IST/33/-/3 is the technical panel that advises the British Standards Institution (BSI) on proposed standards for Information Technology - Security Techniques - Evaluation Criteria for IT Security.
It reports to IST/33, the BSI Standards Committee responsible for IT security techniques. IST/33 sets policy and advises BSI how to respond on behalf of the United Kingdom on ballots on proposed European or International Standards.
Are you looking for a brief overview of Security Evaluation standardisation and the work of Panel 3? Try this presentation (pdf format, truncated form presented at the International Standardisation Forum, Beijing, May 2009).
IST/33/-/3 is exclusively an electronic panel; new information to be considered by members is posted to this web page once available. There are no physical meetings. Comments are distributed and collated by E-mail. Membership of the panel is open to anyone resident in the UK with an interest in standardisation. Contact the Panel Convenor to join.
Under BSI rules, a voluntary charge may be made to cover the costs of running the panel. However, no charge has been made since the panel went electronic more than ten years ago, and there are currently no plans to levy a charge, now or in the future.
The formal way to obtain information on the work of the panel, including electronic notification of new documents, is to join BSI Committee IST/33. This also gives you the right to vote as to whether technical contributions should be put forward, and whether the UK should approve or disapprove formal drafts of standards in this area. For more information, please see the BSI Standards Getting Involved page. It can be pretty difficult to find information on the BSI Standards web pages. If necessary, contact the IST/33 Committee Secretary.
The rules for distribution of documents relating to new Information Technology standards are changing. For security standards, the new rules came into operation from June 1st 2010. From that date, all Working Group documents are downloadable from the ISO server that holds the master copies without registration or passwords being required. Copyright and distribution restrictions will still apply; you will not be able to modify or further distribute documents. However, you will be able to pass on a URL from which the document can be downloaded. The URLs will be available from this web page.
Please follow these conditions. In particular, although you are free to pass on the links on this page, do not pass on downloaded documents to others. Doing so is a breach of the copyright and conditions of use.
This web page also contains links to some historical WG 3 documents held on the Gamma server. If you are a UK resident and interested in standardisation, you may view or download these documents from this page free of charge and formalities. Please observe copyright where applicable.
IST/33/-/3 tracks the work of an International Standards Working Group - the International Organisation for Standardisation - International Electrotechnical Commission Joint Technical Committee 1 Subcommittee 27 Working Group 3: Security Evaluation Criteria. This is commonly called "SC 27 WG 3" for short. This WG is responsible for developing standards for IT security evaluation and certification. More information is available from the Subcommittee Secretariat.
SC 27 has an official web site.
The last meeting of SC 27 WG 3 was held in Melaka, Malaysia between 19th and 23rd April 2010. Yes, some Europeans were unable to attend the meeting due to volcanic air travel restrictions, and others had convoluted journeys. In the circumstances, the Convenor of this Panel had a remarkably smooth journey. An acknowledgement should go to Air Malaysia, who kept flights running from southern Europe throughout. The official meeting report is available here. The next meeting is in Berlin, Germany between 4th and 8th October 2010. A Draft Agenda for this meeting is available here. The Convenor of SC 27 WG 3 is Miguel Bañón from Spain and the Secretary is Bertolt Krüger from Germany.
The main task of SC 27 WG 3 (and thus IST/33/-/3) has been to produce an ISO/IEC standard corresponding to the "Common Criteria" (CC), the large and rather complex IT security evaluation criteria originally developed by Government agencies in six North American and European Union countries as a replacement for their current national or EEA criteria. The WG3 version of the Common Criteria has now been adopted as an official International Standard, ISO/IEC 15408. The latest edition (2008/09) can be purchased in printed form from BSI, and is also available from ISO in Geneva. It can also be downloaded free of charge as a pdf file from http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html.
Of course, Parts 2 and 3 of the Common Criteria are now at Version 3.1 Release 3. It has been a continual problem finding the best way to update ISO/IEC 15408 to match these minor changes to the Common Criteria. WG 3 decided in Redmond to update the 2008 versions of ISO/IEC 15408 Parts 2 and 3 through the publication of Technical Corrigenda to these Parts. The first step of this process, the preparation of a formal Defect Report, was completed at the Redmond meeting. Draft Technical Corrigenda now need to be prepared, and then balloted; an editor has been appointed for this process.
