives
AW: [IDS] IDS Common Criteria
From: detmar.liesen () lds nrw de
Date: Wed, 8 Jan 2003 09:11:42 +0100
FTWAI: (for those who are interested): Europe has a pendant to CC - the Information Technology Security Evaluation Criteria (ITSEC), which has adopted several thoughts of the Orange Book of CC but is more flexible. In Germany the BSI (www.bsi.de) is the public authority for ITSEC certifications. BTW: I have once tried to read the orange book but I gave up on the 12th page or so. This experience was very traumatic for me (shudder).
8)
However, for stuff like b2b, even private companies nowadays tend to prefer E3/high certified products. As most of you probably know, in the US and in Germany (I don't know about the others) it's compulsory to protect your business - and thus your it-infrastructure as well - from known threats that could bankrupt you (for those who want to know, I am talking about the German KonTrag act and it's consequences). If you have a security concept and your infrastructure is certified E3/high, you have solid proof that you have taken adequate measures for protecting your business and this protects you (as a business owner or executive) from being charged for serious negligence if this is the right term in english. :) Of course, E3/high certified products do not protect you from harm if your security concept does not include audits and assessment that are performed on a regular term. For government security-infrastructure such as firewalls, E3/high is compulsory anyway. Just my 2 Cents ;) Cheers, Detmar Liesen -----Ursprüngliche Nachricht----- Von: Randy Taylor [mailto:gnu () charm net] Gesendet: Mittwoch, 8. Januar 2003 00:50 An: Talisker; focus-ids () securityfocus com; ids () mailman vet com au Betreff: Re: [IDS] IDS Common Criteria At 11:00 PM 1/7/2003 +0000, Talisker wrote:
Sadly within the public sector installing an IDS isn't merely a question of having sufficient resources to achieve the objective, there are also a plethora of political and accreditation issues to overcome. CC can help to surmount many of the bureaucratic mountains that lie in the way. I don't agree with it, but it's a fact of life, I can't see another way until common sense prevails. Unfortunately public sector and common sense rarely walk hand in hand.
You've hit the hidden nail pretty close to its head. The U.S Government public sector now requires significant Certification and Accreditation (C&A) efforts for any new infrastructure being stood up and it is in the process of introducing C&A into existing infrastructure. CC product certifications are an integral part of the C&A process now, and they're not going away. The U.S. Military has been doing C&A on their critical infrastructure for as long as I can remember. The point is that post 9/11 pretty much -everything- in the U.S. .gov and .mil network domains is being identified as critical infrastructure. From the outside-in view, CC and it's C&A parent are bureaucratic at best and Byzantine at worst. In the projects I'm involved with these days, I spend as much time on C&A issues as I do on technical issues. I'm seeing the process from the inside. It does get mind-bogglingly complex sometimes, and everyone I know that's involved relieves the pressure with an occasional witty rant or two. My previous humorous comments aside though, C&A has identified weakness in infrastructure that would have escaped detection otherwise. C&A has this annoying habit of working. Sure, the overall process can be improved, and I'm sure it will - but it does what it's supposed to do now. From a structural security perspective, C&A is essential. I wouldn't be surprised to see the commercial sector adopt C&A processes and demand CC certs in the next year or two.
just my 2c take care -andy
8) Randy
Current thread:
- AW: [IDS] IDS Common Criteria detmar . liesen (Jan 08)