Malaysian Security Evaluation Facility (MySEF)

MySEF is one of the licensed evaluation facilities under the Malaysian Common Criteria Evaluation & Certification (MyCC) Scheme. It provides expertise in security evaluation of ICT products and systems. It aims towards creating a safe and reliable computing environment through the provision of ICT security evaluation.

MySEF strengths in ICT Security Evaluation & Testing Services:


Accredited/Licensed Laboratory

  • CyberSecurity Malaysia MySEF is an accredited laboratory under the Laboratory Scheme Accreditation of Malaysia (SAMM), which meets the requirements of MS ISO/IEC 17025.

  • A licensed laboratory under MyCC scheme.

  • Well equipped to conduct:

      a) security functional testing
      b) security assessment and validation
      c) auditing and evaluating a variety of ICT products, systems and Protection Profiles (PP).

Highly Skilled and Certified Evaluators

  • Our evaluators are qualified and experienced in performing security evaluations including Common Criteria evaluations.

  • Our evaluators are highly skilled and competent in various fields of ICT technology and security including network, operating system, system administration, programming, web application, PKI, ethical hacking, auditing, smart cards and smart card readers, penetration testing and biometrics.

  • Our evaluators are GWEB, CEH, CISSP, ECSA, ECES, GPEN, GSNA, GCUX, GSEC, GWAPT, ISMS Lead Auditor and Information System Security Professional certified.

  • Our evaluators are Electronics Engineering professionals majoring in Computer, Information Security and Computer Science.

Evaluation Facility

  • Our lab has sufficient equipment to carry out most ICT product and system evaluations. We are currently venturing into smart card testing equipment, such as probing and analysis equipment, to perform SPA and DPA.

  • Our lab can cater for small to medium sized products such as software-based products (e.g. web applications), firewall appliances and others.

MySEF Services:

1. Common Criteria (CC) Evaluation Service (up to EAL 4)

  • ICT product evaluation on the product security features against Common Criteria standard - a set of functional and assurance claims using MS-ISO/IEC 15408 Common Criteria (CC) and MS-ISO/IEC 18045 Common Evaluation Methodology (CEM)

  • Certificate is recognized in Malaysia and globally among 27 CCRA countries (e.g. U.S., U.K., Canada, France, Germany and Netherlands)

  • Involves two major processes: product evaluation and product certification. A product needs to be evaluated by a CC laboratory (CyberSecurity Malaysia MySEF or another licensed lab) before being certified by the certification body. For more details on the certification process, refer to the MyCC website.

  • The product evaluation consists of product technical documentation review, security functional testing and penetration testing on the actual product.

  • Certification provides independent confirmation of the validity of the evaluation results and a level of confidence in the security functionality provided by an ICT product

  • Another evaluation offered under this service is Protection Profile (PP) evaluation. A PP is an implementation-independent set of security requirements, evaluated to determine whether they solve a stated security problem. This evaluation provides customers with validated security requirements to support selection and procurement of ICT products.

2. ICT Product Security Assessment (IPSA) Service

  • ICT Product security assessment consisting of Security Functionality Testing and/or Penetration Testing.

  • IPSA adapts ISO/IEC 15408 Common Criteria (CC) and ISO/IEC 18045 Common Evaluation Methodology (CEM), any relevant Malaysian Standards (MS), or commonly used best practices/reference test methods.

  • An ICT product that has been evaluated under the IPSA Service will be issued a notification letter that is recognized locally in Malaysia.

  • The scope of work for IPSA service consists of:

      i. Security Functional Testing; and/or
      ii. Penetration Testing

3. Independent Verification Assessment (IVA) Service

  • Verification of product functionality and product security functionality claims by product developer.

  • A product that has been evaluated under the IVA Service will be issued a notification letter that is recognized locally in Malaysia.

