What is the Protection Profile?

The Protection Profile is an important concept and document for evaluating the ISO 15408 Common Criteria. In the international literature, it is known as "Protection Profile" (or PP).

In the Protection Profile document, the safety requirements for a particular product category are defined in accordance with the Common Criteria jargon. Examples of product categories include Hospital Information Management System software, Firewall Products, SIEM products, Passports, and so on.

In this context, in general the relevant product category:

  • Definition,
  • Working environment and environmental components,
  • Possible assets to target protection,
  • User roles,
  • Assumptions and policies for working conditions,
  • Information security threats,
  • the expected safety characteristics of the product and its surroundings to meet threats, assumptions and policies,
  • Analysis of threats, assumptions and policies that are met by the product or environment

It will be determined.

How Does the Protection Profile Reveal?

Protection Profiles are prepared or prepared by the authorities that guide sectors such as public institutions, taking into account industry needs. Here, public institutions are treated as just one example. The authority that prepares or prepares the Protection Profile may be either formal or informal working groups of private sector representatives. However, independently from the side preparing or preparing the document, the resulting document is evaluated by a laboratory according to the common criterion standard and approved by the certification authority (Turkish Standards Institute Institute - TSE). In the evaluation and approval process, the method followed in the product evaluation and approval process is followed . The only difference is that the special section of the standard's Protection Profile assessment is taken into account during the evaluation.

Is the Protection Profile Always Necessary?

It is not necessary to have a Protection Profile document in order for a product to qualify for common criteria and obtain a certificate. However, the existence of the Protection Profile is of great importance, especially in terms of guaranteeing the safety of the users.

In ISO 15408 Common Criteria evaluations, the scope of certification applies to the scope and assumptions defined in the safety objectives document of the products. Security target documents are documents written in standard jargon with common criteria and reviewed and understood, at least to a certain level of expertise and subject to dominance. Therefore, users can only buy and use products that do not guarantee the certification and security that they actually expect when looking at the product labels.

At this point, the Protection Profiles document comes into play. If the Protection Profiles documents have been prepared by trusted authorities and at the same time have been certified by the certification bodies as security documents that include the product in question, users will be relieved of any possible fraud by checking that the product conforms to the Protection Profile document.

What is Protection Profile Detail Level?

Protection does not include the product, but the product category. For example, it might say that the product will be installed on an operating system and it may not customize what kind of operating system it will be.

Similarly, security functions can be kept in common. For example, the cryptographic function to be used here may not be specified when the product is stated to provide cryptographic confidentiality of the data. As another example, when specifying that the product will authenticate, the method to be used here can be left open.

Leaving the conditions within the Protection Profile provides flexibility for manufacturers to develop products that comply with this protection profile. Flexible points must be precisely defined within the Security Target documents prepared specifically for the products.

If the authority preparing the Protection Profile deems necessary, it may restrict flexibility by clarifying the specific requirements of the product category in the Protection Profile.

How to Use Protection Profile

Protection Profiles will receive the product if necessary; customer, customer group or authority. In this case, the producers who develop products for the relevant category develop their products by taking these documents into consideration and reference them in the Safety Target documents they prepare for the product.

If there is a previously prepared and accepted Protection Profiles document in relation to a product category, the purchasing authority or the customer may request the appropriate product for this Protection Profile instead of preparing the new Protection Profile Document.

For example, get a Protection Profile related to Firewall product category in the middle. If a ministry acquires a firewall product, it may request a product that conforms to the existing Protection Profile instead of providing a protection profile.


Source: Certby (http://www.certbylab.com/blog/koruma-profili-protection-profile)