How secure are IT services and technical devices? The IT Security Label is intended to provide consumers with guidance in the future. The BSI gave an overview at a meeting of the eco Competence Group Abuse.
The IT Security Label of the Federal Office for Information Security (BSI) promises more transparency for consumers. Starting at the end of 2021, it is expected to be granted initially for the product categories broadband routers and email services. This is based on the technical guidelines BSI TR-03148 and BSI TR-03108. Joshu Wiebe, head of the “Issuing of IT Security Labels” unit, reported on the new label at a meeting of the eco Abuse Competence Group on 18 August.
In his presentation, he gave an overview, followed by a discussion with the participants on the advantages of the security label for industry and consumers. The planned security label was welcomed, as it can make a meaningful contribution to the transparency of the IT security level of products and services and thus offers added value for the consumer.
Demonstrate security features for broadband routers and email services
To ensure that the BSI’s IT Security Label is successful in the market, it is intended to convey information in a comprehensible and transparent manner. It should not make unfulfillable promises of security, but rather offer added value and set a practicable framework. It highlights that the labelled products are compatible with certain specified standards.
The BSI will issue the IT security mark for broadband routers if the manufacturer has tested the product’s conformity with the “Secure Broadband Router” Technical Guideline (BSI TR-03148) and confirmed its fulfilment by means of a manufacturer’s declaration. After the manufacturer has submitted the application for the IT security mark, the BSI checks that the application and the manufacturer’s declaration are complete and plausible. Once the application has been positively assessed, the BSI sends out a notification authorising the use of the respective IT security mark for a specified period of time. In addition, the BSI creates a product information page that serves to inform consumers about the respective product and the manufacturer’s declaration issued for it. The product information page can be reached via a permanent link, which is also an integral part of the label as a QR code.
At a later date, the IT security mark will also be issued for email services. This is based on the implementation of BSI TR-03108 “Secure EMail-Transport”, which defines concrete requirements for an email service provider and allows them to provide independent proof of the security performance of their email service.
The IT Security Label is a voluntary service that providers and manufacturers can request for their products and services. It will be granted if they meet certain requirements defined by the BSI. Unlike certification, the BSI initially relies on the manufacturer’s or service provider’s statement. Whether the requirements are actually met is checked afterwards by the BSI as part of its market supervision. Overall, consumers will benefit because they will be able to assess the security features of devices and services with the help of comprehensible and defined criteria.