IST/33/-/3 is the technical panel that advises the British Standards Institution (BSI) on proposed standards for Information Technology - Security Techniques - Security Evaluation, Testing and Specification. This is a new title, adopted in April 2011. Previously IST/33/-/3 only dealt with Security Evaluation, and this remains its main topic of interest.
It reports to IST/33, the BSI Standards Committee responsible for IT security techniques. IST/33 sets policy and advises BSI how to respond on behalf of the United Kingdom on ballots on proposed European or International Standards.
Are you looking for a brief overview of Security Evaluation standardisation and the work of Panel 3? Try this presentation (pdf format, truncated form presented at the International Standardisation Forum, Beijing, May 2009). This is now fairly old, but still a good introduction to the subject.
IST/33/-/3 is exclusively an electronic panel; new information to be considered by members is posted to this web page once available. There are no physical meetings. Comments are distributed and collated by E-mail. Membership of the panel is open to anyone resident in the UK with an interest in standardisation. Contact the Panel Convenor to join.
Under BSI rules, a voluntary charge may be made to cover the costs of running the panel. However, no charge has been made since the panel went electronic more than ten years ago, and there are currently no plans to levy a charge, now or in the future.
The formal way to obtain information on the work of the panel, including electronic notification of new documents, is to join BSI Committee IST/33. This also gives you the right to vote as to whether technical contributions should be put forward, and whether the UK should approve or disapprove formal drafts of standards in this area. For more information, please see the BSI Standards Getting Involved page. It can be pretty difficult to find information on the BSI Standards web pages. If necessary, contact the IST/33 Committee Secretary.
The rules for distribution of documents relating to new Information Technology standards are changing. For security standards, new rules came into operation from June 1st 2010. From that date, all Working Group documents should be downloadable from the ISO server that holds the master copies without registration or passwords being required. However, this has not happened on a routine basis. Documents are distributed to Panel Members with a declared interest in the relevant topic by email. Other Panel Members can obtain them by request to the Panel Convenor.
If you are able to access documents on the ISO servers, please follow the copyright and distribution conditions. In particular, do not modify documents or pass them on to others. Doing so is a breach of the copyright and conditions of use.
This web page also contains links to some older WG 3 documents held on the Gamma server. If you are a UK resident and interested in standardisation, you may view or download these documents from this page free of charge and formalities. Please observe copyright where applicable.
IST/33/-/3 tracks the work of an International Standards Working Group - the International Organisation for Standardisation - International Electrotechnical Commission Joint Technical Committee 1 Subcommittee 27 Working Group 3: Security Evaluation, Testing and Specification. This is commonly called "SC 27 WG 3" for short. This WG is responsible for developing security engineering standards. The main areas currently addressed are:
a) security evaluation criteria;
b) methodology for application of the criteria;
c) security functional and assurance specification of IT systems, components and
products;
d) testing methodology for determination of security functional and assurance
conformance;
e) administrative procedures for testing, evaluation, certification, and accreditation
schemes.
More information is available from the Subcommittee Secretariat and there is an official SC 27 web site.
The last meeting of SC 27 WG 3 was held in Nairobi, Kenya between 10th and 14th October 2011. The official meeting report will be found in document N10297 (available from the Panel Convenor). The next meeting is in Stockholm, Sweden between 7th and 11th May 2012. A Draft Agenda for this meeting is available from the Panel Convenor. The Convenor of SC 27 WG 3 is Miguel Bañón from Spain and the Secretary is Bertolt Krüger from Germany.
The main task of SC 27 WG 3 (and thus IST/33/-/3) has been to produce an ISO/IEC standard corresponding to the "Common Criteria" (CC), the large and rather complex IT security evaluation criteria originally developed by Government agencies in six North American and European Union countries as a replacement for their current national or EEA criteria. The WG3 version of the Common Criteria has now been adopted as an official International Standard, ISO/IEC 15408. The latest edition (2008/09) can be purchased in printed form from BSI, and is also available from ISO in Geneva. It can also be downloaded free of charge as a pdf file from http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html.
Of course, Parts 2 and 3 of the Common Criteria are now at Version 3.1 Release 3. It has been a continual problem finding the best way to update ISO/IEC 15408 to match these minor changes to the Common Criteria. WG 3 decided in Redmond to update the 2008 versions of ISO/IEC 15408 Parts 2 and 3 through the publication of Technical Corrigenda to these Parts. These have now been published as ISO/IEC 15408:2011 (Third Edition, Corrected Version).
