AW: [IDS] IDS Common Criteria

From: <detmar.liesen(at)lds.nrw.de>
Date: Wed Jan 08 2003 - 03:11:42 EST


FTWAI: (for those who are interested):
Europe has a pendant to CC - the Information Technology Security Evaluation Criteria (ITSEC), which has adopted several thoughts of the Orange Book of CC but is more flexible. In Germany the BSI (www.bsi.de) is the public authority for ITSEC certifications.

BTW: I have once tried to read the orange book but I gave up on the 12th page or so.
This experience was very traumatic for me (shudder).
>8)

However, for stuff like b2b, even private companies nowadays tend to prefer E3/high certified products.

As most of you probably know, in the US and in Germany (I don't know about the others) it's compulsory to protect your business - and thus your IT infrastructure as well - from known threats that could bankrupt you (for those who want to know, I am talking about the German KonTraG act and its consequences).

If you have a security concept and your infrastructure is certified E3/high, you have solid proof that you have taken adequate measures for protecting your business, and this protects you (as a business owner or executive) from being charged for serious negligence, if this is the right term in English. :)
Of course, E3/high certified products do not protect you from harm if your security concept does not include audits and assessments that are performed on a regular basis.

For government security-infrastructure such as firewalls, E3/high is compulsory anyway.

Just my 2 Cents
;)

Cheers,
Detmar Liesen


-----Original Message-----

From: Randy Taylor [mailto:gnu@charm.net]
Sent: Wednesday, 8 January 2003 00:50
To: Talisker; focus-ids@securityfocus.com; ids@mailman.vet.com.au
Subject: Re: [IDS] IDS Common Criteria

At 11:00 PM 1/7/2003 +0000, Talisker wrote:
>Sadly within the public sector installing an IDS isn't merely a question of

You've hit the hidden nail pretty close to its head. The U.S. Government public sector now requires significant Certification and Accreditation (C&A) efforts for any new infrastructure being stood up, and it is in the process of introducing C&A into existing infrastructure. CC product certifications are an integral part of the C&A process now, and they're not going away. The U.S. Military has been doing C&A on their critical infrastructure for as long as I can remember. The point is that post 9/11 pretty much -everything- in the U.S. .gov and .mil network domains is being identified as critical infrastructure.

From the outside-in view, CC and its C&A parent are bureaucratic at best and Byzantine at worst. In the projects I'm involved with these days, I spend as much time on C&A issues as I do on technical issues. I'm seeing the process from the inside. It does get mind-bogglingly complex sometimes, and everyone I know that's involved relieves the pressure with an occasional witty rant or two. My previous humorous comments aside though, C&A has identified weaknesses in infrastructure that would have escaped detection otherwise. C&A has this annoying habit of working.

Sure, the overall process can be improved, and I'm sure it will - but it does what it's supposed to do now. From a structural security perspective, C&A is essential. I wouldn't be surprised to see the commercial sector adopt C&A processes and demand CC certs in the next year or two.

>just my 2c

8)

Randy

Received on Wed Jan 8 20:12:43 2003


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:05 EDT
