CERTIFICATION APPROACH IN DOME (T4.3)
Objectives:
- Develop a formal process to verify compliance with reference standards
- Develop a methodological framework, supported by tools, to verify compliance with reference standards during the on-boarding process
- Develop tools to automatically monitor the validity of the certificates (i.e., by checking ENISA's public registry)
- Develop tools to continuously monitor that the EUCS "high" level security requirements are being fulfilled
DOME project-level assumptions:
- DOME won't certify services
- DOME will guarantee that services in the platform are certified (based on their verifiable credentials)
- DOME needs to support the EUCS "high" level, which requires continuous assessment of certificate validity
DOME certification approach, first insights:
- DOME will verify that services that want to be endorsed in DOME are compliant with the selected schemes: EUCS; others: ISO 27001/27017
- DOME will assess the "continuous compliance" required by EUCS during the lifecycle of the service in DOME
- DOME could also offer (some) services to help service providers become EUCS compliant (adapted from the MEDINA framework or others)
Other considerations:
Enlarging the scope of certification verification in DOME: "CSP's posture 360": security, testing, financial, contractual framework. Added-value services over these KPIs, such as a ranking of CSPs/CSs.
- Provider security posture. See, as an example, Bitsight Security Ratings (Bitsight).
- Product testing. Qualification report.
- Contractual framework. Setting a contractual baseline (a minimum contractual SLA, the presence of specific reporting, or something else) can be an additional control that we propose in the validation process.
- Provider service posture. What about creating a "ranking" function where customers of a specific service can provide feedback that we map to a "ranking" of the individual provider? Later this could be used to set a minimum level required to be qualified on the portal.
- Provider financial posture. It is unclear whether there is a way to check the financial posture of a specific provider, but this may be another qualification factor we could introduce in the ranking evaluation.
Certification compliance sub-processes in DOME:
- Step 0: Certification initialization/configuration - Baseline (Theory: EUCS+Rulebook). Default: ISO27001 + ISO27017

| Section | Description (TECNALIA) |
| --- | --- |
| Process id | CP00 |
| Objective | Certification initialization/configuration |
| Description | The DOME admin/marketplace admin sets up the certification level for the services, selecting which certifications/frameworks need to be provided when a service is endorsed into the DOME/federated marketplace. Some certification levels will be pre-configured (i.e., Baseline/DOME) and the mandatory certifications will already be included. Other levels to be initialized could be customized for each of the marketplaces to be federated (i.e., Advanced level). Levels: Baseline: ISO27001 + ISO27017; DOME: EUCS; Vertical: Automotive, Energy, Banking; Advanced: Testing, financial, FIWARE, etc. Based on this configuration the certification options to be provided may differ, and thus it will impact the "3) verification of the compliance with DOME's basic standards and criteria" (Theory: EUCS+Rulebook). Default: ISO27001 + ISO27017. Others: testing frameworks, service posture, financial. |
| Roles | DOME admin, marketplace admin |
| Pre-Conditions | The different certification levels need to be established in the DOME platform. |
| Comments | This process is part of the initialization of the marketplace / configuration of which certification data is to be requested. It is part of the characterization of the services (the certification part) that needs to be defined in DOME. Open question: how to manage a change of certification configuration? |

- Step 1: Certification accreditation - A CS that wants to be part of DOME provides the certificates (sail Statement of Applicability)
- Step 2: Certification assessment for endorsement - DOME assesses the certificates and provides an answer to the CSP
- Step 3: Continuous certification assessment (EUCS) - DOME continuously assesses the certification
- Step 4: Filtering / looking up / ranking services with a certain certification level - This is not directly related to the compliance process, but it has an impact on the characterization of the services
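The sub-processes above (Step 0 configuration, Step 1 submission, Step 2 assessment and Step 3 continuous re-assessment) as one small worked model, added here as an example and not DOME project code. The level contents come from the table above; everything else is an assumption of this example: the `DOME` level building on `Baseline`, the certificate fields, the trusted-issuer list, and the `SAMPLE_REGISTRY` dictionary that stands in for a public certificate registry lookup (such as the ENISA registry check named in the objectives). All sample certificates and identifiers are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Step 0 (CP00): the admin configures which schemes each level requires.
# Level contents follow the table above; the DOME level building on
# Baseline is an assumption of this example.
CERTIFICATION_LEVELS = {
    "Baseline": {"ISO27001", "ISO27017"},
    "DOME": {"ISO27001", "ISO27017", "EUCS"},
}

# Constructed stand-in for a public certificate registry: id -> status.
SAMPLE_REGISTRY = {
    "cert-iso27001-001": "valid",
    "cert-iso27017-001": "valid",
    "cert-eucs-001": "valid",
}

# Constructed list of accepted conformity assessment bodies.
TRUSTED_ISSUERS = {"CAB-A", "CAB-B"}


@dataclass(frozen=True)
class Certificate:
    """Assumed shape of what a CSP submits in Step 1."""
    cert_id: str
    scheme: str
    issuer: str
    valid_from: date
    valid_until: date


def certificate_problems(cert, on, trusted_issuers, registry):
    """Reasons a certificate cannot be accepted on date `on`; empty = OK."""
    problems = []
    if cert.issuer not in trusted_issuers:
        problems.append("untrusted issuer")
    if not (cert.valid_from <= on <= cert.valid_until):
        problems.append("outside validity period")
    status = registry.get(cert.cert_id)
    if status != "valid":
        problems.append(f"registry status: {status or 'not found'}")
    return problems


def assess_service(certs, level, on, trusted_issuers, registry):
    """Step 2: check submitted certificates against the configured level.
    Step 3 is the same check re-run at a later date: an expired or
    withdrawn certificate flips the result back to non-compliant."""
    required = CERTIFICATION_LEVELS[level]
    covered, rejected = set(), {}
    for cert in certs:
        problems = certificate_problems(cert, on, trusted_issuers, registry)
        if problems:
            rejected[cert.cert_id] = problems
        else:
            covered.add(cert.scheme)
    missing = sorted(required - covered)
    return {"compliant": not missing, "missing": missing, "rejected": rejected}


# Constructed sample submission: two ISO certificates and one EUCS certificate.
SAMPLE_CERTS = [
    Certificate("cert-iso27001-001", "ISO27001", "CAB-A", date(2023, 1, 1), date(2026, 1, 1)),
    Certificate("cert-iso27017-001", "ISO27017", "CAB-A", date(2023, 1, 1), date(2026, 1, 1)),
    Certificate("cert-eucs-001", "EUCS", "CAB-B", date(2024, 6, 1), date(2025, 6, 1)),
]


def onboarding_result():
    """Step 2 on the submission date: all three certificates are accepted."""
    return assess_service(SAMPLE_CERTS, "DOME", date(2024, 9, 1), TRUSTED_ISSUERS, SAMPLE_REGISTRY)


def continuous_result_after_expiry():
    """Step 3 a year later: the EUCS certificate has expired."""
    return assess_service(SAMPLE_CERTS, "DOME", date(2025, 7, 1), TRUSTED_ISSUERS, SAMPLE_REGISTRY)


def continuous_result_after_withdrawal():
    """Step 3 with the registry now reporting the EUCS certificate as withdrawn."""
    registry = {**SAMPLE_REGISTRY, "cert-eucs-001": "withdrawn"}
    return assess_service(SAMPLE_CERTS, "DOME", date(2024, 9, 1), TRUSTED_ISSUERS, registry)


if __name__ == "__main__":
    print(onboarding_result())
    print(continuous_result_after_expiry())
    print(continuous_result_after_withdrawal())
```

The point of the model is that Step 2 and Step 3 share one check; continuous assessment is simply scheduling that check and acting on a result that changes, which is why both the validity period and the registry status are inputs rather than facts trusted from the credential alone.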