SlideShare a Scribd company logo

EUCA 22 - Let's harmonize labs competence ISO 19896

Javier Tallón
Javier Tallón

Harmonization on the competence of the different labs/evaluators have been always a topic for discussion in the Cybersecurity Certification community. At ISO level, a new standard has been approved aiming to support this goal: ISO 19896. ISO/IEC 19896 orders the requirements for information security testers and evaluators, including a set of concepts and relationships to understand the competency for individuals performing Common Criteria evaluations. The requirements of this new ISO standard allows verifying that laboratories and personnel have sufficient capacity to handle a Common Criteria evaluation. However, there are some controversial points regarding this ISOs and how to apply it in Common Criteria, which will be explained during the talk. Other topics to be addressed during the talk will be how EUCC, the first European cybersecurity scheme for ICT products, will cover the requirements of this ISO and other related standards.

Technology
1 of 36
Download to read offline
❑ 1. Introduction ❑ 2. ISO/IEC 19896 Structure ❑ 3. ISO/IEC 19896 Part 1 ❑ 4. ISO/IEC 19896 Part 3 ❑ 5. ISO/IEC 19896 Part 3 - Annexes ❑ 6. Conclusions Index ISO/IEC 19896
❑ One important factor in assuring comparability of the results of evaluations is to understand that the evaluation process includes the specification of both objective and subjective assurance measures. ❑ Hence the competence of the individual evaluators is important when the comparability and repeatability of evaluation results are the foundation for mutual recognition Introduction
❑ ISO/IEC 17025 defines some competence requirements: ❑ 6.2.2 The laboratory shall document the competence requirements for each function influencing the results of laboratory activities, including requirements for education, qualification, training, technical knowledge, skills and experience. ❑ 6.2.3 The laboratory shall ensure that the personnel have the competence to perform laboratory activities for which they are responsible and to evaluate the significance of deviations. ❑ 6.2.5 The laboratory shall have procedure(s) and retain records for: ❑ a) determining the competence requirements; ❑ … ❑ f) monitoring competence of personnel. Introduction
❑ ISO/IEC 23532 further refines these requirements: ❑ 6.2.5.1 The evaluation laboratory shall have procedure(s) and retain records for: ❑ a) determining the competence requirements for personnel in ISO/IEC 19896-3; ❑ … ❑ f) monitoring of competence of personnel. ❑ NOTE The laboratory shall review annually the competence of each evaluator for each test method the evaluator is authorized to conduct. The evaluator’s immediate supervisor, or a designee appointed by the Labooratory Director, shall conduct annually an assessment and an observation of performance for each evaluator. A record of the annual review of each evaluator shall be dated and signed by the supervisor and the employee. A description of competency review programs shall be maintained in the management system. Introduction ISO 23532
❑ ISO/IEC 23532 further refines these requirements: ❑ 6.2.6.1 Laboratory evaluator collectively shall have knowledge or experience for any specific technologies upon which an evaluation is conducted in ISO/IEC 19896-3:2018 ❑ 6.2.7 The evaluation laboratory shall maintain a competent administrative and technical personnel appropriate for ISO/IEC 15408- based IT security evaluations. The laboratory shall maintain position descriptions, training records, and resumes for responsible supervisory personnel and laboratory evaluators who influence the outcome of security evaluations. Introduction ISO 23532
❑ ISO 19896 IT security techniques — Competence requirements for information security testers and evaluators — ❑ Part 1 Introduction, concepts and general requirements ❑ Part 2 Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers ❑ Part 3 Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators ISO/IEC 19896 Structure ISO 23532 ISO 19896
❑ Part 1 Introduction, concepts and general requirements ❑ Elements of competence ❑ Competency levels ❑ Measurement of elements of competence ❑ Annex A: Example structures for describing competence requirements ❑ Annex B: Example records of experience and competence ISO/IEC 19896 Structure ISO 23532 ISO 19896
❑ Part3Knowledge,skillsandeffectivenessrequirementsforISO/IEC15408 evaluators ❑ BaselinefortheminimumcompetenceofISO/IEC15408evaluatorsfor eachelementofcompetence(knowledge,skills,experience,…) ❑ AnnexA(informative)Technologytypes:knowledgeandskills ❑ AnnexB(informative)Examplesofknowledgerequiredforevaluating SARs ❑ AnnexC(informative)Examplesofknowledgerequiredforevaluating SFRs ISO/IEC 19896 Structure ISO 23532 ISO 19896
❑ The standard defines 5 elements of competence and 4 competency levels ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 Knowledge Skills Experience Education Effectiveness 1
❑ Elements of competence ❑ Knowledge: facts, information, truths, principles of understanding acquired through experience or education ❑ Of the standard ❑ Of the testing or evaluation methods ❑ Policies and procedures of relevant approval authorities ❑ Of IT product architecture and design in relevant technology areas ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
❑ Elements of competence ❑ Skills: ability to perform a task or activity with a specific intended outcome acquired through education, training, experience or other means ❑ Understanding the boundaries, documentation analysis, selection of appropriate testing methods, calibrating and using tools, build a test environment, performing testing, interpreting results, write reports, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
❑ Elements of competence ❑ Experience: involvement at a practical level with projects related to the field of competence ❑ Education: process of receiving or giving systematic instruction, especially at a school or university ❑ Effectiveness: ability to apply knowledge and skills in a productive manner ❑ Accuracy of test results, ability to repeat, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
❑ Competency levels ❑ Assigned for each competence area of 19896-3 ❑ Level 1 Associate: works under supervision ❑ Level 2 Professional: requires supervision in just a few areas ❑ Level 3 Manager: works unsupervised in most testing or evaluation areas, supervises level 1 and 2 ❑ Level 4 Principal: fully competent for at least one technology area, able to communicate with stakeholders, works unsupervised in all areas, supervise other levels. ❑ Overall level of competency may determine designation of professional capability: Technician/Evaluator/Senior Evaluator/Lead Evaluator ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
❑ Measurements of elements of competence ❑ Measuring is mandatory, how to do it is not mandatory ❑ Knowledge: 19896-3 provides a measurable body of knowledge. ❑ We may decide who will measure: The CAB-CB? The ITSEF? Third parties? ❑ Training records and professional certifications ❑ Skills: ❑ Lab proficiency-testing programme (as required by 17025) ❑ Feedback from other skilled personnel ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
❑ Measurements of elements of competence ❑ Experience: ❑ Records of projects completed ❑ Education: ❑ Certificates issued by organizations recognized as legitimate by the approval authority ❑ Effectiveness: ❑ Time needed, nonconformities, adaptability , accuracy, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
