CC, ISO/IEC 15408 Evaluation and Certification Programme - Biometrics devices
With the rapid development of technology in recent years, more and more information and communication systems use personal biometrics for identification and to unlock sensitive information, such as mobile phones, tablets, cash machines, information systems, webcams, and monitoring equipment. According to the definition in the EU GDPR, biometric data is sensitive personal data. As long as a product directly or indirectly processes personal data, that data must be protected as required by law, for example by encryption.
Therefore, the security of biometric devices has received great attention from the European Union Agency for Cybersecurity (ENISA), and, in accordance with the EU Cybersecurity Act, a pan-EU unified cybersecurity certification framework (EU cybersecurity certification framework) has been established for the EU Digital Single Market. Under this certification framework, information and communication products, especially those related to the maintenance and operation of national Critical Infrastructure, will be required to pass the Common Criteria for Information Technology Security Assessment (Cybersecurity Certification: EUCC Candidate Scheme) security technology testing and certification.
In this context, we and the licensed CC testing laboratory accredited by the German Federal Office for Information Security (BSI) are looking for customers who are willing to obtain CC product safety technology certification.
At the same time, we also recommend that customers start with the CC EAL 2 security assurance level as the main certification.
The benefits of this approach include:
- Short time: estimated at about 2 ~ 4 months (the time may vary depending on the Target of Evaluation (TOE));
- High degree of certificate recognition: the certificate is recognized by the European Union and all CCRA member countries;
- Ensuring information security:
  - Data exchange is encrypted with PGP throughout, and only authorized personnel can access it.
  - Developers do not need to provide source code or detailed product hardware design circuit diagrams to ensure information security.
  - The whole process of testing and evaluation is carried out in a certified security laboratory.
For basic information about the service, you can refer to [Common Criteria for IT Security (CC, ISO/IEC 15408) Evaluation and Certification Service]
Suitable for the following candidates:
- Iris recognition developer;
- Facial recognition developer;
  - 2D;
  - 3D;
- Fingerprint recognition developer;
- Vein recognition developer.
Reference criteria
- Protection Profiles (PPs)
  - Biometric Verification Mechanisms Protection Profile, Version 1.3
  - Fingerprint Spoof Detection Protection Profile based on Organisational Security Policies (FSDPP_OSP), Version 1.7
- The logical boundary includes the following minimum security functionalities:
  - Spoof detection;
  - Management;
  - Residual information protection;
  - Audit.
- The TOE physical boundary is illustrated by the following figure.
Services provided
- CC application training;
- Support for TOE developer and technical document preparation;
- Support for developer and production site security certification;
- Support for CC evaluation and certification.
In order to help you clarify the feasibility of the CC evaluation and certification project as soon as possible, please prepare the following information in advance for discussion:
- Overview of the security technology used, and of market and customer requirements (i.e., PP, EAL);
- Product use case, security architecture, guidance document;
- Overview of security functions and specification;
- Overview of product security technology, including hardware, software, and firmware, especially which cryptographic technology is used or certified (i.e., FIPS 140-3).
Philip KU
philip.ku@tksg.global [ PGP Public Key ]
(PGP Fingerprint: BE11 C1CC BFE2 A3A9 4929 3D1C 10FF C3BE A51C 92F7)