iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC 15292:2001

(Main)

Information technology - Security techniques - Protection Profile registration procedures

Information technology - Security techniques - Protection Profile registration procedures

Technologies de l'information — Techniques de sécurité — Procédures d'enregistrement du profil de protection

General Information

Status
Withdrawn
Publication Date
19-Dec-2001
Withdrawal Date
19-Dec-2001
ICS
35.030 - IT Security
35.040 - Information coding
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 3 - Security evaluation, testing and specification
Current Stage
9599 - Withdrawal of International Standard
Completion Date
04-Apr-2011
Ref Project

Relations

Consolidated By
ISO 5764:2009 - Milk — Determination of freezing point — Thermistor cryoscope method (Reference method)
Effective Date
06-Jun-2022

Buy Standard

ISO/IEC 15292:2001 - Information technology - Security techniques - Protection Profile registration proceduresISO/IEC 15292:2001 - Information technology - Security techniques - Protection Profile registration procedures
PreviousNext
Standard
ISO/IEC 15292:2001 - Information technology - Security techniques - Protection Profile registration procedures
English language
14 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 15292
First edition
2001-12-15


Information technology — Security
techniques — Protection Profile
registration procedures
Technologies de l'information — Techniques de sécurité — Procédures
d'enregistrement du profil de protection




Reference number
ISO/IEC 15292:2001(E)
©
 ISO/IEC 2001

---------------------- Page: 1 ----------------------
ISO/IEC 15292:2001(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not
be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this
file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this
area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters
were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event
that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO/IEC 2001
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland

ii © ISO/IEC 2001 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 15292:2001(E)
Contents
1 Scope. 1
2 Normative references . 1
3 Terms and definitions. 1
4 Abbreviations . 3
5 Technical Specifications . 3
5.1 Entry label . 3
5.2 Technical definition (within a register entry). 3
6 The JTC 1 Registration Authority for PPs and packages . 4
6.1 Appointment. 4
6.2 Qualifications. 4
6.3 Contract. 4
6.4 Duties. 4
7 Criteria for eligibility of applicants for registration . 5
8 Information to be included within an application for registration . 5
9 Steps involved in review and response to an application . 7
9.1 Initial processing . 7
9.2 Validation. 7
10 Criteria for rejection of applications for registration . 8
11 Operation of the register . 8
11.1 Notification of obsolescent entries . 8
11.2 Update of draft technical specifications . 8
11.3 Routine review of entries. 8
11.4 Defect notification . 9
11.5 Other requests for update of entries . 9
11.6 Deletion of register entries. 10
12 Maintenance of the register . 10
13 Confidentiality of information held within the register . 10
14 Publication of the register. 10
15 Appeals procedure. 12
Annex A (informative) Benefits of registration. 13
Annex B (informative) Lifecycle of a register entry. 14
© ISO/IEC 2001 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 15292:2001(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in
liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have
established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards
adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15292 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Security techniques.
Annexes A and B of this International Standard are for information only.
iv © ISO/IEC 2001 – All rights reserved

---------------------- Page: 4 ----------------------
INTERNATIONAL STANDARD ISO/IEC 15292:2001(E)

Information technology — Security techniques — Protection
Profile registration procedures
1 Scope
This International Standard defines the procedures to be applied by the JTC 1 Registration Authority appointed by
the ISO and IEC councils to maintain a register of Protection Profiles and packages for the purposes of IT security
evaluation. These Protection Profiles and packages are specified in accordance with criteria given in
ISO/IEC 15408.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of
this International Standard. For dated references, subsequent amendments to, or revisions of, any of these
publications do not apply. However, parties to agreements based on this International Standard are encouraged to
investigate the possibility of applying the most recent editions of the normative documents indicated below. For
undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC
maintain registers of currently valid International Standards.
ISO 15408-1, Information technology — Security techniques — Evaluation criteria for IT security — Part 1:
Introduction and general model
ISO 15408-2, Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security
functionality requirements
ISO 15408-3, Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security
assurance requirements
Procedures for the technical work of ISO/IEC JTC 1
ISO/IEC/ITU ITSIG Guide for the use of IT in the development and delivery of standards
3 Terms and definitions
For the purposes of this International Standard, the following terms and definitions apply.
3.1
applicant
an entity (organisation, individual etc.) which requests the assignment of a register entry and entry label

