Tecnalia's OPENCERT



Functional Components Description

The current features of OpenCert include the management of information from standards and regulations, the management of assurance projects, assurance case management, and compliance management.

The main functional blocks of OpenCert are:

  • Reference Framework Management: Functionality related to the management of standards information as well as any other information derived from them, such as interpretations about intents, mapping between standards, etc. This functional group maintains a knowledge database about “standards & understandings”. The database is independent of the assurance projects.

  • Assurance Project Lifecycle Management: This functionality covers aspects such as the creation of assurance projects. This module manages a “project repository”, which can be accessed by the other modules.

  • Assurance Case Management: This group manages argumentation information in a modular fashion. It also includes mechanisms to support compositional safety assurance and the management of assurance patterns. It follows the idea of the assurance case as defined by the OMG: “An Assurance Case is a set of auditable claims, arguments, and evidence created to support the claim that a defined system/service will satisfy the particular requirements. An Assurance Case is a document that facilitates information exchange between various system stakeholders such as suppliers and acquirers, and between the operator and regulator, where the knowledge related to the safety and security of the system is communicated in a clear and defendable way” [1].

  • Evidence Management: This module manages the full life cycle of evidence and evidence chains. This includes evidence traceability management. This module is used to store all evidence used for regulatory accountability purposes.

  • Assurance Reporting: This functionality relates to reporting and the measurement of compliance levels.


Services provided

Support platform for R&D&I projects

The OpenCert platform was developed in the context of an R&D project and has evolved cooperatively through later R&D projects. An open source version is maintained under the umbrella of the Eclipse community, with different extensions developed either in collaboration with TECNALIA or independently by third parties.

These projects should be conducted mainly by researchers, although private projects may be developed in one-off cases. In the latter case, pay-per-use of the regulation and standards models in the regulation database is contemplated for use of the platform, with the aim of financing the project's amortization or maintenance.

Benchmarking, evaluation and/or certification of products and/or services

The platform can be used to support certain activities carried out during the development process for certification purposes, such as evidence accountability or the editing and evolution of assurance cases.

Training

The asset may be used as a platform for offering and developing a wide range of training activities, for instance on security-informed safety cases or the compliance process for a specific security standard. In other words, it enables access for end users, companies offering cybersecurity training, or researchers, so they can prepare and provide training.

Consultancy

The asset may be used as a platform to support consultancy services on:

  • Privacy and GDPR application

  • Application of functional safety standards such as ISO 26262 and IEC 61508

  • Application of security management related standards such as IEC 62443

Support for awareness actions or generation of cybersecurity culture

In the event that public-private partnerships are encouraged, the platform could be used in a public demo showing the different assurance activities performed during the product development process in order to comply with a specific standard or to ensure that threats and/or hazards have been managed, creating appealing scenarios for attracting talent or promoting local companies as leaders in industrial cybersecurity.


Keywords

Assurance cases, Standards Compliance, Assurance Accountability, GSN


Services

  • Benchmarking, evaluation and/or certification of products and/or services: support certain activities carried out during the development process for certification purposes, such as evidence accountability or the editing and evolution of assurance cases.

  • Training: enabling access to end users, companies offering cybersecurity training or researchers, so they can prepare and provide training.

  • Consultancy: privacy and GDPR application; application of functional safety standards such as ISO 26262 and IEC 61508; application of security management related standards such as IEC 62443.

  • Support for awareness actions or generation of cybersecurity culture: could be used in a public demo showing the different assurance activities performed during the product development process in order to comply with a specific standard or to ensure that threats and/or hazards have been managed, creating appealing scenarios for attracting talent or promoting local companies as leaders in industrial cybersecurity.


Technical equipment

  • Server asset:

    • Computers: 50 GB hard disk, 2 GB RAM

    • Software licenses: Windows 10 64-bit, PostgreSQL Database Server version 9.3.15 or 9.4.10

  • Client asset:

    • Computers: Dell PC PRECISION 3530, 16 GB, 200 GB

    • Software licenses: Windows 10 Pro 64-bit, Java Runtime Environment 1.8


Use request

General version: public

Privacy compliance specialized version: commercial