There is also an Evaluation Methodology Standard, ISO/IEC 18045, to match the Common Evaluation Methodology (CEM). It has been updated to match CEM Version 3.1 Release 2 and published as ISO/IEC 18045:2008. It is available for purchase from BSI or ISO. However, only the previous (2005) edition is available for free download from the ISO web site.
For many years, there has been a concern in WG 3 that the ISO/IEC 15408 criteria were inadequate to evaluate certain types of security requirements, in particular functional properties that must hold for the whole of a TOE, but cannot be mapped to individual interfaces of the TOE. A simple example would be that certain sensitive information is not retained within a TOE at all. It is conceptually possible to prove such requirements by examination of the security architecture of the TOE, and this has been done in some evaluations. However, it represents a misuse of the existing architectural assurance criteria, which are neither intended nor designed to be used in this way.
WG 3 held a dedicated drafting meeting to look at this specific problem, with a view to developing and submitting detailed technical solutions to both ISO and the Common Criteria Development Board. These solutions could be radically innovative. This meeting was held in Madrid, Spain on 12th and 13th February 2008. The work was subsequently carried forward, but without any positive conclusion. Recent reprioritisations within the Common Criteria Project mean that this work is unlikely to be taken forward in the foreseeable future.
However, WG 3 has recently started a new Project, ISO/IEC TR 20004, Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18045, to look into a different and urgent problem associated with practical use of ISO/IEC 15408 and the Common Criteria, namely the relationship between those development and evaluation processes dealing with the analysis of potential attacks and the CAPEC public catalogue of attack patterns being developed by MITRE in the US under sponsorship from the Department of Homeland Security. A first Working Draft is currently being prepared.
ISO and IEC sponsor a register of Protection Profiles, although this is currently inactive. In October 2007 a proposal from Centro Criptológico Nacional of Spain, who host the Common Criteria Portal Register, to take over the ISO Register was endorsed. This proposal never completed the ISO approval process, and it has been withdrawn. The International Standard that defines the operation of this register, ISO/IEC 15292, has been recommended for withdrawal.
For many years, WG 3 concentrated almost exclusively on evaluation criteria. However, there has been a significant change in recent years and a number of other standards have been prepared, dealing with, for example, the security assessment of operational systems, security requirements for cryptographic modules and a framework for security evaluation and testing of biometric technologies.
WG 3 has prepared a three-part Technical Report (an official document, but not a standard) describing Security Assurance. This is ISO/IEC TR 15443, A Framework for IT Security Assurance. It can be purchased from ISO or through BSI. Early drafts can be downloaded from the "Documents for Download" section of this web page. This report is now stabilised.
ISO/IEC 19790, Security Requirements for Cryptographic Modules, is closely related to American Federal Standard FIPS 140-2, but with a number of ambiguities removed and approved algorithms specified in terms of ISO standards. It can be purchased from BSI or ISO. ISO/IEC 19790 is currently being revised, following the technical content of proposed FIPS 140-3. A second Working Draft for the revision is now available, and can be downloaded from the ISO servers. It is based upon the November 2009 draft of FIPS 140-3, which is freely available from NIST and has been contributed to the development of ISO/IEC 19790.
ISO/IEC TR 19791, Security Assessment of Operational Systems, is a Technical Report expanding the scope of ISO/IEC 15408 to systems evaluation, published in 2006. It can be purchased from BSI or ISO. ISO/IEC TR 19791 has recently been updated to make it compatible with ISO/IEC 15408:2008 and CC Version 3.1.
Project 19792, Security Evaluation of Biometrics, progressed more slowly, but has now been published as an International Standard. It can be purchased from BSI or ISO. Biometrics is a difficult technical area, and the commenting process exposed significant technical problems in early drafts.
WG 3 is responsible for a very popular Technical Report, TR 15446, Guide to the Production of Protection Profiles and Security Targets. There is a separate section concerning this report later on this page. This has recently been updated to match ISO/IEC 15408:2008.
WG 3 is also responsible for ISO/IEC 21827, Systems Security Engineering - Capability Maturity Model. This has recently been revised and republished and is available for purchase from BSI and ISO. It should be available for free download from ISO at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html, but at present this still offers the old (2002) version.
