
4/13/2000

Pragmatic Use of
ISO/IEC 15408
(The Common Criteria)

HL7 International Affiliates Joint Meeting

August 25, 2000


Dresden, Germany

Glen Marshall
glen.marshall@smed.com

What is ISO/IEC 15408?

• A framework defining criteria for evaluating IT products and systems.
• A standard for information protection
  – Confidentiality
  – Integrity
  – Availability
• Human Activity Centered
  – Technology and Assurance Functions


What ISO/IEC 15408 Is Not

• A Security Standard
• A Prescription
• "Security for Dummies"
• A Panacea

What is ISO/IEC 15408 Good For?

• Consumer Decision Assistance
  – What is "good enough"?
  – Have we covered the right risks effectively?
• Comparisons Among Alternatives
  – Everyone plays by the same rules
  – Vendor products & systems
  – In-house development efforts


What is ISO/IEC 15408 Good For?

• For Healthcare IT …
  – Translating regulations to actions
  – Responding to external audits
  – Assuring healthcare stakeholders
  – Establishing trust among systems
  – Planning systems changes

What is ISO/IEC 15408 Not For?

• Non-IT administrative security
• Specifying the evaluation method
  – Business framework
  – Legal requirements
• Accreditation procedures
• Esoteric technical aspects


How is ISO/IEC 15408 Used?

• Protection Profile
  – Environmental assumptions
  – Threats
  – Policies
  – Objectives
  – Functional Requirements
  – Assurance Requirements
  – Environmental Requirements

How is ISO/IEC 15408 Used?

[Diagram]

  Environment     Policies     Assumptions
          \          |          /
                 Objectives
          /          |          \
   Functional     Assurance     Environment
  Requirements   Requirements   Requirements


How is ISO/IEC 15408 Used?

• Protection Profile Creation
  – Top-down, broad interest
  – Bottom-up to define product families from piece-parts
• Security Target
  – Take a Protection Profile
  – Add implementation specifics
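As an added example (not from the deck), a small Python model of the Protection Profile structure described above, with the traceability checks a reviewer runs before accepting a PP or a Security Target: every threat, policy and assumption must be countered by an objective, and every objective must be met by a requirement. The data model, the identifier prefixes and the Single Sign-On sample content are assumptions for illustration, not the standard's own format.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ProtectionProfile:
    """Hypothetical model of the PP/ST structure on the slides (not CC's own format)."""
    threats: dict[str, str]            # id -> description
    policies: dict[str, str]
    assumptions: dict[str, str]
    objectives: dict[str, set[str]]    # objective -> threats/policies/assumptions it addresses
    requirements: dict[str, set[str]]  # requirement -> objectives it satisfies

    def unaddressed(self) -> set[str]:
        """Threats, policies and assumptions no objective traces back to."""
        needs = set(self.threats) | set(self.policies) | set(self.assumptions)
        return needs - set().union(*self.objectives.values())

    def unmet_objectives(self) -> set[str]:
        """Objectives no functional, assurance or environmental requirement meets."""
        return set(self.objectives) - set().union(*self.requirements.values())

    def dangling_references(self) -> set[str]:
        """Ids an objective or requirement points at that are never defined."""
        defined = set(self.threats) | set(self.policies) | set(self.assumptions) | set(self.objectives)
        referenced = set().union(*self.objectives.values(), *self.requirements.values())
        return referenced - defined


def single_sign_on_profile() -> ProtectionProfile:
    """Constructed sketch of the deck's Single Sign-On example, with two deliberate gaps."""
    return ProtectionProfile(
        threats={
            "T.MASQUERADE": "someone claims another user's identity",
            "T.CRED_DISCLOSURE": "authentication data is exposed in storage or transit",
            "T.UNDETECTED": "misuse goes unnoticed because no record exists",
            "T.UNATTENDED": "a signed-on workstation is left unattended",  # gap 1: no objective
        },
        policies={"P.ACCOUNTABILITY": "actions must be attributable to a user"},
        assumptions={"A.MANAGED_USERS": "users are enrolled and managed by the organization"},
        objectives={
            "O.AUTHENTICATE": {"T.MASQUERADE"},
            "O.PROTECT_AUTH_DATA": {"T.CRED_DISCLOSURE"},
            "O.AUDIT": {"T.UNDETECTED", "P.ACCOUNTABILITY"},
            "OE.ENROLMENT": {"A.MANAGED_USERS"},  # objective placed on the environment
        },
        requirements={  # named after the slides' "added functions"
            "identification/authentication": {"O.AUTHENTICATE"},
            "cryptography": {"O.PROTECT_AUTH_DATA"},
            "auditing": {"O.AUDIT"},
        },  # gap 2: no environmental requirement (e.g. an enrolment procedure) meets OE.ENROLMENT
    )
```

Running the three checks on the sample reports the unattended-workstation threat as unaddressed and the environment objective as unmet, which is exactly the rationale gap a Security Target would have to close with its implementation specifics.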

Why is ISO/IEC 15408 Not Used?

• Pragmatically …
  – Healthcare IT systems are not monolithic.
  – Systems are subject to frequent changes.
  – System implementers are not security experts.
  – System users often don't care about security.
  – There are severe budget and time constraints.
  – Managers are often impatient.


Key Strategic Challenges

• Bridge to the Future
  – Now: A pile of disconnected tools
  – Future
    • Robust Security Administration
    • Prudent Technology Choices
    • Seen As Valuable By Users
• A Complete Solution


Key Pragmatic Strategies

• Focus
  – Central Concerns
  – User Benefits
  – Scope and Scale
• Assurance
  – Benefits at Reasonable Cost
  – Incremental Results


Focus on Central Concerns

Pick a Security need that …

• Contains a significant business process
• Is well-bounded
• Has limited threats, e.g., is not Internet-based or with an unmanaged user population
• Preferably, is the entry-point case for less well-bounded or more threatened cases


Focus on Central Concerns

[Diagram: Point of Care surrounded by Affiliates, Referrals, Scheduling, Patients, Laboratory, ADT, Staff, Radiology and Payers]


Focus on User Benefits

Fulfill Security needs that …

• Attract and promote willing compliance
• Contain significant business processes
• Are well-bounded
• Have limited threats, e.g., not an unmanaged user population
• Preferably, may form the basis for less well-bounded or more threatened cases


Focus on User Benefits

Example: Single Sign-On

• Highly desired by current users
• Well-bounded case
• Threats are limited
• A basic enabler for …
  – Physician use
  – Patient access


Focus on User Benefits

Example: Single Sign-On

• Core identification/authentication functions
• Added functions:
  – Auditing
  – Cryptography
  – Protecting authentication data
  – Administrative Functions
  – Protecting Administrative Functions
  – System access rules
  – Trusted paths


Focus on User Benefits

Drop acronyms and jargon!

• TOE = the system or the application
• TSF = the Security functions
• TSF data = the Security database
• SFP = Security policies


Focus on Scope and Scale

• Who are your users?
• How many?
• How few?
• How much?
• Where?

One Size Does Not Fit All


Assure Benefits (at reasonable cost)

• Evaluation Assurance Level Choices
• Development Assurance
• Deployment Assurance
• Operational Assurance
• Auditing
  – Internal
  – External


Assure Incremental Results

It's always a moving target

[Diagram: Now, followed by successive targets T1, T2, T3]


Discussion

What has your organization been doing about Healthcare Security and Privacy?

• Are you satisfied with priorities?
• Are your users fully enrolled?
• Will the planned results fit the needs?


Discussion

What will your organization continue to do about Healthcare Security and Privacy?

• Measure costs vs. benefits?
• Achieve incremental compliance?


Discussion

How are you transitioning your current assurance approaches and implementation into the future requirements?

• Are you involving Risk Management?
• Where in the organization will the Security Officer reside?
• Who is responsible and accountable for conducting …
  – Internal audits?
  – External audits?


Questions?
Fragen?
¿Preguntas?
Domande?


Thank you
Danke
Merci
Gracias
Grazie