© ISO/IEC 2001 – All rights reserved                                                              1

---------------------- Page: 5 ----------------------
ISO/IEC 15292:2001(E)
3.2
certificate
a declaration by an independent authority operating in accordance with ISO Guide 58, Calibration and
testing laboratory accreditation systems - General requirements for operation and recognition, confirming
that an evaluation pass statement is valid
3.3
entry label
the naming information that identifies a registered PP or package uniquely
3.4
evaluation pass statement
a statement issued by an organisation that performs evaluations against ISO/IEC 15408 confirming that a
PP has successfully passed assessment against the evaluation criteria given in clause 4 of Part 3 of that
International Standard
3.5
JTC 1 Registration Authority
an organisation appointed by the ISO and IEC councils to register objects in accordance with a JTC 1
procedural Standard
3.6
package
a reusable set of either functional or assurance components combined together to satisfy a set of identified
security objectives (from ISO/IEC 15408-1)
3.7
Protection Profile
an implementation-independent set of security requirements for a category of IT products or systems that
meet specific consumer needs (adapted from ISO/IEC 15408-1)
3.8
register
a set of files (electronic, or a combination of electronic and paper) containing entry labels and their
associated definitions and related information
3.9
register entry
the information within a register relating to a specific PP or package
3.10
registration
the process of assigning a register entry
3.11
Security Target
a set of security requirements and specifications to be used as the basis for evaluation of an identified IT
product or system (adapted from ISO/IEC 15408-1)
3.12
sponsor
an entity (organisation, individual etc.) responsible for the content of a register entry
2                                                                © ISO/IEC 2001 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC 15292:2001(E)

4 Abbreviations
ITTF Information Technology Task Force (of ISO/IEC)
PP Protection Profile
RA Registration Authority
SC JTC 1 Subcommittee
ST Security Target
5 Technical Specifications
5.1 Entry label
Every PP or package registered in accordance with this International Standard shall have an entry label
assigned by the JTC 1 RA that uniquely identifies that PP or package within the register. The entry label
shall be made up of the following elements, separated by dashes:
- Entry Type
- Registration Year
- Registration Number.
The Entry Type shall be PP for a protection profile, AP for an assurance package or FP for a functional
package.
The Registration Year shall be the four digit representation of the year when the entry was registered.
The Registration Number shall be a four digit sequentially assigned identification number, starting each year
from 0001.
EXAMPLE PP-2001-0001.
5.2 Technical definition (within a register entry)
5.2.1 PPs
Every application for registration of a PP submitted for registration in accordance with this International
Standard shall include a technical definition of the PP in question. This technical definition shall conform to
the content requirements for PPs contained within Annex B to ISO/IEC 15408-1 and shall conform to the
structural outline portrayed in Figure B.1 of ISO/IEC 15408-1.
5.2.2 Packages
Every application for registration of a functional or assurance package submitted for registration in
accordance with this International Standard shall include a technical definition of the package. This
definition shall contain:
- a package overview that summarises the package in narrative form
- a specification of a set of either functional or assurance components.
The package overview should be sufficiently detailed for a potential user of the package to determine
whether the package is of interest. It should be understandable without reference to the component
specifications.
© ISO/IEC 2001 – All rights reserved                                                              3

