The public deliverable D3.2 Tools and techniques for the management of trustworthy evidence-v2, from Tecnalia, FhG, Fabasoft and Xlab, was successfully submitted to the European Commission last October. This deliverable aims at presenting the MEDINA Evidence Management Tools and the MEDINA Evidence Trustworthiness Management System that aims at ensuring that all evidence and assessment results are secured. The architecture, data model and sequence diagrams of these tools are described in detail. There are different types of evidence management tools:
- Technical Evidence Collection tools that discover resources properties and map the collected data to evidence (Clouditor, Wazuh, Vulnerability Assessment Tool or Generic Evidence Collector).
- Application-Level Evidence Collection tools that gather evidence from the static code analysis or specifications of applications (Codyze).
- Organizational Evidence Gathering tools that automatically collect organizational evidence by examining the Repository of Documents and transform this evidence in the form of technical evidence (AMOE that uses Natural Language Processing (NLP)).
All these evidence can be securized in terms of integrity through the Blockchain based MEDINA Evidence Trustworthiness Management System whose functional and implementation descriptions are also included in the deliverable.
Furthermore, the current coverage of the automated monitoring and the high-level assurance of the EUCS certification scheme identified in the draft candidate version of August 2022 has been matched with the different tools comprising the MEDINA Evidence Management Tools. Besides, although MEDINA focuses mostly on the automated monitoring and the high-level assurance of the EUCS certification scheme, CSPs may still struggle in the basic level, especially the smaller ones. Therefore, a checklist has been described to guide these small CSPs in their self – assessment and can know which kind of evidence they should provide to the CABs when carrying out a third-party assessment.
A future version of this deliverable will be submitted in April 2023 including the updated versions of the MEDINA Evidence Management Tools and the MEDINA Evidence Trustworthiness Management System.