List of Product Categories for Evaluation

  1. Cryptographic Systems

  2. Access Control Devices and Systems

  3. Biometric Systems and Devices

  4. Boundary Protection Devices and Systems

  5. Data Protection

  6. Databases

  7. Detection Devices and Systems

  8. ICs, Smart Cards and Smart Card related Devices and Systems

  9. Key Management Systems

  10. Multi-Function Devices

  11. Network and Network related Devices and Systems

  12. Operating Systems

  13. Product for Digital Signatures

  14. Trusted Computing (inclusive of Cloud Computing & Internet of Things)

Benefits

Benefits of CC Evaluation

  • Enhance customer confidence with Common Criteria certification

  • Improve the quality and development of the product

  • Support customers and users in the reduction and management of their risks

  • The benefits extend to end-users of the product's security

  • Gain access to international markets for Malaysian ICT products in local ICT market

  • Enhance security of Malaysia's information infrastructure by ensuring the availability of ICT products, with independently-verified security features

  • Enhance Malaysia's reputation as a provider of ICT security assurance services globally

Benefits of IPSA and IVA Evaluation

  • Improve the competitiveness of Malaysian ICT products in local ICT market

  • Enhance security of Malaysia's information infrastructure by ensuring the availability of ICT products

  • Enhance Malaysia's reputation as a provider of ICT security assurance services globally

Benefits for End-User

  • Gain confidence in the security provided by the product

  • Get more secure IT products and systems

  • End-users can make a comparison with other products in the marketplace that are without the CC

  • Improve the management of technology risks

  • Reduce the risk of reputational damage to their organization

Application

Common Criteria Evaluation Application Process

Pitching Session

  • This includes a product demo or product technical presentation in terms of its security features by a client. CyberSecurity Malaysia MySEF will score the product using the MySEF Evaluation Project Acceptance Form. During this presentation, we will have a discussion on the security features of the product, scope of evaluation, the Evaluation Assurance Level (EAL) that is required, whether the product is completed or under development, product documentation and commitment towards the evaluation process

  • If the score meets the requirement to proceed with evaluation, we will proceed with developing a business proposal, describing the evaluation process, price, timeline and deliverables by both parties

  • If the client accepts the proposal, the client will sign the acceptance form in the business proposal and return it to CyberSecurity Malaysia MySEF

  • CyberSecurity Malaysia MySEF will proceed with preparing the Service Level Agreement (SLA) to be signed by both parties. Once completed, client is required to submit a purchase order and CyberSecurity Malaysia will issue an invoice

  • During the legal and finance process, the client can start preparing the Security Target (ST) document which is a crucial document to begin evaluation and submit it to CyberSecurity Malaysia MySEF. For a sample of the stated Security Target (ST), one can refer to the publicly available security targets on the Internet or at the MyCC website

  • CyberSecurity Malaysia MySEF will review the ST and proceed with an evaluation proposal to the Malaysian Common Criteria Certification Body (MyCB) to start the technical evaluation on the client's product.

  • For Protection Profile evaluation application process, please contact the Lab Manager for further information.

IPSA/IVA Application Process

  • Similar to Common Criteria evaluation application process; except that the client is not required to develop a Security Target.

  • Please contact the lab manager for more information

Additional Information

Evaluation Assurance Level (EAL), Duration and Fee

  • Currently we are offering Evaluation Assurance Level (EAL) EAL1 up to EAL4+ augmented.

  • Duration for evaluation may take three months and above, depending on Evaluation Assurance Level (EAL) that the client chooses and the client's commitment towards such evaluation.

  • Evaluation fee will depend on the scope, complexity of the Target of Evaluation (TOE) and Security Features Requirements (SFRs). The cost will be higher if specialized testing under AVA and ATE is needed. If the testing requires access to specialized test equipment or facility, then we will partner with other CC labs and any direct costs incurred by CyberSecurity Malaysia will be passed on to the client.

  • The quoted fee is based on the assumption that no major Evaluation Observation Reports (EORs) are raised throughout the evaluation process and that there are not more than two iterations.

Training

  • CyberSecurity Malaysia MySEF is able to provide evaluator training and developer training for developing Common Criteria documentation, as well as other relevant training modules that may be required by a client. The language for the training content can be either Malay or English

Site Visit

  • Site visits by CyberSecurity Malaysia MySEF will be conducted within the evaluation execution period. The cost of the first site visit will be covered, but any additional site visits needed to resolve EORs are chargeable.

Common Criteria

The Common Criteria project was initiated to harmonize the ITSEC, CTCPEC (Canadian criteria), the US Draft Federal Criteria (FC) and TCSEC (Orange Book) into a Common Criteria for Information Technology Security Evaluation (CC), for use in evaluating products and systems and for stating security requirements in a standardized way. Its aim is to replace national and regional criteria with a worldwide set of standards. The CC has seven assurance levels; however, the Common Criteria Recognition Agreement (CCRA) recognizes only the first four. The Assurance Level Page contains detailed information about the seven CC levels.

