IT security techniques - Competence requirements for information security testers and evaluators - Part 2: Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers
German title
IT-Sicherheitstechniken - Kompetenzanforderungen an Tester und Evaluatoren von Informationssicherheit - Teil 2: Anforderungen an Wissen, Fähigkeiten und Effektivität für ISO/IEC 19790-Tester
Buy securely with a credit card or pay upon receipt of invoice
All transactions are encrypted
Content
Content (en)
Foreword
Introduction
Scope
Normative references
Terms and definitions
Abbreviated terms
Structure of this document
Knowledge
General
Tertiary education
General
Technical specialities
Speciality topics
Knowledge of standards
General
concepts
Additional ISO/IEC standards
Knowledge of the validation program
Validation program
General
Organization
Communications
Legal and regulatory mandates
Policies
Documentation
Tools
Knowledge of the requirements of
Skills
General
Algorithm testing
Physical security testing
Side channel analysis
Technology types
Experience
General
Demonstration of technical competence to the validation program
Experience with performing testing
Experience with particular technology types
Education
Effectiveness
Example of an testers’ log (informative)
Ontology of technology types and associated bodies of knowledge (informative)
General
Technology types
General
Software/firmware
Programming languages
Compilers
Debuggers or Simulators
Hardware
General knowledge
Single-chip modules
General knowledge about single-chip modules
Single-chip substrate materials
Single-chip packaging types
Multi-chip embedded modules
Multi-chip standalone modules
Specific knowledge associated with the security of cryptographic modules (informative)
General
Cryptographic module specification
General
Buffers
Security relevant components
Identification of programmable interfaces, debugging interfaces and covert channels
Identification of approved and non-approved security functions
Exclusion of components
Degraded operation
Cryptographic module interfaces
Overview
Separation of input data from output data
Knowledge of critical security functions, services or security relevant services
Trusted channel
Roles, services, and authentication
General
Services
Authentication
Software/firmware security
Operational environment
Process memory management
Loading
Linking
Virtual memory
Physical security
Non-invasive security
Sensitive security parameter management
General
Password vs cryptographic key
Entropy vs attackers' knowledge
SSP hierarchy
General
Split knowledge
Authorized roles for SSPs management
Zeroization
Copies of SSPs
Embodiment of storage device
Flash memory
Hard disk drive
Self-tests
General
Critical functions
Notion of critical functions
Pre-defined critical functions
Vendor-defined critical functions
Pre-operational software/firmware integrity test
Scope of pre-operational software/firmware integrity test
Use of a truncated version of approved message authentication code
Single encompassing message authentication code vs multiple disjoint codes
Conditional cryptographic algorithm self-tests
Pair-wise consistency test
Life-cycle assurance
General
Configuration management
Finite state model
Minimum resolution of states
Definition of error states
Development
Mapping to finite state model
Tools and automation
Unnecessary code, parameters and symbols
Pre-conditions and post-conditions
Vendor testing
General
Low-level testing
Delivery and operation
End of life
Guidance documents
Mitigation of other attacks
Competence requirements for validators (informative)
Bibliography
ICS
35.030
Cooperation at DIN
Please get in touch with the relevant contact person at DIN if you have problems understanding the content of the standard or need advice on how to apply it.
