In our increasingly connected world it is evident that all products and applications which connect to the Internet or other networking systems are likely to (at worst) be a target for attack or (at best) be a potential source of human error leading to data compromise. Many products or systems will be subject to specific legislation, such as the Data Protection Act or the Computer Misuse Act. Failure to comply with such legislation can result in fines of up to £500k or, if current proposals are accepted, up to 5% of global turnover (whichever is the greater).
DNV GL can help you to assess and protect against these risks by:
- Testing newly developed products or systems before they are released to market, including fuzz testing of the available interfaces as well as more formal security testing such as Common Criteria and Commercial Product Assurance; and
- Penetration testing – with a view to identifying and rectifying any issues before it’s too late.
DNV GL can further help you to identify and manage risk to products and systems in the wider context of your operational and business practices. Our team has decades of experience in cyber security.
Common Criteria (ISO 15408) is the foremost international standard for the evaluation and certification of security products, covering software products and devices (such as operating systems, firewalls, gateway devices, database management systems and PC security products).
DNV GL is a candidate Commercial Evaluation Facility (CLEF) under the UK IT Security Evaluation & Certification Scheme, holds ISO 17025 accreditation from UKAS, and can undertake Common Criteria evaluations. Our team can help clients to achieve successful certification, and re-certification, for hardware and software products at a range of assurance levels and in a range of technical domains.
We can undertake security analysis and testing (either as evaluators or as an independent test resource). We can also act as both consultant (to assist you with the development of the necessary evaluation deliverables such as Security Target and Design Representation) and evaluator, as our team size and structure enables us to ensure the necessary levels of separation are in place.
DNV GL can already provide pre-evaluation consultancy, process support and test evidence in accordance with Evaluation Scheme rules, helping clients to achieve successful certification of their products.
Commercial Product Assurance
The CESG Commercial Product Assurance (CPA) scheme is a developing UK Government scheme designed to provide assurance around commercial security products. The scheme is administered by CESG, the Government’s National Technical Authority for Information Assurance.
The scheme provides assurance in the ‘Official’ and below space although usage may be allowed in some cases above ‘Official’ (depending on the threat level). The CPA scheme was originally designed to ensure that products for use within the Public Sector provide the required risk mitigations to counter the threats which they are likely to face in this environment.
Certification to CPA’s Foundation Grade means that a product has been tested to show that it provides the required security functionality. The functionalities required for a particular type of product are defined in a set of CESG produced Security Characteristics (SCs). Indeed, members of the team here were heavily involved in crafting the SCs for GB smart meters.
DNV GL is a Foundation Grade CPA laboratory whereby evaluation and testing would be performed by DNV GL, with certification being performed by CESG in their role as scheme certification body. DNV GL is already offering informal pre-evaluation consultancy services to a number of customers and is under contract to several customers to evaluate products across a range of technical areas.