Posts

IT Security Congress

SRC contributes to the German IT Security Congress 2019

IT security as a prereq­uisite for successful digital­i­sation

This is the motto of this year’s German IT Security Congress, which is held every two years by the Federal Office for Infor­mation Security (BSI). The congress will take place from 21 to 23 May 2019 at the Stadthalle Bonn — Bad Godesberg. The aim of this year’s congress is to examine the topic of IT security from different perspec­tives, to present and further develop possible solutions.

SRC is at the German IT Security Congress

As a BSI-approved evalu­ation body for evalu­a­tions according to Common Criteria (CC) and various other technical guide­lines, SRC will also be present with a booth at the German IT Security Congress in 2019. Thus we offer the experts of customers, partners and those of the BSI once again the well-estab­lished contact point at the German IT Security Congress. This concept has proven itself over many years. The stable personal network between the partic­i­pants offers the optimal platform for the transfer of complex technical and regulatory aspects.

SRC expert Sandro Amendola talks about compliance, mobile payment proce­dures and customer authen­ti­cation

The triumphal march of mobile payment proce­dures seems unstop­pable. The legis­lator has also inten­sively considered the security of these proce­dures and the necessary customer authen­ti­cation. Sandro Amendola will talk about “Legal security require­ments for payment proce­dures for customer authen­ti­cation using mobile devices” on Thursday, 23 May 2019 at 11:00 a.m. in the main hall.

Aspects of Common Criteria Certifications

Aspects of Common Criteria Certi­fi­ca­tions — Guest lecture at the Vienna University of Technology

Aspects of Common Criteria Certi­fi­ca­tions — this is the topic of the lecture that the experts of the SRC evalu­ation body for Common Criteria will address at the Vienna University of Technology. The lecture will take place on 10 May 2019 as part of the lecture IT Security in Large IT Infra­struc­tures at the Institute of Infor­mation Systems Engineering.

Common Criteria in science

With the help of Common Criteria for Infor­mation Technology Security Evalu­ation (CC), IT products can be evaluated regarding their security according to general criteria. As an inter­na­tionally recog­nised standard, Common Criteria is of interest to the scien­tific world. Initially, an evalu­ation is carried out by an evalu­ation body accredited by the German Federal Office for Infor­mation Security (BSI). SRC is accredited as such a CC evalu­ation body. The BSI then carries out the certi­fi­cation.

Guest lecture for students

The SRC experts will discuss the Aspects of Common Criteria Certi­fi­ca­tions at first hand. The lecture informs the students about the basic approach for product certi­fi­ca­tions according to Common Criteria. Infra­struc­tures in the European Union that rely on Common Criteria certi­fi­cation will be highlighted. The formal side including the respon­sible certi­fi­cation and recog­nition bodies will also be considered. The comparison of Common Criteria with other concepts concludes the lecture. Certi­fi­ca­tions according to technical guide­lines of the BSI, ISO27001 or the criteria of the Payment Card Industry (PCI) will be considered.

KRITIS 2018

Critical Day 2018 | Knowledge and experience in a lively exchange

The Critical Day

On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange. This is primarily aimed at repre­sen­ta­tives of companies that operate a critical infra­structure (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experi­ences and best practices on IT and physical security of critical infra­struc­tures.

The Schedule

After the arrival of the first partic­i­pants, a lively exchange on the topics began. At the start of the Critical Day, the fully booked hall documented the partic­i­pants’ need for infor­mation.

Top-class speakers gave an overview of the topic KRITIS. Isabel Münch, Head of CK3 and repre­sen­tative of the Federal Office for Infor­mation Security (BSI), explained the proce­dures and processes in the super­visory authority. Randolf Skerka, Head of SRC and respon­sible for the topic of auditing according to §8a (3) BSIG, described the first experi­ences from the perspective of the auditing body. The Klinikum Lünen was the first to provide proof of the audit according to §8a (3) BSIG. Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into the devel­opment of hospital organ­i­sation in prepa­ration for the audit. Prof. Dr. med. Andreas Becker, who made it clear that sound industry expertise is an essential and indis­pensable corner­stone of a meaningful exami­nation, rounded off the morning.

The expert presen­ta­tions gave the partic­i­pants a 360° view of the require­ments of the BSI audits, which were largely and with good reason vaguely formu­lated.

At the end of the morning the visual artist Frank Rogge described his view on the questions of criti­cality in the field of artistic creation.

The afternoon was completely dedicated to the main interests of the partic­i­pants. Under the moder­ation of Jochen Schumacher, co-organiser at SRC, the afternoon was arranged.

The partic­i­pants indepen­dently organized the various contents for nine sessions.

The most signif­icant results of the afternoon

From the session ” Submitting certi­fi­cation findings to the BSI ” it became clear that the BSI does not expect, for example, any “classical” findings or devia­tions formu­lated down to the last technical detail. A roughly described framework of devia­tions and a description of a course of action in the test report is useful. Never­theless, an appro­priate measure must be in place for each risk within a critical infra­structure. This is of enormous impor­tance for the BSI.

The BSI wishes to cooperate closely with the various Kritis companies. The aim is to strengthen the security of IT in Germany.

In the session ” IT Security Awareness in the company ” Ralf Plomann presented the method and imple­men­tation of measures at the Lünen Hospital. The individual approach would be very important here. Every individual in the company would be respon­sible for IT security. In the individual address, every employee would have to be picked up where he is at the moment. According to Plomann, this is especially the case because almost no one would read guide­lines any more. Therefore, more creative approaches should be chosen. Ralf Plomann’s wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the next session, a clear trend towards e‑learning platforms for improving awareness emerged.

In another session, the partic­i­pants focused on the safe and simple defin­ition of the scope. The pyramid model was partic­u­larly favoured in the discussion. The service classified as critical is the best starting point for defining the scope. For example, when it comes to the critical infra­structure of a sewage treatment plant, the defin­ition of the scope requires identi­fying and deter­mining which systems clarify the water, what effects a failure would have and how this failure can be compen­sated by other methods to maintain the critical service.

With this method you system­at­i­cally move to the outer perimeter. If you get to systems that are no longer critical, the limit of the scope is reached.

Conclusion of the first “Critical Day” from SRC’s point of view

An example of the fasci­nating atmos­phere was the contin­u­ation of the bilateral commu­ni­cation of the partic­i­pants between the individual sessions. The feedback proved that the partic­i­pants were able to make many new contacts and gain insights from other KRITIS projects.

The overall positive response of the partic­i­pants shows us as SRC that the Critical Day is a useful hub for the exchange of infor­mation on KRITIS projects between the partic­i­pants. Our thanks goes to all partic­i­pants who contributed funda­men­tally to the success of the Critical Day with their open-mindedness and commitment.

We regard the Critical Day as a successful exper­iment. This motivates us to start preparing for a follow-up event.

EMVCo certification

SRC’s ITSEF laboratory receives extended EMVCo certi­fi­cation

SRC’s certified Common Criteria security laboratory has recently been enriched by another EMVCo certi­fi­cation. The SRC laboratory has long been approved by the German Federal Office for Infor­mation Security (BSI) for the evalu­ation of hardware and software evalu­a­tions for smart cards and similar devices. After SRC has now success­fully evaluated chip hardware of a well-known and also EMVCo certified manufac­turer, EMVCo confirmed the certi­fi­cation of the SRC security laboratory as EMVCo Security Evalu­ation IC laboratory, which is now also listed as such on the EMVCo website, following a review of the latest findings provided within the scope of an IC security evalu­ation project.

Further infor­mation on the certi­fi­ca­tions for SRC by EMVCo can be found here.

Portfolio Items