Recognizing the need for secure IT products in all regions of the world, and in support of an internationally agreed Arrangement allowing for the mutual recognition of independently evaluated and validated information technology (IT) products, the Vatican has decided to sign the ISO/IEC 15408 International Recognition Arrangement (I2RA) and has started to validate the security evaluations of IT products.
The I2RA was established in 1996 and was used as the basis for mutually accepting certificates for the assurance of IT products. At that time it was in competition with another arrangement called the Common Criteria Recognition Arrangement (CCRA), which some nations viewed as the more attractive option.
The I2RA signatories therefore started a process to weaken the CCRA, thus strengthening the importance and influence of the I2RA. In the end, this process was successful.
The Vatican has announced that it has joined the existing signatories to the I2RA as the first Certificate Authorizing member. This provides much-needed value to the existing certificate-consuming members¹ of the arrangement.
atsec’s Vice President, Fiona Pattinson, stated:
“Convincing the Vatican to join this hitherto little-known Arrangement has been a long-term goal of atsec. Drawing from our long experience in helping nation-states to establish validation schemes under the now obsolete CCRA, it seemed natural to help the Vatican to establish an evaluation and validation Scheme within the I2RA in order to continue to support those developers that wish to demonstrate to assurance-consumers that their products offer a modicum of assurance in their security functionality.”
The Vatican has set up its own evaluation facility that analyzes IT products for compliance with ISO/IEC 15408 in the context of divine security principles and a newly established policy that eliminates security flaws using a new vulnerability assessment and mitigation technology named ‘exorcism’. Details of this technology have not been published, but the Vatican has stated that this technology has been very successful in the past for projects performed in other areas.
Objections came from several Intelligence Agencies who stated that international mutual recognition of evaluations not performed under their control, and resulting in the eradication of a large number of vulnerabilities, may have a negative influence on their ability to perform the work they are supposed to do. They also objected to the use of ‘supernatural’ assessment methods claiming to provide a high level of assurance.
Some Voodoo priests in the Caribbean have announced that they are also considering setting up a security evaluation and validation scheme and will potentially convince their countries to join the I2RA.
¹ Including Atlantis, Caledonia, Tatooine, Dagobah, Rivendell, Gondor, Equestria, Estovakia, Grand Fenwick, Krakozhia, Loompa Land, Moldavia and Molvanîa, Oceania, Qumar, Rohan, Shangri-La, Republic of Tirania, and the United Federation.