GISFI_SP_201206241, TEC-GISFI Workshop, 21 June, 2012. Overview and System Security to Security Testing. Company: NEC Corporation. Author(s): Anand R. Prasad, Chairman, Security & Privacy Working Group. Contact: [email protected]. Purpose: Discussion. Document#: GISFI_SP_201206241
Security Testing Requirements
• Companies should fulfill ISO 27k security guidelines
• Highest level of security from design, development, deployment and maintenance to running of all communication products and networks
• Security testing of all products and networks based on Indian guidelines set as per Common Criteria (ISO 15408), where testing:
  – is performed by Indian labs from 1 April 2013 onwards
  – is performed yearly
  – labs will be accredited by the Indian government
  – test results will be certified by the Indian government
  – only "type" testing will be done
• Products/networks should fulfill Indian security requirements; the implementation should comply with common security considerations and be implemented as per the standard specification (e.g. 3GPP)
• Duration of testing: A longer time to wait will impact business
• Periodicity of testing: A given product can have monthly software or firmware updates
• Timing of testing: Testing before purchase will mean impact on vendors, while testing after purchase could mean issues for operators/service providers
• Volume of testing, number of points: Type approval, extent/depth of testing to be performed and level of the value chain to be touched
• Human resources: Initially, sufficient people will not be available to perform security tests. Steps to perform tests and develop resources should be a concern
• Cost of testing: The cost of testing will have an impact on the market
• Responsibility for accidents: Do vendors pay for accidents due to certified products? Security threats/attacks mature with time, so there should be consideration from a long-term perspective
• Confidentiality and intellectual property: How can the testing "person" be certified? There is also the issue of escrow.