• Shopping Cart
    There are no items in your cart

ISO/IEC TS 20540:2018

Current

Current

The latest, up-to-date edition.

Information technology — Security techniques — Testing cryptographic modules in their operational environment

Available format(s)

Hardcopy , PDF , PDF 3 Users , PDF 5 Users , PDF 9 Users

Language(s)

English

Published date

18-05-2018

€165.00
Excluding VAT

This document provides recommendations and checklists which can be used to support the specification and operational testing of cryptographic modules in their operational environment within an organization's security system.

The cryptographic modules have four security levels which ISO/IEC 19790 defines to provide for a wide spectrum of data sensitivity (e.g. low-value administrative data, million-dollar funds transfers, life-protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location).

This document includes:

a) recommendations to perform secure assessing for cryptographic module installation, configuration and operation;

b) recommendations to inspecting the key management system, protection of authentication credentials, and public and critical security parameters in the operational environment;

c) recommendations for identifying cryptographic module vulnerabilities;

d) checklists for the cryptographic algorithm policy, security guidance and regulation, security manage requirements, security level for each of the 11 requirement areas, the strength of the security function, etc.; and

e) recommendations to determine that the cryptographic module's deployment satisfies the security requirements of the organization.

This document assumes that the cryptographic module has been validated as conformant with ISO/IEC 19790.

It can be used by an operational tester along with other recommendations if needed.

This document is limited to the security related to the cryptographic module. It does not include assessing the security of the operational or application environment. It does not define techniques for the identification, assessment and acceptance of the organization's operational risk.

The organization's accreditation, deployment and operation processes, shown in Figure 1, is not included to the scope of this document.

This document addresses operational testers who perform the operational testing for the cryptographic modules in their operational environment authorizing officials of cryptographic modules.

Committee
ISO/IEC JTC 1/SC 27
DocumentType
Standard
Pages
39
ProductNote
THIS STANDARD ALSO REFERS TO ISO/IEC 20085-1,ISO/IEC 20085-2,ISO/IEC 20543,ISO/IEC 20897
PublisherName
International Organization for Standardization
Status
Current

Standards Relationship
CSA ISO/IEC TS 20540:19 Identical
PD ISO/IEC TS 20540:2018 Identical

ISO/IEC 15408-3:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components
FIPS PUB 140-2 : 0 SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
ISO/IEC 19790:2012 Information technology — Security techniques — Security requirements for cryptographic modules
ISO/IEC 27002:2013 Information technology Security techniques Code of practice for information security controls
ISO/IEC 17825:2016 Information technology — Security techniques — Testing methods for the mitigation of non-invasive attack classes against cryptographic modules
ISO/IEC TR 20004:2015 Information technology Security techniques Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
ISO/IEC 24759:2017 Information technology Security techniques Test requirements for cryptographic modules
ISO/IEC 17024:2012 Conformity assessment — General requirements for bodies operating certification of persons
ISO/IEC 18045:2008 Information technology — Security techniques — Methodology for IT security evaluation

Access your standards online with a subscription

Features

  • Simple online access to standards, technical information and regulations.

  • Critical updates of standards and customisable alerts and notifications.

  • Multi-user online standards collection: secure, flexible and cost effective.