1.
PeerJ Comput Sci ; 7: e701, 2021.
Article in English | MEDLINE | ID: mdl-34805499

ABSTRACT

Over the last few years, private and public organizations have suffered an increasing number of cyber-attacks owing to excessive exploitation of technological vulnerabilities. The major objective of these attacks is to gain illegal profits by extorting organizations which adversely impact their normal operations and reputation. To mitigate the proliferation of attacks, it is significant for manufacturers to evaluate their IT products through a set of security-related functional and assurance requirements. Common Criteria (CC) is a well-recognized international standard, focusing on ensuring security functionalities of an IT product along with the special emphasis on IS design and life-cycle. Apart from this, it provides a list of assurance classes, families, components, and elements based on which security EALs can be assigned to IT products. In this survey, we have provided a quick overview of the CC followed by the analysis of country-specific implementation of CC schemes to develop an understanding of critical factors. These factors play a significant role by providing assistance in IT products evaluation in accordance with CC. To serve this purpose, a comprehensive comparative analysis of four schemes belonging to countries including US, UK, Netherlands, and Singapore has been conducted. This comparison has aided to propose best practices for realizing an efficient and new CC scheme for the countries which have not designed it yet and for improving the existing CC schemes. Finally, we conclude the paper by providing some future directions regarding automation of the CC evaluation process.

2.
IEEE J Biomed Health Inform ; 24(6): 1752-1761, 2020 06.
Article in English | MEDLINE | ID: mdl-31715578

ABSTRACT

The substantial improvements and innovations in communication networks and bio-medical technologies have led to the adoption of networked medical devices due to which the attack surface has increased profoundly. Numerous devices in practice were designed and developed years ago without security measures. In such a scenario, the role of regulatory bodies has become evident. The Food and Drug Administration (FDA) validates and approves devices before commercialization. In contrast, the European Union (EU) follows a decentralized approach and Notified Bodies (NB) for assuring high standards, safety and quality of medical devices being marketed in Europe. Once the device has gone through stringent regulations including good manufacturing practices, Quality Management System (QMS), labeling, clinical tests, performance standards, adequate storage and packaging practices, a declaration of conformity will be granted, which is a legally binding document stating that the device is conformant with applicable European requirements and can be marketed in Europe. However, such regulations lack a systematic methodology to determine unified security, safety and privacy risk that eventually influence the health of patients. To cover these gaps, this research proposes Integrated Safety, Security, and Privacy (ISSP) Risk Assessment Framework to determine the risk level of the device and required security controls. It is then applied to a case scenario of an infusion pump and further evaluated by comparing it with current standards and practices. The comparison shows that the framework provides a unified approach to consider different types of risks associated with devices.


Subject(s)
Computer Security, Confidentiality, Internet, Medical Informatics/methods, Risk Assessment, Biomedical Engineering/instrumentation, Biomedical Engineering/standards, Equipment Safety, Equipment and Supplies/standards, Humans