Security certification for critical information infrastructures: The Italian certification body approach
Abstract
Critical national infrastructures (CNIs) — defined as any public or private infrastructure whose operation is essential for a country’s security and functioning, including such fundamental sectors as healthcare, economy, energy, transport, communication systems, law enforcement, defence and, in general, public administration — can be affected by a variety of events that can jeopardise their efficiency both directly and indirectly. CNIs increasingly rely on critical information infrastructures (CIIs), such as telecommunications. These networks must guarantee operational viability when critical events occur, as well as under normal working conditions. In some circumstances, critical events can affect not only the CNIs, but also their telecommunication infrastructures. Such failures are not necessarily caused by external events. To guarantee their correct and continuous operation, security aspects of CIIs must therefore be the focus of particular care. Guarantees on the effectiveness and correctness of the security measures deployed in the CII can be obtained through certification. This paper analyses the role of system/product security certification in this context. In particular, the paper describes the certification approach recommended by the Italian national certification body (Organismo di Certificazione della Sicurezza Informatica) to achieve the maximum benefit from the process, in terms of both efficiency and security.
The full article is available to subscribers to the journal.
Author's Biography
Luisa Franchina obtained her ‘Laurea’ degree in electronics engineering in 1992 at the University of Rome, ‘La Sapienza’. In the period 1994– 1996 she attended the National School for PhD Students and in 1996 she was awarded a PhD in electronics engineering from the University of Rome, ‘La Sapienza’. Since 1993 she has worked as a consultant for several companies and Institutions. In the period 2003–2006 she worked at the Italian Ministry of Communications, where she was entrusted with various tasks: General Director For Regulations and Quality of Service, responsible for the startup of a new General Direction for purchase, security and computing; Italian representative on the ENISA (European Network and Information Security Agency) boards of directors; member of the Italian High Council of Communications, responsible to the Ministry of Communications SIA (Sistema informativo automatizzato); and General Director of the dell’Istituto Superiore delle Comunicazioni e della Tecnolgia dell’Informazione, (ISCOM). Luisa is currently the General Director of the Operative Group NBCR within the Italian Civil Protection Department.
Laura Gratta obtained her ‘Laurea’ degree in electronics engineering in 1989 at the University of Rome, ‘La Sapienza’. She worked as a researcher at Fondazione Ugo Bordoni from1990 to 2006, carrying out research activities on communication networks and ICT security. Since March 2006 she has been with the Italian Ministry of Communications, where she works on various aspects of ICT security. Laura is head of the ‘Certication Processes’ section of OCSI, the Italian National Certification Body for security for ICT Security for non-classified products and systems; she is also security evaluator for ISCOM CEVA, within the Italian National Security Authority certification scheme.
Marco Carbonelli achieved his ‘Laurea’ degree in telecommunications engineering in 1987. He is the author of more than 100 papers on TLC and ICT topics. Up to 2000 he worked in the research field of digital transmission, PHD-SDH-ATM equipment and TLC network synchronisation. Since 2001 he has been involved in information protection and security certification activities for the Fondazione Ugo Bordoni and Italian Ministry of Communications. In 2003 he was editor of the Guidelines for the implementation of the Italian Certification Scheme for the application of Common Criteria and ITSEC standards for non-classified ICT systems and products. In 2004–2005 he was head of the Security Certification Division of OCSI (Italian Security Certication Body). Since March 2006 he has been with the Italian Ministry of Communications, where he is head of the OSCI Precertification and Accreditation Division.
Citation
Franchina, Luisa, Gratta, Laura and Carbonelli, Marco (2007, May 1). Security certification for critical information infrastructures: The Italian certification body approach. In the Journal of Business Continuity & Emergency Planning, Volume 1, Issue 3. https://doi.org/10.69554/MNVM6190.
Publications LLP