Deliverable D7.4. Methodological guidelines for assurance and certification of security and privacy level

Based on D7.1 (Summary of existing trustworthiness seals and labels), which identifies incentives and barriers for labelling schemes; D7.2 (Cybersecurity and privacy Criteria Catalogue for assurance and certification), which defines a Criteria Catalogue that can be used to assess and compare the trustworthiness of ICT products and services; D6.3 (Recommendations for standardisation initiatives), which outlines a labelling solution from a business perspective; and other relevant European initiatives, this document defines a set of recommendations for the assessment and labelling processes for trustworthy ICT products and services.

While further details can be found throughout the document, in a nutshell we advocate a labelling solution that includes the following core elements:

  1. A questionnaire containing a set of yes/no questions that the ICT service provider or product manufacturer answers itself after a self-assessment, attaching the evidence that supports each answer. Each question asks whether one indicator of the Criteria Catalogue is met (a question corresponds to an indicator). The fulfilment of an indicator can also be supported by attaching evidence from other assurance processes already performed on the subject-matter of the labelling, such as certifications, approved codes of conduct, etc. In this way, an ICT product or service does not have to go through the same process several times (once to obtain the label and again to certify specific properties).
  2. A labelling portal that, based on the questionnaire and the evidence submitted by the provider/manufacturer, assigns a level of conformance to each trustworthiness criterion according to the answers, and issues the transparency report and the visual label.
  3. A transparency report and a multidimensional & multilevel visual label, which are the outputs of the portal.
  4. A governance framework ruled by an authority, which is responsible, e.g., for setting up the questionnaire, defining the levels of conformance, and so on.

The guidelines presented here will feed into the Recommendations for a European Trust-Enhancing Label (RETEL), which aims to promote the use of such labels and ultimately enhance the perception of privacy and security in ICT products and services, while also fostering users' trust.