IT Baseline Protection Manual S 2.66 The importance of certification for procurement

Initiation responsibility: Agency/company management

Implementation responsibility: Procurer

When procuring IT products and IT systems, it must be checked at an early stage whether the assurances given by the manufacturer or distributor regarding security functions can be considered sufficient. Particularly where protection requirements are high or very high, the trustworthiness of the products with regard to IT security can only be guaranteed by having them evaluated by independent testing agencies.

The harmonised European "Criteria for the Evaluation of the Security of IT systems (ITSEC)" and the evaluation manual ITSEM have offered a generally accepted basis for these evaluations since 1991, as have the globally agreed "Common Criteria for the Examination and Evaluation of the Security of IT systems" / Common Criteria (CC) since 1998. In Germany, the BSI itself and testing bodies acknowledged by the BSI conduct evaluations of this kind. If the evaluation results are positive and the conditions of ITSEC and ITSEM or the Common Criteria are fulfilled, a safety certificate is issued by the BSI as the certifying body for the assessed product or system.

The certification report states at which test level each functionality was investigated and what the result of the evaluation was. The test level ranges from evaluation level E 1 (lowest test level) to evaluation level E 6 (highest test level) for the ITSEC and from evaluation assurance level EAL 1 (lowest test level) to evaluation assurance level EAL 7 (highest test level) for the CC. Evaluation level E 1 of the ITSEC approximately corresponds to evaluation assurance level EAL 2 of the CC and so on. Additionally, the strength of the security functions is stated, which represents the degree of difficulty in overcoming the security functions. The ITSEC and CC differentiate between the strengths low, medium and high. Indications are also given regarding the conditions which must be observed when using the product.

If several products with an acceptable price/performance relationship are available when procuring IT, an existing safety certificate can be considered a positive criterion for selection. Safety certificates should be particularly considered if the evaluated function (mainly) corresponds with the minimum functionality and the security strength corresponds with the protection requirement (cf. S 4.41 Use of a suitable PC security product). The higher the test level stated in the certificate, the higher the trustworthiness of the effectiveness of the security functions of the product.

The certification bodies regularly issue summaries of which products have a certificate. A summary of the IT products and systems certified by the BSI can be obtained from the BSI: BSI 7148 - BSI Certificates. The BSI also publishes recently-issued certificates in the magazine KES, a magazine for communication and EDP security. This information can also be obtained from the BSI server.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999