❑ Provides baseline for the minimum competence of ISO/IEC 15408 evaluators for each element of competence (knowledge, skills, experience,…) ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3 Knowledge Skills Experience Education Effectiveness ISO/IEC 15408 & ISO/IEC 18045 For specific SARs For specific SFRs For specific Technologies Assurance Paradigm Information Security
❑ Knowledge: what an evaluator knows and can describe ❑ ISO/IEC 15408 and ISO/IEC 18045 ❑ Terms and definitions ❑ Protection profiles and packages ❑ SFRs and SARs ❑ The evaluation process ❑ Method and activities ❑ The assurance paradigm ❑ The evaluation authority: policies, recognition agreements, supporting documents, … ❑ The evaluation scheme: interpretations, guidance policies, … ❑ The lab and it’s management system: policies, process and procedures; methods; competence requirements. ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
❑ Knowledge: what an evaluator knows and can describe ❑ The technology being evaluated ❑ Common security architectures for each technology type. (See Informative Annex A Technology types: Knowledge and skills, based on classical CC categories). ❑ Protection Profiles, packages and supporting documents ❑ Since it is continually evolving, it is not possible to identify requirements for each technology, but can be obtained through experience. Experience can be developed by: ❑ Education ❑ Working as a trainee ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3 ❑ Working as developer ❑ Performing research
❑ Knowledge: what an evaluator knows and can describe ❑ Each lab may define their technology types and requirements. ❑ Information Security: security principles, attacks, attack potential, SDLC, testing, vulnerabilities, … ❑ Knowledge required for SARs (See Informative Annex B Examples of knowledge for SARs) ❑ Knowledge required for specific SFRs (See Informative Annex C Examples of knowledge for SFRs) ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
❑ Skills: what an evaluator is able to do ❑ Basic evaluation skills ❑ Evaluation methods: sampling, analysis, recording results, … ❑ Evaluation tools: report generation, specialized tools ❑ Core evaluation skills given in ISO/IEC 15408-3 and ISO/IEC 18045 ❑ Evaluation principles: impartiality, objectivity, repeatability, reproducibility ❑ Evaluation methods and activities (knowledge of the ISO 18045 verbs like check/confirm/demonstrate/….) ❑ Skills required when evaluation specific SARs ❑ General: ability to write ORs ❑ For each assurance component specific skills are required (mandatory) ❑ E.g. VAN.3 Flaw hypothesis development ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
❑ Skills: what an evaluator is able to do ❑ Skills required when evaluation specific SFRs (mandatory) ❑ General: ability to understand and test for conformance and search for vulnerabilities ❑ E.g. FCS being able to determine if crypto algorithms and protocols are implemented correctly ❑ Skills needed when evaluating specific technologies. ❑ See Informative Annex A Technology types: Knowledge and skills, based on classical CC categories. ❑ Like in Knowledge, skills can be obtained through experience. ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
❑ Experience ❑ Experience is gained during the first and subsequent evaluations performed by an evaluator. ❑ Also during consultancy or product development ❑ Education ❑ At a minimum ❑ Tertiary education with at least 3 years of IT studies ❑ Experience which provided equivalent knowledge skills and effectiveness ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
❑ Effectiveness ❑ Timely evaluations, e.g. time needed to develop or execute a test ❑ Accurate evaluations, e.g. comments received during validation ❑ Reports contain rationales and references with direct and focused language quickly understandable by the intended reader of the report. ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
❑ Effectiveness ❑ Evaluator shall be able to apply knowledge and skills in a productive manner: aptitude, initiative, enthusiasm, willingness, … ❑ Required evaluation principles: impartiality, objectivity, repeatability, reproducibility ❑ Scheme guidance and procedures are followed ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
❑ Annex A, technology types: knowledge and skills ❑ Knowledge ❑ Knowledge required by evaluators working with specific technologies. List concepts that shall be known by evaluators for each classic CC technology category. ❑ PPs related to technology type ❑ Evaluation methods and activities related to the technology type ❑ Technological standards related to the technology type ❑ The depth of knowledge depends on the assurance classes (e.g. Evaluators doing ALC may require less knowledge) ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
❑ Annex A, technology types: knowledge and skills ❑ Knowledge ❑ E.g. Databases ❑ Concepts of data base management systems architecture ❑ Access control methods ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
❑ Annex A, technology types: knowledge and skills ❑ Skills ❑ Mostly related to ATE ❑ Skills required by evaluators working with specific technologies ❑ Performance of evaluation methods and activities associated with the technology type ❑ Being able to understand related technological standards ❑ Lists the skills that shall be build upon evaluators for each classic CC technology category ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
❑ Annex A, technology types: knowledge and skills ❑ Skills ❑ E.g. Databases ❑ Being able to correctly configure the database management system (DBMS) platforms ❑ Being able to use structure query language (SQL) or other database query languages. ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
❑ Annex B, examples of knowledge for SARs ❑ Minimum knowledge required for each SAR class. E.g. ❑ ADV_ARC.1: ❑ Self-protection property ❑ Domain separation property ❑ Non-bypassability property ❑ Secure architecture and design concepts ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 B
❑ Annex C, examples of knowledge for SFRs ❑ Minimum knowledge required for each SFR class. E.g. ❑ FCO (Communication) Class ❑ Proof origin ❑ Non-repudiation of origin ❑ Non-repudiation of receipt ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 C
ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 B C A Annex A - Informative Technology types SARs SFRs Knowledge Skills Annex B - Informative Annex C - Informative Section 5.3 - Mandatory Section 5.4 - Mandatory
❑ 1.- Define each job position for each evaluator level including the requirements in terms of competence ❑ 2.- Record the education and experience of each evaluator ❑ Validate years of education or experience based on well-known person certifications? ❑ 3.- Track the knowledge you transmit to your team ❑ 4.- Assess the skills through questionnaires ❑ 5.- Evaluate the effectiveness through internal reviews and intercomparisons ❑ 6.- Put it all together! How to implement in 6 easy steps?
❑ The ISO 19896 framework for competency is a good framework but every lab shall define their technology types and knowledge (/skills) requirements because some are kind of ‘artificial’, specially Annex A. ❑ A competence management system can be used just to pass audits, not being really useful. Lab managers already know their evaluators, but this may not scale. Garbage in – Garbage out. ❑ It is difficult to reflect some intangible skills like the “killer instinct” or the skill to report. There is always some subjectivity. Conclusions
jtsec Beyond IT Security Granada & Madrid – Spain hello@jtsec.es www.jtsec.es “Any fool can make something complicated. It takes a genius to make it simple.” Woody Guthrie Contact

