PROCEDURE COURTESY TRANSLATION


PREMIER MINISTRE
Secrétariat général de la défense nationale
Direction centrale de la sécurité des systèmes d'information

Paris, 6 January 2004
000004/SGDN/DCSSI/SDR
Reference: AGR/P/01.1

PROCEDURE
LICENSING OF EVALUATION FACILITIES

Subject: Licensing of evaluation facilities
Application: From 1 January 2004
Circulation: Public

COURTESY TRANSLATION

51 boulevard de La Tour-Maubourg - 75700 PARIS 07 SP

Modifications

Version | Date       | Modifications
1       | 02/12/2003 | Creation

2 / 15 AGR/P/01.1

TABLE OF CONTENTS

1. PURPOSE OF THE PROCEDURE ... 4
2. REFERENCES ... 4
3. PROCESS ... 5
4. DESCRIPTION OF THE PROCEDURE ... 5
4.1. Application for licensing ... 5
4.2. Preliminary audit ... 6
4.3. Pilot evaluation ... 6
4.4. Licensing audit ... 6
4.5. Awarding of the license ... 7
4.6. Monitoring of the licensed evaluation facilities ... 7
4.7. Modification of the scope of the license ... 7
4.7.1. Modification at the request of the evaluation facility ... 7
4.7.2. Modification at the request of DCSSI ... 7
4.8. Renewal ... 8
4.9. Withdrawal of license ... 8
4.9.1. Withdrawal at the request of the evaluation facility ... 8
4.9.2. Withdrawal at the request of DCSSI ... 8
4.9.3. Consequences of withdrawal of licensing ... 8
APPENDIX A LICENSING CRITERIA ... 9
APPENDIX B SCOPE OF LICENSING ... 15

1. Purpose of the procedure

This procedure describes the licensing process for evaluation facilities, defined in chapter II of Decree 2002-535. The licensing procedure for an evaluation facility enables it to demonstrate that:
a) it complies with the quality criteria in line with current accreditation rules and standards;
b) it has the capacity to apply the current evaluation criteria and the associated methodology, as well as to enforce the level of confidentiality required by the evaluation;
c) it has the technical skills to conduct an evaluation.

2. References

Decree 2002-535 of 18 April 2002 relating to the evaluation and certification of the security offered by information technology products and systems.
Standard NF EN 45011, Chapter 4.4: sub-contracting.

3. Process

Responsible | Actions | Records
Applicant for licensing | Application for licensing | Application form for licensing
Licensing manager | Preliminary audit | Preliminary audit report
(preliminary conditions satisfied)
Central Director for Information Systems Security | Status "evaluation facility in training" | Letter of notification; List of evaluation facilities
Evaluation facility "in training" | Pilot evaluation | Evaluation report
Licensing manager | Licensing audit | Licensing audit report
Prime Minister, asking the opinion of the Certification Management Board | Licensing decision (refusal or issuance) | Licensing decision; List of evaluation facilities
Licensing manager | Monitoring of the licensed evaluation facility (leading to renewal) |
Prime Minister, following the opinion of the Certification Management Board | Withdrawal of licensing |

4. Description of the procedure

4.1. Application for licensing

An application form for licensing (template AGR-F-01 Application form for licensing) shall be sent to the Central Directorate for Information Systems Security (hereafter DCSSI) (art. 11 of Decree 2002-535). The following documents must be included with the application form:
- a photocopy of the company's K-bis registration certificate;
- a technical file about the applicant's capabilities, including:
  - a general overview of the company with organisation charts showing the position of the evaluation facility in the parent company (if the evaluation facility is part of a larger organisation). The organisation charts must identify the various responsibilities;
  - evidence of recent national and international experience in similar services, indicating the amount of operations, client details and the periods in which the services were carried out. The applicant must be able to provide evidence of skills in the activities associated with information systems security evaluation;
- the accreditation certificate with current validity for programme 141 of the Laboratory Section, Testing Division of COFRAC, with the associated technical appendix, or a notification from COFRAC stipulating that the applicant is undergoing or has applied for accreditation. The applicant shall forward the accreditation certificate as soon as he receives it;
- any security clearance of the company;
- any other relevant information about the applicant.

The application form is analysed by DCSSI. If the content of the application form is not satisfactory, the applicant shall supply a new application form or provide additional information.

The licensing manager is a member of the certification body. He is in charge of monitoring the application throughout the licensing procedure. In particular, he organises the preliminary audit of the applicant.