---------------------- Page: 7 ----------------------
ISO/IEC 15292:2001(E)
Components for functional packages shall be selected from ISO/IEC 15408-2 or shall be constructed and
specified in accordance with the specification requirements for functional components given within clause 2
of ISO/IEC 15408-2.
Components for assurance packages shall be selected from ISO/IEC 15408-3 or shall be constructed and
specified in accordance with the specification requirements for assurance components given within
subclause 2.1 of ISO/IEC 15408-3.
The technical definition of a package may contain other descriptive information that might be relevant to the
author of a PP or ST wishing to use or reference the package. This information shall be presented in the
form of one or more named PP or ST sections as defined within Annexes B and C of ISO/IEC 15408-1. The
information should be suitable for direct incorporation within PPs or STs that make use of the package.
6 The JTC 1 Registration Authority for PPs and packages
6.1 Appointment
The JTC 1 RA for PPs and packages shall be appointed by the ISO and IEC councils in accordance with the
procedure for the appointment of JTC 1 Registration Authorities defined in the JTC 1 Directives.
6.2 Qualifications
Any organisation seeking appointment as the JTC 1 RA for PPs and packages shall demonstrate that it
meets the qualifications required of JTC 1 RAs as defined in the JTC 1 Directives, with the following
amendments:
- it shall confirm its agreement to function as an RA for a minimum of 5 years;
- it shall confirm that it has sufficient equipment resources and communication facilities to operate an
Internet web site in support of this International Standard;
- it shall confirm that on termination of its appointment, it will transfer its register and all supporting
documentation at no cost to another organisation designated by the ISO and IEC councils.
6.3 Contract
The JTC 1 RA for PPs and packages shall operate under contract with the ITTF. Upon twelve-months
notice, either the RA or the ITTF may terminate the contract.
NOTE The contract has no fixed time limit. Although the organisation appointed as the JTC1 RA will have committed
to function as the RA for a minimum of 5 years from the date of first appointment, circumstances can
change. This subclause permits the RA to resign from its duties at any time, including before the 5 years
is complete, provided that the twelve months notice is given.
6.4 Duties
The JTC 1 RA for PPs and packages shall:
- receive applications for the registration of PPs and packages;
4                                                              © ISO/IEC 2001 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 15292:2001(E)
- review applications for the registration of PPs and packages;
- assign unique entry labels to PPs and packages added to the register;
- inform applicants for registration of the results of their applications;
- inform sponsors of the results of actions relating to their register entries;
- maintain an accurate register;
- make public access to all register entries available at no cost via the world wide web and provide
printed details of register entries on demand, in return for payment of a fee if required;
- publish details of its fee structure, if it operates on such terms;
- handle all aspects of the registration process in accordance with good business practice;
- provide an annual summary report on its activities to JTC 1, ITTF and the SC responsible for this
International Standard;
- adhere to the procedure for appeals contained within clause 15 of this International Standard;
- maintain a copy of the register in the English language;
- handle all correspondence relating to the register or register access in the English language;
- produce guidance, practice and tutorial web pages and documents where applicable;
- indicate (e.g. on web pages and stationery) that it has been designated a JTC 1 RA in accordance
with this International Standard by ISO/IEC.
7 Criteria for eligibility of applicants for registration
Any organisation or individual may submit an application for registration of a PP or package to the JTC 1 RA
for PPs and packages.
8 Information to be included within an application for registration
An application for registration of a PP or package shall include:
- the name and contact details of the applicant. The contact details shall include both a postal or E-
mail address and a telephone or facsimile number. If the applicant is an organisation, the contact
details shall identify the name and title of a contact person within the organisation and provide
sufficient information for contact to be made with that person;
- the type of object submitted for registration. This shall be a PP, functional package or assurance
package;
- a statement as to whether the PP or package is submitted for registration as a new entry or
replacement entry. If the PP or package is submitted as a replacement entry, the entry labels of the
existing register entries to be replaced shall be identified. The application shall include a statement
© ISO/IEC 2001 – All rights reserved                                                              5

