Services & Solutions
At SecureMetric we understand that our digital security products and solutions play a very critical role in our customers' ICT implementations, so it is very important to ensure that our offerings comply with industry security standards. Almost all our security devices are developed based on either an EAL4+ certified or compliant microprocessor smart chip, which ensures that the hardware architecture alone is already clone-proof. Some of our systems and products have gone through security validation, such as EJBCA, SecureToken ST3 and SecureCOS PKI. Additionally, we recommend the AEP K Series HSM, which is FIPS 140-2 Level 4 certified, for PKI or related implementations, where it will fulfil maximum security requirements on the root of the system. Furthermore, SecureMetric R&D is adopting a CMMI-compliant development process. It is SecureMetric's commitment to ensure that what we offer is always SECURED.
MyCC Malaysian Common Criteria Evaluation & Certification
The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme is a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria or standards. It is important to have a scheme to ensure high standards of competence and impartiality are maintained, and that consistency is achieved. The MyCC Scheme evaluates and certifies the security functionality within ICT products against the ISO/IEC 15408 standard, which is known as Common Criteria (CC). The methodology used in the evaluation is also a recognised standard, known as the Common Evaluation Methodology (CEM) or ISO/IEC 18045.
Based on the Common Criteria Recognition Arrangement (CCRA) requirement, a scheme is managed by a sole Certification Body (CB). The Certification Body for the MyCC Scheme is known as the Malaysian Common Criteria Certification Body (MyCB), a department within CyberSecurity Malaysia. MyCB is responsible for carrying out certification and overseeing the day-to-day management and operation of the scheme. MyCB is independent from the Evaluation Facilities. SecureMetric’s SecureToken ST3 was awarded MyCC.
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. SecureToken ST3 and SecureCOS PKI were awarded a Common Criteria Certificate with Assurance Level EAL 1 on 21 March 2011.
EAL1: Functionally Tested. Provides analysis of the security functions, using a functional and interface specification of the TOE, to understand the security behaviour. The analysis is supported by independent testing of the security functions.
EAL4+: EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.
SecureMetric’s tokens and dongles are EAL4+ compliant, whereas EJBCA will be releasing an EAL4+ certified version before the end of 2011.
FIPS 140-2 Level 4
SecureMetric is the authorized distributor for AEP Networks’ FIPS 140-2 Level 4 certified HSM, the first network-ready HSM to come with such certification and classified as the most secure HSM available in the market. The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules. The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems.
There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorised roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.









