CEN ISO/TS 17574:2017
Electronic fee collection - Guidelines for security protection profiles (ISO/TS 17574:2017)
ISO/TS 17574:2017 provides guidelines for preparation and evaluation of security requirements specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 (all parts) and in ISO/IEC TR 15446.
A Protection Profile (PP) is a set of security requirements for a category of products or systems that meet specific needs. A typical example would be a PP for On-Board Equipment (OBE) used in an EFC system. However, the guidelines in this document are superseded if a Protection Profile already exists for the subsystem under consideration.
This document provides guidelines for the preparation and evaluation of security requirements specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 (all parts) and in ISO/IEC TR 15446.
A Protection Profile (PP) is a set of security requirements for a category of products or systems that meet specific needs. A typical example is a PP for On-Board Equipment (OBE) used in an electronic fee collection (EFC) system. The guidelines in this document do not apply if a protection profile already exists for the subsystem under consideration.
The targets of evaluation (TOE) for an EFC system are limited to specific roles and interfaces of the EFC system, as shown in Figure 1. Since existing standards and financial security criteria apply to the other, external roles and interfaces, these are assumed to be outside the scope of the targets of evaluation for the EFC system.
The security evaluation is based on assessing the security properties of the roles, entities and interfaces defined in the Security Target (ST), rather than on evaluating entire processes, which are often distributed across more entities and interfaces than those covered by the targets of evaluation of this document.
Standards Content (Sample)
SLOVENIAN STANDARD
1 October 2017
Replaces: SIST-TS CEN ISO/TS 17574:2009
Electronic fee collection - Guidelines for security protection profiles (ISO/TS 17574:2017)
This Slovenian standard is identical to: CEN ISO/TS 17574:2017
ICS: 03.220.20 Road transport; 35.240.60 IT applications in transport
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
CEN ISO/TS 17574
TECHNICAL SPECIFICATION
SPÉCIFICATION TECHNIQUE
March 2017
TECHNISCHE SPEZIFIKATION
ICS 03.220.20; 35.240.60
Supersedes CEN ISO/TS 17574:2009
English Version
Electronic fee collection - Guidelines for security protection profiles (ISO/TS 17574:2017)
This Technical Specification (CEN/TS) was approved by CEN on 3 March 2017 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to
submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS
available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in
parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN ISO/TS 17574:2017 E
Contents
European foreword (page 3)
European foreword
This document (CEN ISO/TS 17574:2017) has been prepared by Technical Committee
ISO/TC 204 “Intelligent transport systems” in collaboration with Technical Committee
CEN/TC 278 “Intelligent transport systems”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
This document supersedes CEN ISO/TS 17574:2009.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Endorsement notice
The text of ISO/TS 17574:2017 has been approved by CEN as CEN ISO/TS 17574:2017 without any
modification.
TECHNICAL SPECIFICATION ISO/TS 17574
Third edition, 2017-03
Electronic fee collection — Guidelines for security protection profiles
Reference number: ISO/TS 17574:2017(E)
© ISO 2017
ISO/TS 17574:2017(E)
© ISO 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword (p. iv)
Introduction (p. v)
1 Scope (p. 1)
2 Normative references (p. 1)
3 Terms and definitions (p. 2)
4 Abbreviated terms (p. 4)
5 EFC security architecture and protection profile processes (p. 5)
5.1 General (p. 5)
5.2 EFC security architecture (p. 5)
5.3 Protection profile preparatory steps (p. 6)
5.4 Relationship between actors (p. 7)
6 Outlines of Protection Profile (p. 9)
6.1 Structure (p. 9)
6.2 Context (p. 10)
Annex A (informative) Procedures for preparing documents (p. 11)
Annex B (informative) Example of threat analysis evaluation method (p. 45)
Annex C (informative) Relevant security standards in the context of the EFC (p. 50)
Annex D (informative) Common Criteria Recognition Arrangement (CCRA) (p. 51)
Bibliography (p. 52)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the meaning of ISO-specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/TC 204, Intelligent transport systems.
This third edition cancels and replaces the second edition (ISO/TS 17574:2009), which has been
technically revised. This edition includes the following significant changes with respect to the previous
edition:
— Clause 1 has been redrafted and shortened;
— Clause 3 has been updated with harmonized terms;
— requirements have been updated to reflect the latest version of the ISO/IEC 15408 series;
— a new Clause 5 has been added, comprising much of the text from the Scope of the previous
edition.
Introduction
Electronic fee collection (EFC) systems are exposed to several kinds of fraud, by users and operators
as well as by people outside the system. These security threats have to be met by different types of
security measures, including security requirements specifications.
It is recommended that EFC operators or national organizations, e.g. highway authorities or transport
ministries, use the guideline provided by this document to prepare their own EFC/protection profile
(PP), as security requirements should be described from the standpoint of the operators and/or
operators’ organizations.
It should be noted that this document is of a more informative than normative nature and it is intended
to be read in conjunction with the underlying international standards ISO/IEC 15408 (all parts).
Most of the content of this document is an example shown in Annex A on how to prepare the security
requirements for EFC equipment, in this case, a DSRC-based OBE with an IC card loaded with crucial
data needed for the EFC. The example refers to a Japanese national EFC system and should only be
regarded as an example.
After an EFC/PP is prepared, it can be internationally registered by the organization that prepared the
EFC/PP so that other operators or countries that want to develop their EFC system security services
can refer to an already registered EFC/PP.
This EFC-related document on security service framework and EFC/PP is based on ISO/IEC 15408 (all
parts). ISO/IEC 15408 (all parts) includes a set of requirements for the security functions and assurance
of IT-relevant products and systems. Operators, organizations or authorities defining their own EFC/PP
can use these requirements. This will be similar to the different PPs registered by several financial
institutions, e.g. for payment instruments like IC cards.
Products and systems developed in accordance with ISO/IEC 15408 (all parts) can be given public
assurance through evaluation and certification by government or designated private evaluation agencies.
Electronic fee collection — Guidelines for security
protection profiles
1 Scope
This document provides guidelines for preparation and evaluation of security requirements
specifications, referred to as Protection Profiles (PP) in ISO/IEC 15408 (all parts) and in
ISO/IEC TR 15446.
By
...