There is also an Evaluation Methodology Standard, ISO/IEC 18045, to match the Common Evaluation Methodology (CEM). It has been updated to match CEM Version 3.1 Release 3 and published as ISO/IEC 18045:2011 (Second Edition, Corrected Version).
WG 3 currently has a Project, ISO/IEC TR 20004, Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18045, to look into a practical problem associated with ISO/IEC 15408 and the Common Criteria, namely the relationship between those development and evaluation processes dealing with the analysis of potential attacks and the CAPEC public catalogue of attack patterns being developed by MITRE in the US under sponsorship from the Department of Homeland Security. The original name of this Project was rather misleading, and so was changed to "Refining Software Vulnerability Analysis under ISO/IEC 15408 and ISO/IEC 18045". A Draft Technical Report ballot has just closed.
ISO and IEC sponsor a register of Protection Profiles, although this is currently inactive. In October 2007 a proposal from Centro Criptológico Nacional of Spain, who host the Common Criteria Portal Register, to take over the ISO Register was endorsed. This proposal never completed the ISO approval process, and it has been withdrawn. The International Standard that defines the operation of this register, ISO/IEC 15292, has also now been withdrawn.
For many years, WG 3 concentrated almost exclusively on evaluation criteria. However, there has been a significant change in recent years and a number of other standards have been prepared, dealing with, for example, the security assessment of operational systems, security requirements for cryptographic modules and a framework for security evaluation and testing of biometric technologies. This is reflected in the recent change of WG name.
WG 3 has prepared a three-part Technical Report (an official document, but not a standard) describing Security Assurance. This is ISO/IEC TR 15443, A Framework for IT Security Assurance. It can be purchased from ISO or through BSI. This report is under revision; it is proposed to reduce it from a three part to two part Report. Third Working Drafts of both replacement parts have been circulated for comment.
ISO/IEC 19790, Security Requirements for Cryptographic Modules, is closely related to American Federal Standard FIPS 140-2, but with a number of ambiguities removed and approved algorithms specified in terms of ISO standards. It can be purchased from BSI or ISO. ISO/IEC 19790 is currently being revised, following the technical content of proposed FIPS 140-3. A First Committee Draft has recently been balloted, with no disapprovals and no major technical comments. In consequence, the revision has been advanced to Draft International Standard (DIS). The DIS ballot is currently in progress.
ISO/IEC 19790 is supported by ISO/IEC 24759, Test Requirements for Cryptographic Modules. This is also undergoing revision, with a second Working Draft recently circulated.
ISO/IEC 17825 addresses testing methods for the mitigation of non-invasive attack classes against cryptographic modules. This supports the current revision of ISO/IEC 19790. A First Working Draft has been circulated.
ISO/IEC TR 19791, Security Assessment of Operational Systems, is a Technical Report expanding the scope of ISO/IEC 15408 to systems evaluation, first published in 2006. It can be purchased from BSI or ISO. ISO/IEC TR 19791 is compatible with ISO/IEC 15408:2008 and CC Version 3.1.
Project 19792, Security Evaluation of Biometrics, progressed more slowly, but has now been published as an International Standard. It can be purchased from BSI or ISO. Biometrics is a difficult technical area, and the commenting process exposed significant technical problems in early drafts.
WG 3 is responsible for a very popular Technical Report, TR 15446, Guide to the Production of Protection Profiles and Security Targets. There is a separate section concerning this report later on this page. This has been updated to match ISO/IEC 15408:2008.
WG 3 is also responsible for ISO/IEC 21827, Systems Security Engineering - Capability Maturity Model. The latest edition is available for purchase from BSI and ISO. It should be available for free download from ISO at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html, but at present this still offers an older (2002) version. The 2008 version has recently been confirmed without changes. This means it will remain valid until at least 2014.
WG 3 also developed ISO/IEC 29128, Verification of Cryptographic Protocols. Standards already existed for the specification of cryptographic algorithms, and for the implementation and test of cryptographic devices and modules. However, there was a gap between the algorithm and its implementation in communication between entities. There were no standards or generally accepted processes for the assessment of the protocols used in such communication, and this Project filled the gap. It recently completed its development process and has now been published as an International Standard.