Assurance Levels

The CC has seven assurance levels: from EAL1 (the lowest) to EAL7 (the highest). At present, only assurance levels up to EAL4 have been incorporated within the international Common Criteria Recognition Agreement (CCRA). The seven CC levels are described below.

| Level | Purpose |
|---|---|
| EAL1 | Functionally Tested. Provides analysis of the security functions, using a functional and interface specification of the TOE, to understand the security behavior. The analysis is supported by independent testing of the security functions. |
| EAL2 | Structurally Tested. Analysis of the security functions using a functional and interface specification and high-level design of the subsystems of the TOE. Independent testing of the security functions, evidence of developer "black box" testing, and evidence of a developer search for obvious vulnerabilities. |
| EAL3 | Methodically Tested and Checked. The analysis is supported by "grey box" testing, selective independent confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities. Development environment controls and TOE configuration management are also required. |
| EAL4 | Methodically Designed, Tested and Reviewed. Analysis is supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for obvious vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management. |
| EAL5 | Semi Formally Designed and Tested. Analysis includes all of the implementation. Assurance is supplemented by a formal model and a semiformal presentation of the functional specification and high level design, and a semiformal demonstration of correspondence. The search for vulnerabilities must ensure relative resistance to penetration attacks. Covert channel analysis and modular designs are also required. |
| EAL6 | Semi Formally Verified Design and Tested. Analysis is supported by a modular and layered approach to design, and a structured presentation of the implementation. The independent search for vulnerabilities must ensure high resistance to penetration attack. The search for covert channels must be systematic. Development environment and configuration management controls are further strengthened. |
| EAL7 | Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high-level design showing correspondence. Evidence of developer "white box" testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised. |

Certified Product Register

Common Criteria Product List

The listing contains products with:

  • Status "Certified" - Have completed Common Criteria evaluation and certification
  • Status "In Progress" - Currently being evaluated by CSM MySEF
  • Status "Certification Phase" - Currently under certification phase by certification body