4.2. Preliminary audit

A preliminary audit is carried out at the applicant's premises in order to assess the aptitude of the applicant for meeting the licensing criteria stated in appendix A. This preliminary audit is carried out in accordance with AGR-I-01 Audit of the evaluation facilities. The licensing manager issues a preliminary audit report that states whether the organisation of the applicant is sufficient to continue the licensing procedure.

If the outcomes of this preliminary audit are satisfactory, the status of evaluation facility in training is granted to the applicant. The evaluation facility appears in AGR-L-01 List of evaluation facilities with this status. The list is available on the DCSSI website: www.ssi.gouv.fr.

4.3. Pilot evaluation

The evaluation facility in training must then conduct a pilot evaluation to enable DCSSI to assess its aptitude for performing an evaluation properly. The scope of the license which may subsequently be awarded depends directly on the scope of this pilot evaluation.

The evaluation facility is responsible for finding a pilot evaluation with a sponsor. The sponsor must be aware of the applicant's status and of the potential risks regarding the results of the pilot evaluation.

The pilot evaluation shall be performed in accordance with the evaluation procedures of the applicant. The oversight by the certification body is stronger than for a normal evaluation.

The applicant has a period of one year (from the date of application for licensing) to start a pilot evaluation. If the candidate has not started a pilot evaluation within this period, its status of evaluation facility in training is withdrawn. A new application will not be accepted without a contract for a pilot evaluation.

4.4. Licensing audit

At the end of the pilot evaluation, DCSSI carries out the licensing audit in accordance with AGR-I-01 Audit of the evaluation facilities. During this audit, the licensing manager checks, in particular, that the observations identified during the preliminary audit have led to corrective actions. The licensing manager issues the licensing audit report, which indicates whether the evaluation facility is compliant with the licensing criteria listed in appendix A.

If the outcomes of the audit are satisfactory, the awarding of the license is proposed to the Certification Management Board.

4.5. Awarding of the license

The Certification Management Board issues an opinion about the licensing of the evaluation facility. The Prime Minister awards the license in accordance with article 12 of Decree 2002-535. The license includes a list of obligations with which the evaluation facility must comply. The evaluation facility can perform evaluations for certification only within the scope of its license. The various scopes of license are defined in appendix B.

4.6. Monitoring of the licensed evaluation facilities

The license is valid only for a period of two years. It is the responsibility of the evaluation facility to apply for renewal. The renewal requires a new licensing audit. However, DCSSI can check at any time that the evaluation facility meets the licensing criteria (art. 14 of Decree 2002-535). For this purpose, DCSSI performs continuous monitoring of the evaluation facilities. The procedure is described in AGR-I-02 Monitoring of evaluation facilities.

4.7. Modification of the scope of the license

This procedure may be initiated:
- at the request of an evaluation facility wishing to enlarge the scope of its activity. The procedure is applicable only for a modification of the evaluation assurance level. For a modification of the field of technology, a new application form must be supplied and the full procedure for licensing is applied;
- at the request of DCSSI if it considers that the capability of the evaluation facility is altered. The procedure could be triggered by the outcomes of a visit to the evaluation facility.

For example, if a member with key technical knowledge leaves the evaluation facility, DCSSI may restrict the scope of the license. In the same way, if the evaluation facility recruits a new member, develops new methods or acquires new equipment, it could apply to enlarge the scope of its license.

4.7.1. Modification at the request of the evaluation facility

The evaluation facility must supply to DCSSI, with its application for modification, all the elements that prove the extension of its capability. The licensing manager can visit the evaluation facility to check these elements. The licensing manager records every stage of the process. The elements of evidence are recorded in the ITSEF monitoring file. When all the elements have been analysed, the Central Director for Information Systems Security decides to modify the scope of the license or to keep it as it is. The evaluation facility is notified of the decision by post.

4.7.2. Modification at the request of DCSSI

If DCSSI considers that the scope of the license of an evaluation facility must be modified, a notification is sent to the evaluation facility. The notification includes a period of time within which the evaluation facility must take action to be able to perform evaluations again in the full scope of its license. The licensing manager records every stage of the process. The elements of evidence are recorded in the ITSEF monitoring file. At the end of the allotted period, the Central Director for Information Systems Security decides to modify the scope of the license or to keep it as it is. The evaluation facility is notified of the decision by post.