---------------------- Page: 9 ----------------------
ISO/IEC 15292:2001(E)
from the sponsors of those entries confirming that if the replacement entry is accepted, they will
agree to the linking of their existing entries as replaced by this entry;
- a statement as to whether the PP or package is submitted for registration as draft or complete;
- the technical definition of the new PP or package, structured in accordance with subclause 5.2 of
this International Standard;
- a statement identifying the natural language in which the technical definition of the PP or package is
written, if not English;
- an executive summary that summarises the PP or package in narrative form;
- a declaration that the applicant will sponsor the register entry until its first routine review;
- a declaration that the technical definition of the PP or package submitted for registration does not
contain secret, proprietary or non-publishable information;
- a declaration that the technical definition of the PP or package submitted for registration meets the
requirements of subclause 5.2 of this International Standard.
- any initial fee required by the RA for consideration of the application;
An application for registration of a PP may also include:
- an evaluation pass statement or certificate for the PP in question, together with the name and
contact details of the organisation that issued that statement or certificate.
NOTE Most elements within an application for registration provide information about the status and attributes
of the proposed entry. It is the technical definition that actually specifies the PP or package that is to
be registered.
Application for registration shall be made in the English language and, with the exception of the technical
definition of the PP or package, all information supplied shall be in English. The technical definition of the
PP or package may be written in any natural language. The executive summary shall be identical in content
to the PP or package overview within the technical definition, but shall always be in the English language.
The technical definition of a PP or package submitted for registration shall contain all the mandatory
structural elements required by subclause 5.2 of this International Standard, and these structural elements
shall be readily identifiable within the text of the definition. If an entry is designated as draft, elements may
be marked as to be defined later, or may be marked as inconsistent or incomplete.
The technical definition shall not reference other PP or package specifications for definition purposes,
whether these specifications are registered or otherwise.
Versions of the technical definition in several natural languages may be supplied. However, one version
shall be identified as the official version for the register entry and all other versions as informative
translations.
An electronic copy of the technical definition shall be supplied with the application. This electronic copy shall
use a file format and transport mechanism recommended for the exchange of electronic documents within
the ISO/IEC/ITU Guide for the use of IT in the development and delivery of standards.
6                                                              © ISO/IEC 2001 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 15292:2001(E)
9 Steps involved in review and response to an application
9.1 Initial processing
All applications for registration of PPs or packages in accordance with this International Standard shall be
subjected to initial processing by the RA.
This process shall check that all required elements of the application are present, and in the opinion of the
RA, adequate for further processing.
The RA shall either reject the application or assign the PP or package an entry label and enter the PP or
package into the register with a status of “in validation”. The applicant shall be advised accordingly. If the
application is rejected, the RA shall identify within its response the reasons for its rejection.
This process shall be completed within 14 days of receipt of the application.
9.2 Validation
The RA shall perform a structural check of the technical definition provided within the application for
registration. If the RA identifies missing sections, or information presented in a manner which is
incompatible with the current version of this International Standard or of ISO/IEC 15408, including relevant
technical corrigenda or amendments published by the ITTF, the RA shall refer the issue or issues to the
applicant for clarification or rectification. If the applicant cannot resolve omissions or inconsistencies within
14 days of receipt of notification of the issue, the PP or package shall fail validation.
If an evaluation pass statement or certificate is supplied, the RA shall contact the organisation that issued
the statement or certificate and provide them with a copy of the application. The evaluating or certifying
organisation shall be requested to confirm within one month that the technical definition of the PP as
evaluated is identical to that as submitted for registration, and that the PP was awarded a pass statement. If
the organisation cannot be contacted, does not reply, or does not offer the requested confirmation, the RA
shall declare the statement or certificate not acceptable and advise the applicant accordingly.
If the application for registration identifies one or more existing register entries that are to be replaced, the
RA shall contact the organisations that currently sponsor those entries and provide them with a copy of the
application and their statement agreeing to the linking of their entries as replaced. The sponsoring
organisations shall be requested to confirm within one month the validity of these statements. If any
organisation cannot be contacted, does not reply, or does not offer the requested confirmation, the RA shall
declare the replacement linkage not accepted and advise the applicant accordingly.
The RA shall complete this validation, including any referrals that are necessary, within 3 months of receipt
of the application. If the applicant has been unable to resolve an issue, the register entry shall then be given
a status of “failed validation”. Otherwise the status shall become either “registered”, or in the case of a
complete PP where an acceptable evaluation pass statement or certificate was supplied, “evaluated” or
“certified” as appropriate. The routine review date shall be set to 36 months from the date of initial entry
onto the register. The applicant shall be recorded within the register entry as the original applicant for
registration and as the current sponsor of the entry.
NOTE Validation by the RA is restricted to the structural and consistency checks defined above and does not include
evaluation of the technical definition using ISO/IEC 15408. The RA will not perform any technical check of the
PP or package definition and it is therefore possible that an incomplete or inconsistent PP or package definition
will be accepted for registration. Only where an entry has “evaluated” or “certified” status is any assertion
© ISO/IEC 2001 – All rights reserved                                                                             7