Project 29128, Verification of Cryptographic Protocols, is a standard under development in a new area. Standards already exist for the specification of cryptographic algorithms, and for the implementation and test of cryptographic devices and modules. However, there is a gap between the algorithm and its implementation in communication between entities. There are no standards or generally accepted processes for the assessment of the protocols used in such communication, and this Project fills the gap. This project has reached Committee Draft stage. The text of the third CD is now available, and can be downloaded from the ISO servers.
Project 29147, Responsible Vulnerability Disclosure, is an attempt to develop a standard for managing controlled publication of information concerning suspected defects in software products. At the moment, there is no generally agreed process that should be followed when researchers or users identify vulnerabilities in commercial software. Likewise, there is no consensus on how software vendors or vulnerability identification tool developers should respond to such information. The First Committee Draft is now available, with a title change to "Vulnerability Disclosure", and can be downloaded from the ISO servers.
Project 29193, Secure system engineering principles and techniques, is a recently approved new Technical Report. A second Working Draft is available, but for copyright reasons only from the Panel Convenor. A third Working Draft is being prepared.
WG 3 has also renewed its study period into Tamper protection requirements and evaluation. The report on the initial study period is available here. There is no report covering the latest period, as no contributions were received. A further call for contributions recently closed. A proposal for a new Project in this area is now available here.
Finally, WG 3 is responsible for the maintenance of ISO/IEC 11889, a new standard covering Trusted Platform Modules. This was developed by the Trusted Computing Group (TCG), a vendor-neutral industry group with interests in trusted computing building blocks, and approved as an ISO/IEC standard through the Publicly Available Specification transposition process. WG 3 will be working with the Trusted Computing Group in handling defect reports and error corrections relating to this standard.
The published version of ISO/IEC 11889:2009 is downloadable from the ISO web site free of charge.
The Convenor of IST/33/-/3 is Mike Nash. He can always be contacted for any further information needed on any of these topics.
The latest versions of ISO/IEC 15408 are available for free downloading from the ITTF area of the ISO web site. Go to http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html, and scroll down until you come to the relevant entries. However, only the prior version of the accompanying methodology standard, ISO/IEC 18045:2005, is freely available.
This very useful ISO/IEC Technical Report (usually referred to as the PPST Guide) on preparing Protection Profiles and Security Targets has been revised to bring it into line with modern methods of preparing for evaluation and the recent changes to the evaluation criteria, and can be purchased from ISO or National Bodies. It contains guidance and advice that anyone faced with the task of producing a CC or ISO/IEC 15408 Protection Profile or Security Target for the first time will find useful. The previous version, matching ISO/IEC 15408:1999 and Common Criteria Version 2.3, is available for free - and legal - downloading from the ITTF web site. Look for entry TR 15446 at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html. Due to changes in the policy concerning no-cost availability of standards, it is very unlikely that the published version of TR 15446:2009 will ever be available for free downloading. If you want to buy it, it is available from BSI at a list price of £180.00. The ISBN is 978 0 580 56212 9.
You can download the final draft of the revised version here. This is a complete document - despite the warnings on the cover sheet! Only minor changes were made before final publication. You can find a list of these here.
Listed below are the WG3 documents officially available for downloading for private use from the ISO server on a "no registration - no password" basis. Please do check with the SC 27 secretariat or copyright holder before using them for other purposes, and please follow the "no onwards distribution" rule. Older documents, if you need them, are available from the Panel Convenor.
A number of documents that should be on this list seem to be not yet available. Given the confusion caused by the absence of the Convenor, Secretary and SC 27 Secretariat from the meeting at Melaka, this is understandable; please bear with us while things are sorted out. A further confusion is that it is no longer possible to revise documents and issue them with the same number; every revision has a new SC 27 number. This makes tracking the status of documents difficult, as resolutions etc. will refer to the original number.
There is a list of document numbers in Annex 2 to the Melaka Minutes. Please contact the Panel Convenor if you have any queries.
The International CC Project has its own web site at http://www.commoncriteriaportal.org/. This provides access to free copies of the current versions of the Common Criteria and Common Evaluation Methodology, an archive of older versions and interpretations, a discussion forum, and lots more. You can download the latest versions of the Common Criteria from here.
Web space kindly donated by Gamma Secure Systems Limited
BSI IST 33/-/3 pages maintained by webmaster@gammassl.co.uk
Page last updated: July 23, 2010