| Assurance Level | Certificate Date | Product Name and Version | Product Sponsor/Developer | Status |
|---|---|---|---|---|
| EAL4+ | In Progress | Passport Smart Card OS ePassport | MCS Sdn Bhd | In Progress |
| EAL2 | September 6th, 2017 | SecureMi (DLP) version 1.2 | EVAULT Sdn Bhd | Certified |
| EAL4 | June 6th, 2017 | CENTAGATE ver 3.0.10 | SecureMetric Technology Sdn Bhd | Certified |
| EAL2 | May 11th, 2017 | DNSVault version 4.8 | DNSVAULT | Certified |
| EAL2 | March 19th, 2015 | Biocryptodisk Encryptor Model SD302 (Ver5.11-3.03), SD302CR (Ver5.11-5.03), ST302 (Ver5.11-1.00), and ST302B (Ver5.11-1.00) with Remote Token Management System v1.00 | BioCryptoDisk Sdn Bhd | Certified |
| EAL2 | January 29th, 2015 | Smart Data v1.4.0.0 | Smart Consult Solutions Sdn Bhd (Datasonic Group) | Certified |
| EAL2 | December 24th, 2014 | d'Compass v2.0.0 | TriAset Sdn Bhd | Certified |
| EAL2 | July 9th, 2014 | EXTOL ePassport Suite Version 3.0 | EXTOL Berhad | Certified |
| EAL1 | March 8th, 2011 | SCAN S3 Security Manager Console Version 1.0 Release 14556 integrated with SCAN S3 Identify Services Infrastructure Version 1.0 and SCAN S3 Multi Authentication Version 1.0 | Scan Associates Berhad | Certified |
| EAL2 | July 9th, 2014 | SCAN S3 Security Manager Console Release 14556 (v2.0) integrated with SCAN S3 Agent (v2.0.1.6.2) | Scan Associates Berhad | Certified |
| EAL1 | July 9th, 2014 | ePassport Suite | Extol MSC Berhad | Certified |
| EAL2 | May 12th, 2014 | Encr8tor version 7.25 | SuperEncipherment Technology Solution \| SETS | Certified |
| EAL2 | December 17th, 2013 | MQAssure™ Ne0n v3.0 | MagnaQuest IT Solutions Sdn Bhd | Certified |
| EAL2 | November 20th, 2013 | PKID ECC Generator v1.1 | WannaStation Sdn Bhd | Certified |
| EAL2 | November 4th, 2013 | iDERAS Unified Threat Management (UTM) v5.02 | Infosys Gateway Sdn Bhd | Certified |
| EAL2 | September 6th, 2013 | Single Card Access Maximum Security (SCAMS) 1.0 includes Ohanae Connect 2.1.2.0 | Reseitech Sdn Bhd | Certified |
| EAL2 | February 13th, 2013 | Log Radar | TecForte Sdn Bhd | Certified |
| EAL4+ | Sept 25th, 2012 | MCS Small Machine Operating System Common Criteria (SMOSCC) v1.0.0 | MCS Microsystems Sdn Bhd | In-Progress |
| EAL1 | April 16th, 2012 | NetSignOn v2.0 | MagnaQuest IT Solutions Sdn Bhd | Certified |
| EAL4 | April 11th, 2011 | MQAssure/AppShield v1.2_CR6 Integrated with MQAssure/IAM v1.0_CR6 | MagnaQuest IT Solutions Sdn Bhd | Certified |
| EAL3 | November 23rd, 2010 | MyBOX Firewall System, Version 3.1 | Tracenetwork Corporation Sdn Bhd | Certified |
| EAL1 | October 28th, 2011 | Mec-Wise HR, Version 3.1 R1 | StarVision Information Technology Sdn Bhd | Certified |
| EAL2 | July 8th, 2011 | OREACryptHDisk version 2.1 | OREA Technologies Sdn Bhd | Certified |
| EAL1 | July 8th, 2011 | ePassport Suite v2.5 | Extol Corporation (M) Sdn Bhd | Certified |
| EAL2 | June 27th, 2011 | OREA Crypt USB version 5.1 | OREA Technologies Sdn Bhd | Certified |
| EAL2 | June 15th, 2011 | NexCode National Security Suite Release 3 | S5 Systems Sdn. Bhd. | Certified |
| EAL2 | April 19th, 2011 | e-Trust Certificate Management System Version 3.5 | eVault Technologies Sdn Bhd | Certified |
| EAL2 | March 15th, 2011 | NetMATRIX TLE v1.0 Build number 00010003 | GHL Systems Berhad | Certified |
| EAL2 | March 8th, 2011 | VirtualEye v5.0 | I-Pocket Solutions Sdn Bhd | Certified |
| EAL2 | February 8th, 2011 | IDOTTV Web Portal 2.0 | Idottv Sdn Bhd | Certified |
| EAL1 | May 25th, 2011 | BT-Direct version 2010.1.0.0 | EA-Link System Sdn Bhd | Certified |
| EAL1 | May 16th, 2011 | E-Jari version 4.0 | Neural Services Sdn Bhd | Certified |
| EAL1 | March 8th, 2011 | VirtualEye v5.0 | Viewtech International Sdn Bhd | Certified |
| EAL1 | March 8th, 2011 | SCAN S3 Security Manager Console Version 1.0 Release 14556 integrated with SCAN S3 Identity Services Infrastructure Version 1.0 and SCAN S3 Multi Authentication Version 1.0 | SCAN Associates Berhad | Certified |
| EAL1 | February 8th, 2011 | IDOTTV Web Portal2.0 | IdotTV Sdn Bhd | Certified |
| EAL1 | January 13th, 2011 | eWorkshop Version 1.0 | Triangle Sphere Sdn Bhd | Certified |

Protection Profile List

The list contains protection profiles with:

  • Status "Certified" - Have completed Common Criteria evaluation and certification
  • Status "In Progress" - Currently being evaluated
  • Status "Certification Phase" - Completed evaluation and have entered certification phase by certification body

| Certificate Date | Product Name & Version | Product Sponsor / Developer | Status |
|---|---|---|---|
| 15 January 2016 | Card Acceptance Device Protection Profile (CADPP) Version 0.5. | CyberSecurity Malaysia | Certified |
| 27 October 2015 | Protection Profile for Data Leakage Protection | CyberSecurity Malaysia | Certified |
| 21 August 2015 | Protection Profile for Financial Transaction Application on Mobile Device | CyberSecurity Malaysia | Certified |

IPSA Product List

The list contains products with:

  • Status "Evaluated" - Have completed IPSA evaluation
  • Status "Certified" - Have completed IPSA evaluation
  • Status "In Progress" - Currently being evaluated
  • Status "Certification Phase" - Completed evaluation and have entered certification phase by certification body

| Certificate Date | Product Name & Version | Product Sponsor / Developer | Status |
|---|---|---|---|
| - | DERMALOG Fake Fingerprint Detection LF10 (SDK version 2.1.1.1743) with Biometric System Version 6.1.0.0 | Jabatan Imigresen Malaysia | In Progress |
| - | NERS Card Reader | Jabatan Imigresen Malaysia | In Progress |
| 7 December 2017 | Dermalog LF10) with Biometric System version 1.3.6.0 | Jabatan Imigresen Malaysia | Evaluated |
| 26 July 2017 | Angkasa Spatial Smart City Delivery Engine | Agensi Angkasa Negara (ANGKASA) | Evaluated |
| 28 October 2016 | Sistem Kira Undi Elektronik Angkasa | Angkatan Koperasi Kebangsaan Malaysia Berhad (ANGKASA) | Evaluated |
| 23 September 2016 | MySecc (Mobile app) | KUPTM | Evaluated |
| 20 September 2016 | Damballa Failsafe | iDerasTech Sdn Bhd | Evaluated |
| 1 September 2016 | Mobile Application Security Testing | UPM | Evaluated |
| 30 June 2015 | IPv6 Network Assessment | CSM | Evaluated |
| 11 March 2015 | DNSVault ver 4.8 | DNSVAULT | Evaluated |
| 3 March 2015 | MediaSphere ver 1.8 | Dasar Jati | Evaluated |
| 14 November 2014 | Log Radar | TecForte Sdn Bhd | Evaluated |
| 22 September 2014 | SecureM® version 1.2 | Evault Technologies Sdn. Bhd. | Evaluated |
| 8 August 2014 | Smart Dragon Card Management System Version 1.2.0.2 | Datasonic Group Sdn Bhd | Evaluated |
| 30 June 2014 | TOMSS (Web based) | Rayyan Solutions Sdn Bhd | Evaluated |
| 26 June 2014 | Two factor Authentication Solutions (IDAS) Version 3.2 | NWC dot COM Sdn Bhd | Evaluated |
| 9 June 2014 | D'Compass Treasury System Version 1.0 | TriAset Sdn Bhd | Evaluated |
| - | CyberArmor version 3.012 | Cyber Technology Research Department (CSM) | Evaluated |
| 30 June 2014 | SypherLite v1.1 (PKID:84AA1500F7DA03DA & 84AA1500F7DA0396) | WannaStation Sdn Bhd | Evaluated |
| 16 June 2014 | Hospital Automated & Clinical information Management System (HACIM) Version 1.5 | Megaplus/Infosys Gateway Sdn Bhd | Evaluated |
| 14 February 2014 | MyKad MS2525 Software Development Kit with OMNIKEY HID 5321 | JPN | Evaluated |
| 17 April 2014 | iDERAS 2U | Infosys Gateway Sdn Bhd | Evaluated |
| - | Biocryptodisk Crypto Test | BioCryptoDisk Sdn Bhd | Evaluated |
| 16 October 2010 | PKI Generator Crypto Test | WannaStation Sdn Bhd | Evaluated |
| 28 January 2013 | IRIS CAD BCR300C (P1121 Smart Card Core v2.1.0) | IRIS Corporation | Evaluated |
| 21 December 2012 | iDERAS 1U | Infosys Gateway Sdn Bhd | Evaluated |
| 18 April 2011 | IRIS eBIO in MyKAD | IRIS Corporation | Evaluated |

IVA Product List

The list contains products with:

  • Status "Evaluated" - Have completed IVA evaluation
  • Status "In Progress" - Currently being evaluated

| Completion Date | Product Name & Version | Product Sponsor / Developer | Status |
|---|---|---|---|
| 16 February 2017 | Kloner | Digital Forensics (CyberSecurity Malaysia) | Evaluated |
| 20 January 2017 | Pendua | Digital Forensics (CyberSecurity Malaysia) | Evaluated |

Contact Us

For any application or inquiries regarding our various services, please contact:


MySEF
Norahana Salimin
CyberSecurity Malaysia
Head, MySEF
E-Mail: norahana@cybersecurity.my

Phone: +603 8992 6888
Fax: +603 8945 3205