ENISA: Standards Supporting Certification
Hello, this is Maruyama Mitsuhiko.
ENISA has published a report on the standards that support certification...
■ ENISA
・2020.11.24 Standards Supporting Certification
・[PDF]
According to the report, it analyses the standards in five areas that already have frameworks, schemes and standards with the potential to be developed into candidate EU cybersecurity certification schemes:
- IoT
- Cloud infrastructure and services
- Financial sector threat-based intelligence
- Electronic health records
- Qualified trust services
It identifies gaps in these standards and makes recommendations on how standardisation bodies could address those gaps, and on how the available standards could be adapted to form the basis of future EU cybersecurity certification schemes...
■ References (only a selection...)
[IoT]
・Eurosmart IoT Certification Scheme
E-IoT-SCS Certification Scheme Process & Policy - This document defines the policies and processes that govern the IoT device certification scheme.
E-IoT-SCS Generic Protection Profile - This document is a generic representation of common security requirements on IoT devices. It is based on a security risk analysis approach of an IoT Device operating in a typical infrastructure without considering a specific type of data or a context for risk calculation. The main output of this document is a list of security goals and requirements qualifying the need to counter security threats identified on a typical IoT device
E-IoT-SCS Evaluation Methodology - Document defining the evaluation activities to be performed by an evaluator, and the links between them, in order to conduct an evaluation properly. It lists the evaluation evidence required to perform the actions defined in the security assurance requirements. It defines the way to report evaluation results in the Evaluation Technical Report and the Observation Report. It also provides rules for defining the verdict and the criteria for failure.
CABs Agreement - Guidelines listing the rules for setting up agreements between CABs and Certification Scheme stakeholders (e.g. other CABs – CAB reviewer, CAB evaluator, NABs, etc.)
CABs Accreditation Policy - Guidelines describing policy for CABs accreditation
[Financial sector threat-based intelligence]
・・2018.08 [PDF] Framework - Services Procurement Guidelines
・・2018.12 [PDF] White Team Guidance - The roles and responsibilities of the White Team in a Threat Intelligence-based Ethical Red Teaming test
・・2020.07 [PDF] Guidance for Target Threat Intelligence Report
・・2020.07 [PDF] Guidance for the Red Team - Test Plan
・・2020.08 [PDF] Guidance for the Red Team - Test Report
・・2020.08 [PDF] Guidance for the TIBER-EU Test Summary Report
Template
・・2020.07 [PDF] Scope Specification Template
・・2020.07 [PDF] TIBER-EU Attestation Template
1 INTRODUCTION
2 CYBERSECURITY ACT
3 INTERNET OF THINGS (IOT)
3.1 IOT LANDSCAPE
3.1.1 Eurosmart cybersecurity certification scheme for IoT
3.1.2 ETSI 303 645
3.1.3 Other relevant frameworks and suggestions
3.2 POTENTIAL CANDIDATE FOR A EUROPEAN
4 ANALYSIS OF THE STANDARDS LANDSCAPE FOR CLOUD SERVICES
4.1 OVERVIEW OF LANDSCAPES
4.2 POTENTIAL CANDIDATE FOR AN EU CYBERSECURITY CERTIFICATION SCHEME FOR CLOUD
5 ANALYSIS OF THE STANDARDS LANDSCAPE FOR THREAT INTELLIGENCE-BASED FRAMEWORK
5.1 OVERVIEW OF THE TIBER-EU FRAMEWORK
5.1.1 History of Threat Intelligence-led Red Teaming Frameworks
5.1.2 Overview of TIBER-EU Framework
5.2 POTENTIAL CANDIDATE EUROPEAN CYBERSECURITY CERTIFICATION SCHEME
5.2.1 Gaps and opportunities for certification schemes
5.2.2 Security objectives of European cybersecurity certification scheme for TIBER-EU
5.2.3 Assurance levels of European cybersecurity certification scheme for TIBER-EU
5.2.4 Security requirements for the cybersecurity certification scheme for TIBER-EU
5.2.5 TIBER-EU certifications for individuals
6 ANALYSIS OF THE STANDARDS LANDSCAPE ON E-HEALTH RECORDS
6.1 OVERVIEW OF LANDSCAPE FOR EHR
6.2 POTENTIAL CANDIDATE CYBERSECURITY CERTIFICATION SCHEME FOR SHARING EHRS
6.2.1 Potential product/service or process that can be evolved to a cybersecurity certification scheme
6.2.2 Assurance levels based on risk assessment
6.2.3 Potential rules/standards for the schemes
7 ANALYSIS OF THE STANDARDS LANDSCAPE IN RELATION TO QUALIFIED TRUST SERVICE PROVIDERS
7.1 OVERVIEW OF EIDAS REGULATION ON QUALIFIED TSP AND TRUST SERVICES
7.1.1 Initiation and supervision
7.1.2 TSP supervisory scheme
7.2 OVERVIEW OF STANDARDS' LANDSCAPE
7.2.1 eIDAS Regulation requirements
7.2.2 ETSI certification scheme
7.2.3 WebTrust for CAs assurance audit
7.2.4 CAB Forum, CAs and browsers
7.2.5 ISO/IEC 27000 series
7.2.6 Identification of gaps in current practice to acquire a qualified status
7.3 POTENTIAL CANDIDATE FOR A CYBERSECURITY CERTIFICATION SCHEME
7.3.1 Potential product/service or process that can be evolved to a cybersecurity certification scheme
7.3.2 Identification of potential rules/standards for the schemes
8 CONCLUSIONS
REFERENCES