Recommended

Webinar-ISO-9001-Back-to-Basics-Internal-Auditing
Webinar-ISO-9001-Back-to-Basics-Internal-AuditingWebinar-ISO-9001-Back-to-Basics-Internal-Auditing
Webinar-ISO-9001-Back-to-Basics-Internal-Auditingmufajzaposh
 
idoc.pub_iatf-auditor-guidepdf.pdf
idoc.pub_iatf-auditor-guidepdf.pdfidoc.pub_iatf-auditor-guidepdf.pdf
idoc.pub_iatf-auditor-guidepdf.pdfUlhasKavathekar
 
BDV Skills Accreditation - EIT labels for professionals
BDV Skills Accreditation - EIT labels for professionalsBDV Skills Accreditation - EIT labels for professionals
BDV Skills Accreditation - EIT labels for professionalsBig Data Value Association
 
IREC ISPQ Informational Webinar Feb 2011
IREC ISPQ Informational Webinar Feb 2011IREC ISPQ Informational Webinar Feb 2011
IREC ISPQ Informational Webinar Feb 2011Interstate Renewable Energy Council
 
Dr. ajmal nasir
Dr. ajmal nasirDr. ajmal nasir
Dr. ajmal nasirKalim Ullah
 
ISO/IEC 17025
ISO/IEC 17025 ISO/IEC 17025
ISO/IEC 17025 Akma Ija
 
What Is Iso/iec 15504
What Is Iso/iec 15504What Is Iso/iec 15504
What Is Iso/iec 15504pax_isp
 
ISO/IEC 15504
ISO/IEC 15504ISO/IEC 15504
ISO/IEC 15504pax_isp
 

Recommended

Webinar-ISO-9001-Back-to-Basics-Internal-Auditing
Webinar-ISO-9001-Back-to-Basics-Internal-AuditingWebinar-ISO-9001-Back-to-Basics-Internal-Auditing
Webinar-ISO-9001-Back-to-Basics-Internal-Auditingmufajzaposh
 
idoc.pub_iatf-auditor-guidepdf.pdf
idoc.pub_iatf-auditor-guidepdf.pdfidoc.pub_iatf-auditor-guidepdf.pdf
idoc.pub_iatf-auditor-guidepdf.pdfUlhasKavathekar
 
BDV Skills Accreditation - EIT labels for professionals
BDV Skills Accreditation - EIT labels for professionalsBDV Skills Accreditation - EIT labels for professionals
BDV Skills Accreditation - EIT labels for professionalsBig Data Value Association
 
IREC ISPQ Informational Webinar Feb 2011
IREC ISPQ Informational Webinar Feb 2011IREC ISPQ Informational Webinar Feb 2011
IREC ISPQ Informational Webinar Feb 2011Interstate Renewable Energy Council
 
