ISO



Methodology for IT security evaluation

This International Standard is a companion document to the evaluation criteria for IT security defined in ISO/IEC 15408. It defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408.

ISO/IEC 18045:2008

Cryptographic algorithms and security mechanisms conformance testing

This document gives guidelines for cryptographic algorithms and security mechanisms conformance testing methods.
Conformance testing assures that an implementation of a cryptographic algorithm or security mechanism is correct whether implemented in hardware, software or firmware. It also confirms that it runs correctly in a specific operating environment. Testing can consist of known-answer or Monte Carlo testing, or a combination of test methods. Testing can be performed on the actual implementation or modelled in a simulation environment.

ISO/IEC 18367:2016

Security requirements for cryptographic modules

ISO/IEC 19790:2012 specifies the security requirements for a cryptographic module utilised within a security system protecting sensitive information in computer and telecommunication systems. This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location).

ISO/IEC 19790:2012

Authenticated encryption

This International Standard specifies six methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives:
— data confidentiality, i.e. protection against unauthorized disclosure of data,
— data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified,
— data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator.

ISO/IEC 19772:2009

Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This document provides guidance for:
— selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII);
— the procedure to define both privacy and security functional requirements in a coordinated manner; and
— developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2.

ISO/IEC TS 19608:2018

Secret sharing -- Part 1: General

ISO/IEC 19592 (all parts) specifies cryptographic secret sharing schemes and their properties. This document defines the parties involved in a secret sharing scheme, the terminology used in the context of secret sharing schemes, the parameters and the properties of such a scheme.

ISO/IEC 19592-1:2016

Catalogue of architectural and design principles for secure products, systems and applications

This document provides a catalogue of architectural and design principles that can be used in the development of secure products, systems and applications together with guidance on how to use those principles effectively.
This document gives guidelines for the development of secure products, systems and applications including a more effective assessment with respect to the security properties they are supposed to implement.
This document does not establish any requirements for the evaluation or the assessment process or implementation.

ISO/IEC TS 19249:2017

Service level agreement (SLA) framework -- Part 4: Components of security and of protection of PII

This document specifies security and protection of personally identifiable information components, SLOs and SQOs for cloud service level agreements (cloud SLA) including requirements and guidance.

ISO/IEC 19086-4:2019

Blind digital signatures -- Part 2: Discrete logarithm based mechanisms

This part of ISO/IEC 18370 specifies blind digital signature mechanisms, together with mechanisms for three variants of blind digital signatures. The variants are blind digital signature mechanisms with partial disclosure, blind digital signature mechanisms with selective disclosure and traceable blind digital signature mechanisms. The security of all the mechanisms in this part of ISO/IEC 18370 is based on the discrete logarithm problem.

ISO/IEC 18370-2:2016

Blind digital signatures -- Part 1: General

This document specifies principles, including a general model, a set of entities, a number of processes, and general requirements for blind digital signature mechanisms, as well as the following variants of blind digital signature mechanisms:
— blind signature mechanisms with partial disclosure;
— blind signature mechanisms with selective disclosure;
— traceable blind signature mechanisms.

ISO/IEC 18370-1:2016

Information technology -- Cloud computing -- Interacting with cloud service partners (CSNs)

The purpose of this technical report is to expand on the description of the interactions between cloud service partners (CSNs) and cloud service customers (CSCs), and between CSNs and cloud service providers (CSPs).
Cloud computing is in a position to offer solutions to many emerging technologies, and it offers many benefits to all cloud service users (CSUs) and CSCs.  The broader requirement for cloud solutions is to ensure organizations have the best capabilities to fulfil their business missions.  This has helped to drive the adoption of cloud services and the marketplace is adjusting to the increasing demands.
In finding and applying appropriate solutions and leveraging the many benefits of using cloud services, many CSCs use multiple CSPs and various deployment models, and include a global network.  In using, sharing, and assessing data, an understanding and clarification of roles, activities and responsibilities will help to maintain the security, privacy, confidentiality and confidence of cloud services.
Interactions of CSCs and CSPs with the various CSNs have caused a degree of concern and confusion in the cloud service marketplace, in some cases causing harm to CSCs through inappropriate security controls and the lack of proper cloud service agreements relating to the cloud services being used. This is in part caused by an inadequate understanding of the relationships involved and by the lack of standards which might apply to those relationships.
Interactions between CSCs and CSPs have been described in detail in standards documents – ISO/IEC 17789 [2], 19941 [7], 27017 [11], 27018 [12] and the 19086 series. Interactions of CSNs, a key role in the cloud service environment, with CSCs and CSPs have not been described in similar detail. This TR is to provide guidance and descriptions for those interactions.
This document provides clarification of the concepts provided in ISO/IEC 17789, 19086, and 19941 regarding CSNs, and CSN interactions with CSCs and CSPs with the help of a few exemplary market scenarios. Building on an expanded description of sub-roles and activities, this document provides guidance on using cloud service agreements (CSA) and cloud service level agreements (cloud SLAs) to provide more clarity for CSN interactions.
This document provides an overview of and guidance on interactions between cloud service partners (CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud service entities. In addition, the document describes how cloud service agreements (CSAs) and cloud service level agreements (cloud SLAs) should be used to address those interactions including the following:
— Define terms and concepts, and provide an overview for interactions between CSNs and CSCs and CSPs
— Description of types of CSN interactions
— Description of interactions between CSNs and CSCs
— Description of interactions between CSNs and CSPs
— Elements of CSAs and cloud SLAs for CSN interactions, both with CSPs and with CSCs
 
Under development

ISO/IEC NP TR 23187