4.8. Renewal

At the end of the license validity period, the evaluation facility may apply to DCSSI for a renewal of the license. On receipt of the application, a new licensing audit is carried out in accordance with AGR-I-01 Audit of the evaluation facility. It checks whether the evaluation facility complies with the licensing criteria and the obligations related to the licensing. If the outcomes of the audit are satisfactory, the renewal of the license is proposed to the Certification Management Board. The Certification Management Board issues an opinion about the renewal. The Prime Minister awards a new license for two years.

If the evaluation facility does not wish to renew the license, it simply does not send an application for renewal. The evaluation facility will then be removed from the list of licensed evaluation facilities.

4.9. Withdrawal of license

The Prime Minister, with the opinion of the Certification Management Board, can withdraw the license of an evaluation facility (art. 14 of Decree 2002-535):
- if the evaluation facility no longer meets the requirements of article 11 of Decree 2002-535 or has failed in any of the obligations stated in its license. In particular, the withdrawal of the accreditation leads to the withdrawal of the license;
- if the evaluation facility ceases activity;
- or in the interests of national defence or the internal or external security of the State.

4.9.1. Withdrawal at the request of the evaluation facility

The evaluation facility can decide to cease evaluation activities. It only needs to inform DCSSI of the decision. DCSSI will inform the Certification Management Board. The evaluation facility is then notified of the end of its licensed status.

4.9.2. Withdrawal at the request of DCSSI

If the withdrawal is requested by DCSSI, the license is first suspended for a period of time. During this period, the evaluation facility must put in place corrective actions in order to comply with the licensing criteria. At the end of the period of suspension, if DCSSI considers that the evaluation facility still does not comply with the licensing criteria, DCSSI proposes the withdrawal of the license to the Certification Management Board. The withdrawal can occur only after the evaluation facility manager has been heard by the Certification Management Board.

4.9.3. Consequences of withdrawal of licensing

The evaluation facility is removed from the list of licensed evaluation facilities. The evaluation facility cannot start any new evaluation and the evaluations in progress are suspended. The evaluation facility must transfer all the information and files related to the evaluations carried out to DCSSI.

Appendix A Licensing Criteria

A.1 Management

Accreditation

C1 The evaluation facility must be accredited by COFRAC under programme 141 of the Laboratory Section, Testing Division, "Evaluation of IT Security". Applicants for licensing can be evaluation facilities in training even if they are not yet accredited, but they must be accredited to obtain the license.

Organisation

C2 The evaluation facility, or the organisation of which it is part, must be a legal entity.

C3 Where the evaluation facility is part of an organisation involved in activities other than evaluations, the responsibilities of the key members of the organisation's staff who participate in or influence the evaluation activities of the evaluation facility must be clearly defined, in order to identify any areas of possible conflict of interest.

C4 The evaluation facility and its staff must not be subject to any commercial, financial or other pressures that can influence their technical judgment or the quality of their work. For example, any pressure on the verdicts of the evaluations exerted by persons or organisations outside the evaluation facility must be excluded. In particular, staff salary must not depend on the verdicts of the evaluations.

C5 The evaluation facility must not be engaged in any activity that may have an impact on its independence in evaluation activities. Policies and procedures must formalise this constraint. For example, if the evaluation facility provides advisory services, these must not in any way affect the facility's independence in any evaluation.

C6 The organisation of the evaluation facility and the responsibilities must be carefully defined. The allocation of principal responsibilities must be stated in a general organisation chart. The organisation chart must also state:
- which company the evaluation facility belongs to and how;
- how the evaluation facility is organised generally, and that there are the following functions:
  - director
  - business manager
- how the technical activities are organised, and that there are the following functions:
  - technical manager, with overall responsibility for technical operations and for providing the resources necessary to ensure the quality required for the evaluation work;
  - quality manager (may not be held concurrently with the function of technical manager), who must have the responsibility and authority to ensure that the quality system is implemented. The quality manager must have direct access to the highest levels of senior management where decisions on matters of policy or on the resources for the evaluation facility are taken;
  - security manager (may not be held concurrently with the function of technical manager), tasked with defining and implementing the evaluation facility's security policy and procedures. He must ensure that the procedures are applied.
The same person can hold one or more functions, but this is subject to the approval of the certification body.

C7 The management functions must be continuously ensured: deputies must be appointed.

C8 The responsibility, authority and reporting lines must be defined for all the members of the evaluation facility involved in the evaluations.

C9 The persons responsible for the signature of the evaluation reports must be identified.

C10 All the commercial details of the evaluations must be settled by contract between the evaluation facility, the sponsor and, in certain cases, the developers.