Dr. ajmal nasir
Dr. ajmal nasirDr. ajmal nasir
Dr. ajmal nasirKalim Ullah
 
ISO/IEC 17025
ISO/IEC 17025 ISO/IEC 17025
ISO/IEC 17025 Akma Ija
 
What Is Iso/iec 15504
What Is Iso/iec 15504What Is Iso/iec 15504
What Is Iso/iec 15504pax_isp
 
ISO/IEC 15504
ISO/IEC 15504ISO/IEC 15504
ISO/IEC 15504pax_isp
 
ISO/IEC 15504
ISO/IEC 15504ISO/IEC 15504
ISO/IEC 15504pax_isp
 
Quality in assessment
Quality in assessmentQuality in assessment
Quality in assessmentACPET Professional Development
 
ISO 27034 Lead Auditor - Four Page Brochure
ISO 27034 Lead Auditor - Four Page Brochure ISO 27034 Lead Auditor - Four Page Brochure
ISO 27034 Lead Auditor - Four Page Brochure PECB
 
ISO 27034 Lead Implementer - Four Page Brochure
ISO 27034 Lead Implementer - Four Page Brochure ISO 27034 Lead Implementer - Four Page Brochure
ISO 27034 Lead Implementer - Four Page Brochure PECB
 
ISO 27034 Lead Auditor - Two Page Brochure
ISO 27034 Lead Auditor - Two Page Brochure ISO 27034 Lead Auditor - Two Page Brochure
ISO 27034 Lead Auditor - Two Page Brochure PECB
 
Applying quality-standard (css)
Applying quality-standard (css)Applying quality-standard (css)
Applying quality-standard (css)Bong Bandola
 
ISO17025 Accreditation Procedures and Process
ISO17025 Accreditation Procedures and Process ISO17025 Accreditation Procedures and Process
ISO17025 Accreditation Procedures and Process Abdul Rahman
 
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”GoQA
 
Competency standards development in Bangladesh
Competency standards development in Bangladesh Competency standards development in Bangladesh
Competency standards development in Bangladesh Md . Amir Hossain
 
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...GoQA
 
ISO 29001 Lead Auditor - Two Page Brochure
ISO 29001 Lead Auditor - Two Page Brochure ISO 29001 Lead Auditor - Two Page Brochure
ISO 29001 Lead Auditor - Two Page Brochure PECB
 
Quality Manual
Quality ManualQuality Manual
Quality ManualFirasMfarrej
 
ISO 39001 Lead Auditor - Four Page Brochure
ISO 39001 Lead Auditor - Four Page Brochure ISO 39001 Lead Auditor - Four Page Brochure
ISO 39001 Lead Auditor - Four Page Brochure PECB
 
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdf
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdfPetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdf
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdfPetroSync Global
 
ISO 13485 Lead Auditor - Four Page Brochure
ISO 13485 Lead Auditor - Four Page Brochure ISO 13485 Lead Auditor - Four Page Brochure
ISO 13485 Lead Auditor - Four Page Brochure PECB
 
Guidelines to Audit Validation Packages_RGA
Guidelines to Audit Validation Packages_RGAGuidelines to Audit Validation Packages_RGA
Guidelines to Audit Validation Packages_RGARosnelma García
 
ISO 39001 Lead Auditor - Two Page Brochure
ISO 39001 Lead Auditor - Two Page Brochure ISO 39001 Lead Auditor - Two Page Brochure
ISO 39001 Lead Auditor - Two Page Brochure PECB
 
ISO 13485 Lead Implementer - Four Page Brochure
ISO 13485 Lead Implementer - Four Page BrochureISO 13485 Lead Implementer - Four Page Brochure
ISO 13485 Lead Implementer - Four Page BrochurePECB
 
Setting up Center of Excellence for QA in Healthcare
Setting up Center of Excellence for QA in HealthcareSetting up Center of Excellence for QA in Healthcare
Setting up Center of Excellence for QA in HealthcareCitiusTech
 
CV KDueñas Oct 2015_2
CV KDueñas Oct 2015_2CV KDueñas Oct 2015_2
CV KDueñas Oct 2015_2Karina Duenas
 
Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
 

More Related Content

Similar to EUCA 22 - Let's harmonize labs competence ISO 19896

ISO/IEC 15504
ISO/IEC 15504ISO/IEC 15504
ISO/IEC 15504pax_isp
 
ISO 27034 Lead Auditor - Four Page Brochure
ISO 27034 Lead Auditor - Four Page Brochure ISO 27034 Lead Auditor - Four Page Brochure
ISO 27034 Lead Auditor - Four Page Brochure PECB
 
ISO 27034 Lead Implementer - Four Page Brochure
ISO 27034 Lead Implementer - Four Page Brochure ISO 27034 Lead Implementer - Four Page Brochure
ISO 27034 Lead Implementer - Four Page Brochure PECB
 
ISO 27034 Lead Auditor - Two Page Brochure
ISO 27034 Lead Auditor - Two Page Brochure ISO 27034 Lead Auditor - Two Page Brochure
ISO 27034 Lead Auditor - Two Page Brochure PECB
 
Applying quality-standard (css)
Applying quality-standard (css)Applying quality-standard (css)
Applying quality-standard (css)Bong Bandola
 
ISO17025 Accreditation Procedures and Process
ISO17025 Accreditation Procedures and Process ISO17025 Accreditation Procedures and Process
ISO17025 Accreditation Procedures and Process Abdul Rahman
 
