There is no one-size-fits-all set of technical requirements for ICT products and services when it comes to enhancing security and trust
TRUESSEC.eu Deliverable 5.3, entitled “Recommendations and Technology Research Agenda”, has two objectives:
- To propose a set of recommendations to determine requirements to be mandated for certification of trustworthy ICT products or services
- To propose a research agenda based on technical gaps identified by TRUESSEC.eu in our Deliverable D5.2, “Technical gap analysis”, categorizing these gaps according to six TRUESSEC Core Areas of trustworthiness.
With respect to technical requirements to be mandated for certification of trustworthy ICT products and services:
- Requirements to be mandated depend on the industrial sector and intended use:
- ICT products and services are ubiquitous, used in different sectors (e.g. health, energy, government, transport, etc.), and in each sector are used for different use cases. Technical requirements for trustworthiness certification therefore depend on the combination of sector and use case. For example, TRUESSEC’s Protection Core Area of trustworthiness will impose different requirements, and attacks on the confidentiality, integrity and availability of data will have a different impact, depending on sector and use case: compare accessing healthcare data with booking entertainment tickets. There is no one-size-fits-all set of technical requirements.
- Best practices already use a plethora of technical requirements from standards and control frameworks used in certification processes:
- TRUESSEC Deliverable 5.1 noted a variety of standards applicable to different areas, e.g. oriented to products, components, processes, services, organisations, critical infrastructure, etc. A recent state-of-the-art survey by the European Cybersecurity Organisation (ECSO) identified 290 standards and certification schemes, which should be leveraged to avoid reinventing the wheel, as emphasised by the European Commission in the Cybersecurity Certification Framework (Article 47(b)).
Therefore, we define a first set of technical recommendations on which we would like your opinion and comments:
- Define a set of levels of assurance in terms of: (a) the level of confidence, which can be determined by, e.g., the type of assessment and the degree of independence between the evaluator and the party responsible for the ICT product or service, and (b) the strength of the controls required against the identified risks.
- Achieve consensus on a baseline, i.e. a horizontal minimum set of requirements independent of sector, which may prevent untrustworthy ICT products and services from entering the market.
- Use a risk-based approach as the primary mechanism to derive a detailed set of sector-specific requirements: risk analysis shall be the primary means to identify risks and derive a detailed and comprehensive set of technical requirements for higher levels of assurance.
- Establish new Expert Groups, and reuse existing ones, to define baseline and sector-specific requirements.
- Promote the harmonisation of existing standards and certification schemes: despite the heterogeneity of existing standards and schemes, their reuse and harmonisation for certification is encouraged as far as possible. New schemes should only be created where current standards are not adequate.
- Foster the composition of existing certification schemes across supply chains, to cover the complex supply chains of current ICT products and services. A system may be composed of several sub-systems (e.g. ICT products, services, processes, organisations, etc.), so the trustworthiness of the whole system requires the certification of all sub-systems through the composition of several existing schemes.
Please give us your feedback below.
You can find the full deliverable here: https://truessec.eu/content/d53-recommendations-and-technology-research-agenda