C11 In every evaluation contract, the certification body must be referred to as the recipient of all of the evaluation information.

Quality System

C12 The evaluation facility must operate and maintain a quality system for the evaluation activity which is compliant with ISO/CEI 17025.

C13 It must have written policies, procedures and instructions to ensure the quality of the evaluation. Staff must have access to this documentation, be acquainted with it, understand it and implement it.

C14 All members involved in the evaluations must be aware of the quality system of the evaluation facility.

C15 The objectives of the quality system must be defined in a quality policy statement (quality manual). The quality manual must include a commitment from management to ensure good professional practice and quality of the evaluation work. It must also include the quality system objectives and the requirement that the staff of the evaluation facility know the documentation and apply the procedures. The manual must also contain the management's commitment to comply with the current licensing criteria. The quality manual must set out the structure of the documentation of the quality system, and must contain and refer to the procedures put in place within the evaluation facility (including technical procedures). The quality manual must also contain definitions of the roles and responsibilities for all the staff in management or key positions.

C16 The evaluation facility must define procedures to manage all the documents of the quality system such as regulations, standards, evaluation methods and any related document (instructions, manuals, etc.). In particular, the procedures for modification, approval and circulation must be defined.

Security

C17 The evaluation facility must define and document a security policy defining the methods and conditions for the protection of the sensitive information it holds. The security policy must be maintained by the security manager and approved by the certification body. All members of staff participating in evaluation work must be aware of it.

C18 The security policy must define:
- the security objectives;
- the organisation put in place to achieve these objectives;
- the security procedures for (list not exhaustive and given as an example only):
  - protection of the site,
  - management of personnel and visitors,
  - regular training of persons participating in the evaluation work,
  - protection of evaluation data,
  - protection of archives and communications;
- the provisions covering any anomaly detected in applying the policy and the corrective actions to be taken.

Processing of sensitive information and data

C19 The evaluation facility must have the capacity to handle sensitive industrial data. Such information must be rigorously protected. To achieve this, the evaluation facility must have procedures for the shipment, reception, protection, storage, preservation and/or elimination of any object connected to the evaluations. This also includes provisions for protecting the integrity of such objects as well as the interests of the evaluation facility and its clients.

C20 All the members of the evaluation facility must agree to maintain the confidentiality required during the evaluations.

C21 The evaluation facility must ensure that all sensitive information is protected between evaluations on a need-to-know basis.

Security clearance

C22 If the evaluation facility wishes to handle classified information, it must have enough members with security clearance to meet the requirements of Decree 98-608 of 17 July 1998 relating to the protection of national defence secrets.

Sub-contracting

C23 Sub-contracting of evaluation tasks must remain the exception and is subject to prior agreement from the certification body, the sponsor and, in some cases, the developer concerned. If sub-contracting is required, it is preferred that evaluation facilities sub-contract to other evaluation facilities. If the sub-contractor is not a licensed evaluation facility, it must be able to satisfy the current licensing criteria for the sub-contracted tasks.

A.2 Premises and equipment

Premises and environment

C24 The evaluation facility must have dedicated technical premises for the evaluation (offices, testing platform, meeting rooms, etc.). These premises must be protected against attacks and must be appropriately maintained.

C25 Access to the evaluation premises must be controlled. For example, the evaluation facility must ensure the protection of the information against people from outside the evaluation facility, as well as against its own members on a need-to-know basis.

Tools and equipment

C26 to C29:
- All equipment necessary to carry out the evaluation within the scope of the license must be available in the evaluation facility.
- The evaluation facility must have its own administrative support and sufficient resources for the evaluation activity.
- If, exceptionally, the evaluation facility needs to use equipment outside its organisation, it must be able to demonstrate that the equipment offers the requisite quality and security. The staff of the evaluation facility must have the necessary skills to operate the equipment themselves. In addition, measures to protect the sensitive data processed by the equipment must be defined.
- All the tools used during the evaluations must be identifiable (by a unique code, for example). They must be subject to specific management in terms of set-up and configuration, so as to ensure that the results of the evaluations can be reproduced. A configuration management system should make it possible to audit the changes made to the tools.
- Each piece of equipment or software that can have an impact on the evaluation tasks must be registered. Equipment can be used only by authorised staff. Access to the evaluation tools must be regulated. The operation and the maintenance of the evaluation tools must be subject to instructions perfectly known by the authorised staff.