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”GoQA
 
Competency standards development in Bangladesh
Competency standards development in Bangladesh Competency standards development in Bangladesh
Competency standards development in Bangladesh Md . Amir Hossain
 
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...GoQA
 
ISO 29001 Lead Auditor - Two Page Brochure
ISO 29001 Lead Auditor - Two Page Brochure ISO 29001 Lead Auditor - Two Page Brochure
ISO 29001 Lead Auditor - Two Page Brochure PECB
 
ISO 39001 Lead Auditor - Four Page Brochure
ISO 39001 Lead Auditor - Four Page Brochure ISO 39001 Lead Auditor - Four Page Brochure
ISO 39001 Lead Auditor - Four Page Brochure PECB
 
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdf
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdfPetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdf
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdfPetroSync Global
 
ISO 13485 Lead Auditor - Four Page Brochure
ISO 13485 Lead Auditor - Four Page Brochure ISO 13485 Lead Auditor - Four Page Brochure
ISO 13485 Lead Auditor - Four Page Brochure PECB
 
Guidelines to Audit Validation Packages_RGA
Guidelines to Audit Validation Packages_RGAGuidelines to Audit Validation Packages_RGA
Guidelines to Audit Validation Packages_RGARosnelma García
 
ISO 39001 Lead Auditor - Two Page Brochure
ISO 39001 Lead Auditor - Two Page Brochure ISO 39001 Lead Auditor - Two Page Brochure
ISO 39001 Lead Auditor - Two Page Brochure PECB
 
ISO 13485 Lead Implementer - Four Page Brochure
ISO 13485 Lead Implementer - Four Page BrochureISO 13485 Lead Implementer - Four Page Brochure
ISO 13485 Lead Implementer - Four Page BrochurePECB
 
Setting up Center of Excellence for QA in Healthcare
Setting up Center of Excellence for QA in HealthcareSetting up Center of Excellence for QA in Healthcare
Setting up Center of Excellence for QA in HealthcareCitiusTech
 
CV KDueñas Oct 2015_2
CV KDueñas Oct 2015_2CV KDueñas Oct 2015_2
CV KDueñas Oct 2015_2Karina Duenas
 

Similar to EUCA 22 - Let's harmonize labs competence ISO 19896 (20)

ISO/IEC 15504
ISO/IEC 15504ISO/IEC 15504
ISO/IEC 15504
 
Quality in assessment
Quality in assessmentQuality in assessment
Quality in assessment
 
ISO 27034 Lead Auditor - Four Page Brochure
ISO 27034 Lead Auditor - Four Page Brochure ISO 27034 Lead Auditor - Four Page Brochure
ISO 27034 Lead Auditor - Four Page Brochure
 
ISO 27034 Lead Implementer - Four Page Brochure
ISO 27034 Lead Implementer - Four Page Brochure ISO 27034 Lead Implementer - Four Page Brochure
ISO 27034 Lead Implementer - Four Page Brochure
 
ISO 27034 Lead Auditor - Two Page Brochure
ISO 27034 Lead Auditor - Two Page Brochure ISO 27034 Lead Auditor - Two Page Brochure
ISO 27034 Lead Auditor - Two Page Brochure
 
Applying quality-standard (css)
Applying quality-standard (css)Applying quality-standard (css)
Applying quality-standard (css)
 
ISO17025 Accreditation Procedures and Process
ISO17025 Accreditation Procedures and Process ISO17025 Accreditation Procedures and Process
ISO17025 Accreditation Procedures and Process
 
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”
РАМЕЛЛА БАСЕНКО ISTQB® Streams “Core&Agile”
 
Competency standards development in Bangladesh
Competency standards development in Bangladesh Competency standards development in Bangladesh
Competency standards development in Bangladesh
 
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...
КАТЕРИНА АБЗЯТОВА - Certify with confidence: ISTQB Foundation 4.0. Common err...
 
ISO 29001 Lead Auditor - Two Page Brochure
ISO 29001 Lead Auditor - Two Page Brochure ISO 29001 Lead Auditor - Two Page Brochure
ISO 29001 Lead Auditor - Two Page Brochure
 
Quality Manual
Quality ManualQuality Manual
Quality Manual
 
ISO 39001 Lead Auditor - Four Page Brochure
ISO 39001 Lead Auditor - Four Page Brochure ISO 39001 Lead Auditor - Four Page Brochure
ISO 39001 Lead Auditor - Four Page Brochure
 
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdf
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdfPetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdf
PetroSync_-_Certified_Maintenance__Reliability_Professionals_2023 (1).pdf
 
ISO 13485 Lead Auditor - Four Page Brochure
ISO 13485 Lead Auditor - Four Page Brochure ISO 13485 Lead Auditor - Four Page Brochure
ISO 13485 Lead Auditor - Four Page Brochure
 
Guidelines to Audit Validation Packages_RGA
Guidelines to Audit Validation Packages_RGAGuidelines to Audit Validation Packages_RGA
Guidelines to Audit Validation Packages_RGA
 
ISO 39001 Lead Auditor - Two Page Brochure
ISO 39001 Lead Auditor - Two Page Brochure ISO 39001 Lead Auditor - Two Page Brochure
ISO 39001 Lead Auditor - Two Page Brochure
 
ISO 13485 Lead Implementer - Four Page Brochure
ISO 13485 Lead Implementer - Four Page BrochureISO 13485 Lead Implementer - Four Page Brochure
ISO 13485 Lead Implementer - Four Page Brochure
 
