In this activity, the CORAL team focuses on the identification of CSA’s basic target audience, the definition of low-complexity products, services, which is dedicated to the identification of the category of ICT services, ICT products, etc. that could be concerned by the certification being designed. Then on the identification of technical scope dedicated to the identification of the main domains of technical inquiry needed to cover all the baseline of information security and cybersecurity.

Identification of CSA basic target audience and Products/ Services

The initial main target audience identified for the certification are Startups and SMEs because they often provide ICT services or propose ICT products or processes that could be considered as non-critical and low-complexity. Also, Startups and SMEs often do not have the budget and resources to do existing certifications on the market, which are expensive and target a medium and high level of security maturity products, services, and processes.

However, large companies proposing low complexity and low risk, ICT services, ICT products, and ICT processes can also request the CORAL certification. There is no discrimination between the category or type of company in the CORAL certification framework.

Definition of technical requirements

The technical requirements defined in the context of the CORAL project are limited to the objectives of the certification, that is basic assurance and low complexity products, services, and processes. The technical requirements were defined based on the standards and guidelines reviewed during the state-of-the-art.

General generic technical requirements were defined for products covering the following domains:

• Security architecture;
• Security by design: basic architecture design principles;
• Testing
• Vulnerability management strategy.

More product category requirements were also defined for web application products, Artificial intelligent products (AI) and Internet of Thing (IoT) products.

Domains of requirments for Web application products

• Authenticator requirements;
• Password Security Requirements;
• Credential Storage requirements;
• Credential Recovery requirements;
• Session management;
• Access control security requirements;
• Input Validation requirements;
• Error handling and logging verification requirements;
• Log management;
• Error Handling;
• Data Protection Verification Requirements;
• Communications Verification Requirements;
• Deployed Application Integrity Controls;
• File and Resources Verification Requirements;
• API and Web Service Verification Requirements;
• RESTful Web Service Verification Requirements;
• Dependency;
• Unintended Security Disclosure Requirements.

Domains of requirments for AI products

• Fundamental rights;
• Access Management;
• Password requirements;
• Data security & privacy requirements;
• Risk & Vulnerability management;
• Security update management;
• General security requirements.

Domains of requirments for IoT products

• Security by Design Principles;
• Access Management;
• Password management;
• Software and System update Management;
• Security of stored and processed data;
• System hardening;
• System security resilience;
• Installation and Maintenance;
• Security & Cryptography best practices;
• Data Privacy;
• Vulnerability management;
• Support;
• Compliance;
• Configuration management;
• Communication Security.

Domains of requirments for ICT services

• Information security policies;
• Inventory and controls of Assets;
• Data Protection;
• Secure Configuration of Assets;
• Access Control Management;
• Account Management;
• Continuous vulnerability Management;
• Audit log management;
• Malware Defenses;
• Data Recovery;
• Network Infrastructure management;
• Network Monitoring and defense;
• Security Awareness and Skills Training;
• Application Security;
• Incident Response Management;
• Contract security requirements;
• Contract privacy requirements.

Domains of requirments for ICT processes

• Organizational project-enabling process;
• Project Process;
• Technical Process;
• Compliance requirements;
• Supply relationship Process.

The target audience nor the technical requirements are fixed. These can change and evolve during the project and the lifetime of the certification framework based on threats landscape and vulnerabilities. Furthermore, the CORAL certification framework is based on the framework proposed by the ENISA, hence any change in the scope of products, services, processes, and assurance evaluation criteria in the Cybersecurity Act would affect it.

For the detailed deliverable, please look at this document