Title

從歐盟EUCC之產製場所最低安全要求事項驗證及美國(資訊)安全自動化協定闡釋技術脆弱性控制之資安生態系統發展

Parallel Title

The Elucidation on the Technical Vulnerability Controls for the Ecology of Developments of Cybersecurity from the Certifications of Minimum Site Security Requirements (MSSR) of EUCC and Security Content Automation Protocol (SCAP) in the U.S.

Authors

樊國楨;羅德興

Keywords

European cybersecurity certification scheme ; Controls ; Information security management system ; Minimum site security requirements ; (information) Security content automation protocol (SCAP) ; Standardization

Journal

電腦稽核 (Computer Audit)

Issue / Publication Date

Issue 50 (2024/08/30)

Pages

20 - 51

Language

Traditional Chinese; English

Chinese Abstract (translated)

Standards accumulate knowledge and experience; standardization seeks, through a systematic, jointly coordinated and consistent method, to strengthen the knowledge of implementing standards so that it can be passed on. The European cybersecurity certification scheme (EUCC) sets out assurance levels based on the ISO/IEC 15408 standard series of the Common Criteria (CC), in a regulation stating: "1. Certification bodies shall issue EUCC certificates at the assurance level 'substantial' or 'high'; 2. An EUCC certificate at the 'substantial' assurance level shall correspond to an A (Assurance) VA (Vulnerability Assessment) _VAN (Vulnerability Analysis) certificate covering level 1 or 2; 3. An EUCC certificate at the 'high' assurance level shall correspond to an AVA_VAN certificate covering level 3, 4 or 5." The maximum fine under this regulation is 2.5% of annual turnover. In 2013, for information service providers such as wafer foundries and cable television operators, the EU introduced site certification and the Minimum Site Security Requirements (MSSR) respectively; based on MSSR version 3.0 and ISO/IEC 27002, the EUCC formally incorporated MSSR into its regulation. The Security Content Automation Protocol (SCAP) is a concrete product of the National Vulnerability Database (NVD), for which the U.S. National Institute of Standards and Technology (NIST) is responsible; this set of open standards is used to automate and standardize technical vulnerability management, configuration assessment and compliance checking within information security management. On 2015-12-15, the Common Criteria for Information Technology Security Evaluation (CC) standard series was formally incorporated into SCAP. The EU EUCC's certification of Minimum Site Security Requirements (MSSR) and the U.S. (information) Security Content Automation Protocol (SCAP) are the security standards and protocols of the world's two largest economies, and they complement each other. Combining the two can form a comprehensive cybersecurity ecosystem for technical vulnerability control, helping to raise the level of cybersecurity worldwide. The demand created by national regulations and by ever-increasing information security controls has become irresistible; the International Organization for Standardization (ISO) issued expanded specifications of ISO/IEC 27001 and ISO/IEC 27002 on 2022-10-25 and 2022-02-15 respectively for users to adopt. In Taiwan, in the course of standardizing information security management systems, the Vulnerability Alert and Notification System (VANS), Zero Trust Network (ZTN) and Endpoint Detection and Response (EDR) mechanisms under the work items "establishing a mechanism for proactive discovery, reporting and remediation of information and communication system vulnerabilities" and "improving the depth and breadth of defense of the Government Service Network" in the National Cyber Security Program (ROC years 110 to 113) are all issues of implementing the technical-vulnerability ecosystem on which MSSR focuses. Taking the technical vulnerability management of clause 8.8 of ISO/IEC 27002:2022(E) as its basis, this article explores what should be and what is in the development of a cybersecurity ecosystem for technical vulnerability control under the EUCC's MSSR and SCAP, as a foundation for information service providers, such as credit rating database operators, to formulate their own implementation standardization references.

English Abstract

Standards accumulate knowledge and experience, while standardization seeks to strengthen the knowledge of standard implementation in a systematic, coordinated and consistent way so that it can be inherited. The "European cybersecurity certification scheme (EUCC)" proposes assurance levels (Assurance Level) based on the ISO/IEC 15408 standard series of the Common Criteria (CC): "1. The certification body should issue EUCC certificates with an assurance level of "substantial" or "high"; 2. An EUCC certificate with the "substantial" assurance level should correspond to an A (Assurance) VA (Vulnerability Assessment) _VAN (Vulnerability Analysis) certificate covering level 1 or 2; 3. An EUCC certificate with the "high" assurance level should correspond to an AVA_VAN certificate covering level 3, 4 or 5." The corresponding maximum fine is 2.5% of annual turnover. The Security Content Automation Protocol (SCAP) is a significant outcome of the National Vulnerability Database (NVD), for which the National Institute of Standards and Technology (NIST) is responsible. This open standard is employed for the automation and standardization of information security management, encompassing areas such as vulnerability management, configuration assessment and compliance checking. On December 15, 2015, the SCAP framework was formally incorporated into the Common Criteria for Information Technology Security Evaluation (CC) standard series. The MSSR and the SCAP are the security standards and protocols of the world's leading economies. Such a complementary combination forms a comprehensive cybersecurity ecology of technical vulnerability controls and helps to promote an effective global level of cybersecurity. The demands of national regulations and of increasing information security control measures have become overwhelming. The International Organization for Standardization (ISO) issued the expanded specifications of ISO/IEC 27001 and ISO/IEC 27002 on 2022-10-25 and 2022-02-15 for users to adopt. In Taiwan, there are several issues in the progress of information security management system standardization, e.g. the Vulnerability Alert and Notification System (VANS), Zero Trust Network (ZTN) and endpoint detection in the work items "Establishing a mechanism for proactive discovery, reporting and repair of information system vulnerabilities" and "Improving the depth and breadth of government internet service network defense" of the National Information Security Development Plan (years 110 to 113). All the above issues are addressed in the certifications of Minimum Site Security Requirements (MSSR) of EUCC and the Security Content Automation Protocol (SCAP) in the U.S. Based on the MSSR and SCAP, this article discusses the normativity and reality of the ecosystem in the security field in order to serve as a basis for formulating standardization references for information service providers.

Subject Classification

Basic and Applied Sciences > Information Science