Setting up Center of Excellence for QA in Healthcare
Setting up Center of Excellence for QA in HealthcareSetting up Center of Excellence for QA in Healthcare
Setting up Center of Excellence for QA in Healthcare
 
CV KDueñas Oct 2015_2
CV KDueñas Oct 2015_2CV KDueñas Oct 2015_2
CV KDueñas Oct 2015_2
 

More from Javier Tallón

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIJavier Tallón
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Javier Tallón
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?Javier Tallón
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNJavier Tallón
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and productsJavier Tallón
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...Javier Tallón
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfJavier Tallón
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaJavier Tallón
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...Javier Tallón
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesJavier Tallón
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045Javier Tallón
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?Javier Tallón
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Javier Tallón
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2Javier Tallón
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...Javier Tallón
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...Javier Tallón
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria Javier Tallón
 

More from Javier Tallón (20)

Evolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio IIEvolucionando la evaluación criptográfica - Episodio II
Evolucionando la evaluación criptográfica - Episodio II
 
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
Cómo evaluar soluciones biométricas para incluir productos de videoidentifica...
 
ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
 
ICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCNICCC23 -The new cryptographic evaluation methodology created by CCN
ICCC23 -The new cryptographic evaluation methodology created by CCN
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...La ventaja de implementar una solución de ciberseguridad certificada por el C...
La ventaja de implementar una solución de ciberseguridad certificada por el C...
 
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdfEUCA23 - Evolution of cryptographic evaluation in Europe.pdf
EUCA23 - Evolution of cryptographic evaluation in Europe.pdf
 
Hacking your jeta.pdf
Hacking your jeta.pdfHacking your jeta.pdf
Hacking your jeta.pdf
 
Evolucionado la evaluación Criptográfica
Evolucionado la evaluación CriptográficaEvolucionado la evaluación Criptográfica
Evolucionado la evaluación Criptográfica
 
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
España y CCN como referentes en la evaluación de ciberseguridad de soluciones...
 
EUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemesEUCA22 Panel Discussion: Differences between lightweight certification schemes
EUCA22 Panel Discussion: Differences between lightweight certification schemes
 
EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045EUCA22 - Patch Management ISO_IEC 15408 & 18045
EUCA22 - Patch Management ISO_IEC 15408 & 18045
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?
 
Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?Is Automation Necessary for the CC Survival?
Is Automation Necessary for the CC Survival?
 
CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2CCCAB tool - Making CABs life easy - Chapter 2
CCCAB tool - Making CABs life easy - Chapter 2
 
2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...2022 CC Statistics report: will this year beat last year's record number of c...
2022 CC Statistics report: will this year beat last year's record number of c...
 
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
CCCAB, la apuesta europea por la automatización de los Organismos de Certific...
 
Automating Common Criteria
Automating Common Criteria Automating Common Criteria
Automating Common Criteria
 

Recently uploaded

Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 

Recently uploaded (20)

Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 

EUCA 22 - Let's harmonize labs competence ISO 19896

  • 1.
  • 2.
  • 3. ❑ 1. Introduction ❑ 2. ISO/IEC 19896 Structure ❑ 3. ISO/IEC 19896 Part 1 ❑ 4. ISO/IEC 19896 Part 3 ❑ 5. ISO/IEC 19896 Part 3 - Annexes ❑ 6. Conclusions Index ISO/IEC 19896
  • 4. ❑ One important factor in assuring comparability of the results of evaluations is to understand that the evaluation process includes the specification of both objective and subjective assurance measures. ❑ Hence the competence of the individual evaluators is important when the comparability and repeatability of evaluation results are the foundation for mutual recognition Introduction
  • 5. ❑ ISO/IEC 17025 defines some competence requirements: ❑ 6.2.2 The laboratory shall document the competence requirements for each function influencing the results of laboratory activities, including requirements for education, qualification, training, technical knowledge, skills and experience. ❑ 6.2.3 The laboratory shall ensure that the personnel have the competence to perform laboratory activities for which they are responsible and to evaluate the significance of deviations. ❑ 6.2.5 The laboratory shall have procedure(s) and retain records for: ❑ a) determining the competence requirements; ❑ … ❑ f) monitoring competence of personnel. Introduction
  • 6. ❑ ISO/IEC 23532 further refines these requirements: ❑ 6.2.5.1 The evaluation laboratory shall have procedure(s) and retain records for: ❑ a) determining the competence requirements for personnel in ISO/IEC 19896-3; ❑ … ❑ f) monitoring of competence of personnel. ❑ NOTE The laboratory shall review annually the competence of each evaluator for each test method the evaluator is authorized to conduct. The evaluator’s immediate supervisor, or a designee appointed by the Labooratory Director, shall conduct annually an assessment and an observation of performance for each evaluator. A record of the annual review of each evaluator shall be dated and signed by the supervisor and the employee. A description of competency review programs shall be maintained in the management system. Introduction ISO 23532
  • 7. ❑ ISO/IEC 23532 further refines these requirements: ❑ 6.2.6.1 Laboratory evaluator collectively shall have knowledge or experience for any specific technologies upon which an evaluation is conducted in ISO/IEC 19896-3:2018 ❑ 6.2.7 The evaluation laboratory shall maintain a competent administrative and technical personnel appropriate for ISO/IEC 15408- based IT security evaluations. The laboratory shall maintain position descriptions, training records, and resumes for responsible supervisory personnel and laboratory evaluators who influence the outcome of security evaluations. Introduction ISO 23532
  • 8. ❑ ISO 19896 IT security techniques — Competence requirements for information security testers and evaluators — ❑ Part 1 Introduction, concepts and general requirements ❑ Part 2 Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers ❑ Part 3 Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators ISO/IEC 19896 Structure ISO 23532 ISO 19896
  • 9. ❑ Part 1 Introduction, concepts and general requirements ❑ Elements of competence ❑ Competency levels ❑ Measurement of elements of competence ❑ Annex A: Example structures for describing competence requirements ❑ Annex B: Example records of experience and competence ISO/IEC 19896 Structure ISO 23532 ISO 19896
  • 10. ❑ Part3Knowledge,skillsandeffectivenessrequirementsforISO/IEC15408 evaluators ❑ BaselinefortheminimumcompetenceofISO/IEC15408evaluatorsfor eachelementofcompetence(knowledge,skills,experience,…) ❑ AnnexA(informative)Technologytypes:knowledgeandskills ❑ AnnexB(informative)Examplesofknowledgerequiredforevaluating SARs ❑ AnnexC(informative)Examplesofknowledgerequiredforevaluating SFRs ISO/IEC 19896 Structure ISO 23532 ISO 19896
  • 11. ❑ The standard defines 5 elements of competence and 4 competency levels ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 Knowledge Skills Experience Education Effectiveness 1
  • 12. ❑ Elements of competence ❑ Knowledge: facts, information, truths, principles of understanding acquired through experience or education ❑ Of the standard ❑ Of the testing or evaluation methods ❑ Policies and procedures of relevant approval authorities ❑ Of IT product architecture and design in relevant technology areas ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 13. ❑ Elements of competence ❑ Skills: ability to perform a task or activity with a specific intended outcome acquired through education, training, experience or other means ❑ Understanding the boundaries, documentation analysis, selection of appropriate testing methods, calibrating and using tools, build a test environment, performing testing, interpreting results, write reports, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 14. ❑ Elements of competence ❑ Experience: involvement at a practical level with projects related to the field of competence ❑ Education: process of receiving or giving systematic instruction, especially at a school or university ❑ Effectiveness: ability to apply knowledge and skills in a productive manner ❑ Accuracy of test results, ability to repeat, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 15. ❑ Competency levels ❑ Assigned for each competence area of 19896-3 ❑ Level 1 Associate: works under supervision ❑ Level 2 Professional: requires supervision in just a few areas ❑ Level 3 Manager: works unsupervised in most testing or evaluation areas, supervises level 1 and 2 ❑ Level 4 Principal: fully competent for at least one technology area, able to communicate with stakeholders, works unsupervised in all areas, supervise other levels. ❑ Overall level of competency may determine designation of professional capability: Technician/Evaluator/Senior Evaluator/Lead Evaluator ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 16. ❑ Measurements of elements of competence ❑ Measuring is mandatory, how to do it is not mandatory ❑ Knowledge: 19896-3 provides a measurable body of knowledge. ❑ We may decide who will measure: The CAB-CB? The ITSEF? Third parties? ❑ Training records and professional certifications ❑ Skills: ❑ Lab proficiency-testing programme (as required by 17025) ❑ Feedback from other skilled personnel ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 17. ❑ Measurements of elements of competence ❑ Experience: ❑ Records of projects completed ❑ Education: ❑ Certificates issued by organizations recognized as legitimate by the approval authority ❑ Effectiveness: ❑ Time needed, nonconformities, adaptability , accuracy, … ISO/IEC 19896 Part 1 ISO 23532 ISO 19896 1
  • 18. ❑ Provides baseline for the minimum competence of ISO/IEC 15408 evaluators for each element of competence (knowledge, skills, experience,…) ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3 Knowledge Skills Experience Education Effectiveness ISO/IEC 15408 & ISO/IEC 18045 For specific SARs For specific SFRs For specific Technologies Assurance Paradigm Information Security