Project 29147, Vulnerability Disclosure, is an attempt to develop a standard for managing controlled publication of information concerning suspected defects in software products. At the moment, there is no generally agreed process that should be followed when researchers or users identify vulnerabilities in commercial software. Likewise, there is no consensus on how software vendors or vulnerability identification tool developers should respond to such information. The comment period on the Second Committee Draft has now closed. A preliminary version of the next Committee Draft was circulated for comment only. A further draft for comment has been circulated.
A decision was made at the Berlin meeting to split off the portion of this standard dealing with vulnerability handling by vendors into a separate Project; this is ISO/IEC 30111. A Second Working Draft for this portion has been circulated.
Project 29193, Secure system engineering principles and techniques, is a new Technical Report dealing the development of secure products. The work has been going well, and a first Preliminary Draft Technical Report (PDTR) was issued. Two further drafts have been circulated for comment.
Project ISO/IEC 30104 deals with physical security attacks, mitigation techniques and security requirements. A Third Working Draft has been circulated for comment.
WG 3 is responsible for the maintenance of ISO/IEC 11889, a standard covering Trusted Platform Modules. This was developed by the Trusted Computing Group (TCG), a vendor-neutral industry group with interests in trusted computing building blocks, and approved as an ISO/IEC standard through the Publicly Available Specification transposition process. WG 3 works with the Trusted Computing Group in handling defect reports and error corrections relating to this standard, although there is currently some disagreement as to how this should be done. The TCG is expected to offer a replacement standard shortly.
The published version of current ISO/IEC 11889 is downloadable from the ISO web site free of charge.
Finally, a new WG 3 Project has been approved, to address software penetration testing using ISO/IEC 15408. This will be ISO/IEC 30127.
The Convenor of IST/33/-/3 is Mike Nash. He can always be contacted for any further information needed on any of these topics.
The latest versions of ISO/IEC 15408 and ISO/IEC 18045 are available for free downloading from the ITTF area of the ISO web site. Go to http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html, and scroll down until you come to the relevant entries.
This very useful ISO/IEC Technical Report (usually referred to as the PPST Guide) on preparing Protection Profiles and Security Targets has been revised to bring it into line with modern methods of preparing for evaluation and the recent changes to the evaluation criteria, and can be purchased from ISO or National Bodies. It contains guidance and advice that anyone faced with the task of producing a CC or ISO/IEC 15408 Protection Profile or Security Target for the first time will find useful. The previous version, matching ISO/IEC 15408:1999 and Common Criteria Version 2.3, is available for free - and legal - downloading from the ITTF web site. Look for entry TR 15446 at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html. Due to changes in the policy concerning no-cost availability of standards, it is very unlikely that the published version of TR 15446:2009 will ever be available for free downloading. If you want to buy it, it is available from BSI at a list price of £180.00. The ISBN is 978 0 580 56212 9.
You can download the final draft of the revised version here. This is a complete document - despite the warnings on the cover sheet! Only minor changes were made before final publication. You can find a list of these here.
Historically, this site provided hotlinks so that current open access documents could be downloaded directly. However, the changes introduced by JTC 1 to simplify document access have made this unsustainable. Documents are not necessarily issued in numerical order, making reconciliation difficult (for example, the Berlin Agenda was N9273; the report of the meeting N9079). Some numbers are allocated but not used. And, although it ought to be possible to access open access documents on the ISO servers "without restrictions or passwords required" (to quote from JTC 1 SD 12, the electronic document rules), this currently is not so, adding a further administrative burden which can no longer be supported.
For the moment, documents are distributed by email upon request only, by request to the Panel Convenor. It is no longer practicable to keep the web page list of current documents up to date. An official list is available on request to the Panel Convenor.
The International CC Project has its own web site at http://www.commoncriteriaportal.org/. This provides access to free copies of the current versions of the Common Criteria and Common Evaluation Methodology, an archive of older versions and interpretations, a discussion forum, and lots more. You can download the latest versions of the Common Criteria from here.
Web space kindly donated by Gamma Secure Systems Limited
BSI IST 33/-/3 pages maintained by webmaster@gammassl.co.uk
Page last updated: April 29, 2012