A.3 Technical skills

Staff

C30 The evaluation facility shall have the necessary skills to carry out evaluations within the scope of its license.

C31 The staff of the evaluation facility must be competent and experienced in information technology, as well as in security evaluation. DCSSI is responsible for the assessment of the capability of the evaluation facility relating to the scope of its license (technical knowledge and experience necessary to carry out the corresponding tasks).

C32 The evaluation facility must qualify the members appointed to operate specific tools, to perform evaluation tasks and to sign evaluation reports. Supervision by an experienced and qualified member must be ensured for members in training.

C33 The members of the evaluation facility must be recruited in accordance with a procedure that clearly sets out the responsibilities resulting from the licensing. The procedure must include a careful analysis of candidates to be sure that they meet the requirements of the licensing criteria.

C34 Each member of the evaluation facility must be made aware of his/her responsibility. This implies a definition of all the responsibilities related to the evaluation activities.

C35 The evaluation facility must define objectives for the training and the qualification of its members. Policies and procedures must exist to identify training needs and to provide the relevant training. Training programmes must be related to the evaluation activity. Note: the programme must include training on the evaluation criteria and associated methodology.

C36 The evaluation facility must keep up-to-date job descriptions for management, technical and key support staff participating in the evaluations. Note: DCSSI must be informed of the activity of the members of the evaluation facility in order to ensure that such activity is compatible with the licensing. DCSSI must be informed of any change in the staff of the evaluation facility. The Curriculum Vitæ of each member must be supplied to DCSSI.

C37 The evaluation facility must ensure that staff turnover is limited. It is important to avoid too many short-term contracts and people with mobility (trainees).

C38 The majority of the activity of the members of the evaluation facility must be security evaluation, advisory services or security training. Members of the evaluation facility may be employed outside these fields for limited periods, but their activity must be compatible with the evaluation.

A.4 Methods and procedures of work

Methods

C39 The evaluation facility must have a methodology for each evaluation task included within the scope of its license. The methodology must be an international, European or national standard, or at the very least be publicly available.

C40 The evaluation facility may develop its own methods if no existing method is available or if a generic method has to be adapted. The development of methods must be a planned activity carried out by qualified staff with adequate resources.

C41 The evaluation facility must first approve internally the evaluation methods (including testing and attack methods) that it has developed, in order to confirm that they are suitable for their intended use. This approval is performed through pilot projects. The final approval of the methods is given by DCSSI.

C42 All the methods, procedures and instructions used for the evaluations must be documented.

C43 When performing the evaluation tasks, the evaluation facility must comply with the approved methods.

Records

C44 All records related to the evaluations (observations, data, etc.) must be kept. These records should contain enough information to repeat the evaluation tasks under conditions as close as possible to the original ones. They must also identify the person who carried out each task.

Evaluation reports

C45 All evaluation reports must be internally approved before being supplied to customers, in order to limit any bias and the consequences of any errors.

C46 All evaluation reports supplied to the sponsors and to the certification body must be signed by a qualified person (cf. criterion C9); this includes any report sent by electronic mail.

C47 Evaluation reports must be kept for a period of ten years.

Appendix B Scope of licensing

A.5 Definition of the scope of licensing

The licensing defines the scope within which the evaluation facility may perform evaluations for the purpose of certification. DCSSI may grant exemptions to this rule for special tasks, but this remains an exception. The scope of licensing is defined in terms of type of technology and maximum evaluation assurance level.

A.6 Type of technology

Two types of technology (and the related evaluation skills) are defined:
- electronic and microelectronic components and embedded software;
- computers and networks.

Within each type of technology, restrictions may be specified on the products or systems that the evaluation facility is allowed to evaluate.

A.7 Evaluation assurance level (1)

The maximum evaluation assurance level for which the evaluation facility is licensed depends on several parameters:
- the scope of the accreditation: the list of methods (evaluation tasks) for which COFRAC has awarded accreditation;
- the applicant's technical skills and resources: during the preliminary audit, the pilot evaluation and the licensing audit, DCSSI assesses the technical skills and the resources available to the evaluation facility to perform evaluations. This assessment focuses on the vulnerability analysis evaluation tasks (technological survey, penetration tests, etc.);
- the scope of the pilot evaluation: the assurance level of the pilot evaluation has a direct influence on the scope of the license.

(1) The license letter stipulates only the type of technology and the evaluation criteria. The maximum evaluation assurance level is defined and managed by the certification body. It may be modified without a renewal of the license (see 4.7).