  • 19. ❑ Knowledge: what an evaluator knows and can describe ❑ ISO/IEC 15408 and ISO/IEC 18045 ❑ Terms and definitions ❑ Protection profiles and packages ❑ SFRs and SARs ❑ The evaluation process ❑ Method and activities ❑ The assurance paradigm ❑ The evaluation authority: policies, recognition agreements, supporting documents, … ❑ The evaluation scheme: interpretations, guidance policies, … ❑ The lab and it’s management system: policies, process and procedures; methods; competence requirements. ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 20. ❑ Knowledge: what an evaluator knows and can describe ❑ The technology being evaluated ❑ Common security architectures for each technology type. (See Informative Annex A Technology types: Knowledge and skills, based on classical CC categories). ❑ Protection Profiles, packages and supporting documents ❑ Since it is continually evolving, it is not possible to identify requirements for each technology, but can be obtained through experience. Experience can be developed by: ❑ Education ❑ Working as a trainee ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3 ❑ Working as developer ❑ Performing research
  • 21. ❑ Knowledge: what an evaluator knows and can describe ❑ Each lab may define their technology types and requirements. ❑ Information Security: security principles, attacks, attack potential, SDLC, testing, vulnerabilities, … ❑ Knowledge required for SARs (See Informative Annex B Examples of knowledge for SARs) ❑ Knowledge required for specific SFRs (See Informative Annex C Examples of knowledge for SFRs) ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 22. ❑ Skills: what an evaluator is able to do ❑ Basic evaluation skills ❑ Evaluation methods: sampling, analysis, recording results, … ❑ Evaluation tools: report generation, specialized tools ❑ Core evaluation skills given in ISO/IEC 15408-3 and ISO/IEC 18045 ❑ Evaluation principles: impartiality, objectivity, repeatability, reproducibility ❑ Evaluation methods and activities (knowledge of the ISO 18045 verbs like check/confirm/demonstrate/….) ❑ Skills required when evaluation specific SARs ❑ General: ability to write ORs ❑ For each assurance component specific skills are required (mandatory) ❑ E.g. VAN.3 Flaw hypothesis development ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 23. ❑ Skills: what an evaluator is able to do ❑ Skills required when evaluation specific SFRs (mandatory) ❑ General: ability to understand and test for conformance and search for vulnerabilities ❑ E.g. FCS being able to determine if crypto algorithms and protocols are implemented correctly ❑ Skills needed when evaluating specific technologies. ❑ See Informative Annex A Technology types: Knowledge and skills, based on classical CC categories. ❑ Like in Knowledge, skills can be obtained through experience. ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 24. ❑ Experience ❑ Experience is gained during the first and subsequent evaluations performed by an evaluator. ❑ Also during consultancy or product development ❑ Education ❑ At a minimum ❑ Tertiary education with at least 3 years of IT studies ❑ Experience which provided equivalent knowledge skills and effectiveness ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 25. ❑ Effectiveness ❑ Timely evaluations, e.g. time needed to develop or execute a test ❑ Accurate evaluations, e.g. comments received during validation ❑ Reports contain rationales and references with direct and focused language quickly understandable by the intended reader of the report. ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 26. ❑ Effectiveness ❑ Evaluator shall be able to apply knowledge and skills in a productive manner: aptitude, initiative, enthusiasm, willingness, … ❑ Required evaluation principles: impartiality, objectivity, repeatability, reproducibility ❑ Scheme guidance and procedures are followed ISO/IEC 19896 Part 3 ISO 23532 ISO 19896 3
  • 27. ❑ Annex A, technology types: knowledge and skills ❑ Knowledge ❑ Knowledge required by evaluators working with specific technologies. List concepts that shall be known by evaluators for each classic CC technology category. ❑ PPs related to technology type ❑ Evaluation methods and activities related to the technology type ❑ Technological standards related to the technology type ❑ The depth of knowledge depends on the assurance classes (e.g. Evaluators doing ALC may require less knowledge) ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
  • 28. ❑ Annex A, technology types: knowledge and skills ❑ Knowledge ❑ E.g. Databases ❑ Concepts of data base management systems architecture ❑ Access control methods ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
  • 29. ❑ Annex A, technology types: knowledge and skills ❑ Skills ❑ Mostly related to ATE ❑ Skills required by evaluators working with specific technologies ❑ Performance of evaluation methods and activities associated with the technology type ❑ Being able to understand related technological standards ❑ Lists the skills that shall be build upon evaluators for each classic CC technology category ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
  • 30. ❑ Annex A, technology types: knowledge and skills ❑ Skills ❑ E.g. Databases ❑ Being able to correctly configure the database management system (DBMS) platforms ❑ Being able to use structure query language (SQL) or other database query languages. ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 A
  • 31. ❑ Annex B, examples of knowledge for SARs ❑ Minimum knowledge required for each SAR class. E.g. ❑ ADV_ARC.1: ❑ Self-protection property ❑ Domain separation property ❑ Non-bypassability property ❑ Secure architecture and design concepts ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 B
  • 32. ❑ Annex C, examples of knowledge for SFRs ❑ Minimum knowledge required for each SFR class. E.g. ❑ FCO (Communication) Class ❑ Proof origin ❑ Non-repudiation of origin ❑ Non-repudiation of receipt ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 C
  • 33. ISO/IEC 19896 Part 3 – Annexes ISO 23532 ISO 19896 3 B C A Annex A - Informative Technology types SARs SFRs Knowledge Skills Annex B - Informative Annex C - Informative Section 5.3 - Mandatory Section 5.4 - Mandatory
  • 34. ❑ 1.- Define each job position for each evaluator level including the requirements in terms of competence ❑ 2.- Record the education and experience of each evaluator ❑ Validate years of education or experience based on well-known person certifications? ❑ 3.- Track the knowledge you transmit to your team ❑ 4.- Assess the skills through questionnaires ❑ 5.- Evaluate the effectiveness through internal reviews and intercomparisons ❑ 6.- Put it all together! How to implement in 6 easy steps?
  • 35. ❑ The ISO 19896 framework for competency is a good framework but every lab shall define their technology types and knowledge (/skills) requirements because some are kind of ‘artificial’, specially Annex A. ❑ A competence management system can be used just to pass audits, not being really useful. Lab managers already know their evaluators, but this may not scale. Garbage in – Garbage out. ❑ It is difficult to reflect some intangible skills like the “killer instinct” or the skill to report. There is always some subjectivity. Conclusions
  • 36. jtsec Beyond IT Security Granada & Madrid – Spain hello@jtsec.es www.jtsec.es “Any fool can make something complicated. It takes a genius to make it simple.” Woody Guthrie Contact