---------------------- Page: 11 ----------------------
ISO/IEC 15292:2001(E)
made in the register concerning the technical accuracy of the technical definition.
10 Criteria for rejection of applications for registration
An application for registration of a PP or package shall be rejected if:
- the applicant fails to pay any fee required by the RA;
- required elements of the application are missing;
- the application contains missing or incomplete information (except where expressly permitted by this
International Standard);
- the application contains information designated secret, proprietary or non-publishable;
- the application contains incomprehensible information;
- the technical definition of the PP or package to be registered is not in accordance with the
requirements of this International Standard.
11 Operation of the register
11.1 Notification of obsolescent entries
The RA may be advised at any time by the sponsor of a register entry with “registered”, “evaluated” or
“certified” status that the entry in question is considered unsuitable for future use on grounds of
obsolescence. The register entry status shall be updated to “obsolescent”, and the routine review date shall
be set to 18 months from the date of receipt of the advice.
11.2 Update of draft technical specifications
The sponsor of a draft register entry may request the RA at any time to replace all or part of the registered
technical definition or executive summary with a revised specification. The RA shall perform a structural
check of the revised technical definition. If the RA identifies missing sections, or information presented in a
manner which is incompatible with the current version of this International Standard or of ISO/IEC 15408,
including relevant technical corrigenda or amendments published by the ITTF, the RA shall refer the issue or
issues to the applicant for clarification or rectification. Otherwise the entry shall be updated as requested
within 14 days of receipt of the request.
The RA may charge a fee for such updates to draft entries.
11.3 Routine review of entries
One month prior to the routine review date of entries with a status of “evaluated” or “certified”, the RA shall
contact the organisation that issued the evaluation pass statement or certificate, providing a copy of the
current register entry, including any defect reports and defect resolution notes. The evaluating or certifying
organisation shall be requested to confirm within one month that the pass statement or certificate is still
valid. If the organisation cannot be contacted, does not reply, o
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 18032:2020(Main)
Information security — Prime number generation

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.

  • Standard
    33 pages
    English language
    sale 15% off
  • Draft
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC 24761:2019(Main)
Information technology — Security techniques — Authentication context for biometrics

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-time information of presentation attack detection is not provided in this document. Only the assurance information of presentation attack detection (PAD) mechanism can be contained in the BPU report. Biometric identification is out of the scope of this document. This document specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is defined in this document applying a data structure specified in Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.

  • Standard
    75 pages
    English language
    sale 15% off
ISO
ISO/IEC 30111:2019(Main)
Information technology — Security techniques — Vulnerability handling processes

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service. This document is applicable to vendors involved in handling vulnerabilities.

  • Standard
    13 pages
    English language
    sale 15% off
  • Standard
    15 pages
    French language
    sale 15% off
ISO
ISO/IEC 9798-2:2019(Main)
IT Security techniques — Entity authentication — Part 2: Mechanisms using authenticated encryption

This document specifies entity authentication mechanisms using authenticated encryption algorithms. Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms require an on-line trusted third party for the establishment of a common secret key. They also realize mutual or unilateral entity authentication. Annex A defines Object Identifiers for the mechanisms specified in this document.

  • Standard
    15 pages
    English language
    sale 15% off
ISO
ISO/IEC 9798-3:2019(Main)
IT Security techniques — Entity authentication — Part 3: Mechanisms using digital signature techniques

This document specifies entity authentication mechanisms using digital signatures based on asymmetric techniques. A digital signature is used to verify the identity of an entity. Ten mechanisms are specified in this document. The first five mechanisms do not involve an on-line trusted third party and the last five make use of on-line trusted third parties. In both of these two categories, two mechanisms achieve unilateral authentication and the remaining three achieve mutual authentication. Annex A defines the object identifiers assigned to the entity authentication mechanisms specified in this document.

  • Standard
    25 pages
    English language
    sale 15% off
ISO
ISO/IEC TS 27008:2019(Main)
Information technology — Security techniques — Guidelines for the assessment of information security controls

This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001. It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.

  • Technical specification
    91 pages
    English language
    sale 15% off
ISO
ISO/IEC 10118-3:2018(Main)
IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions

This document specifies dedicated hash-functions, i.e. specially designed hash-functions. The hash-functions in this document are based on the iterative use of a round-function. Distinct round-functions are specified, giving rise to distinct dedicated hash-functions. The use of Dedicated Hash-Functions 1, 2 and 3 in new digital signature implementations is deprecated. NOTE As a result of their short hash-code length and/or cryptanalytic results, Dedicated Hash-Functions 1, 2 and 3 do not provide a sufficient level of collision resistance for future digital signature applications and they are therefore, only usable for legacy applications. However, for applications where collision resistance is not required, such as in hash-functions as specified in ISO/IEC 9797‑2, or in key derivation functions specified in ISO/IEC 11770‑6, their use is not deprecated. Numerical examples for dedicated hash-functions specified in this document are given in Annex B as additional information. For information purposes, SHA-3 extendable-output functions are specified in Annex C.

  • Standard
    398 pages
    English language
    sale 15% off
ISO
ISO/IEC 29147:2018(Main)
Information technology — Security techniques — Vulnerability disclosure

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides: — guidelines on receiving reports about potential vulnerabilities; — guidelines on disclosing vulnerability remediation information; — terms and definitions that are specific to vulnerability disclosure; — an overview of vulnerability disclosure concepts; — techniques and policy considerations for vulnerability disclosure; — examples of techniques, policies (Annex A), and communications (Annex B). Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111. This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.

  • Standard
    32 pages
    English language
    sale 15% off
  • Standard
    34 pages
    French language
    sale 15% off
ISO
ISO/IEC TS 19608:2018(Main)
Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This document provides guidance for: — selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII); — the procedure to define both privacy and security functional requirements in a coordinated manner; and — developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2. The intended audience for this document are: — developers who implement products or systems that deal with PII and want to undergo a security evaluation of those products using ISO/IEC 15408. They will get guidance how to select security functional requirements for the Security Target of their product or system that map to the privacy principles defined in ISO/IEC 29100; — authors of Protection Profiles that address the protection of PII; and — evaluators that use ISO/IEC 15408 and ISO/IEC 18045 for a security evaluation. This document is intended to be fully consistent with ISO/IEC 15408; however, in the event of any inconsistency between this document and ISO/IEC 15408, the latter, as a normative standard, takes precedence.

  • Technical specification
    48 pages
    English language
    sale 15% off
ISO
ISO/IEC 27050-2:2018(Main)
Information technology — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery

This document provides guidance for technical and non-technical personnel at senior management levels within an organization, including those with responsibility for compliance with statuary and regulatory requirements, and industry standards. It describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.

  • Standard
    9 pages
    English language
    sale 15% off