Security Standards
Adopting security standards
Organisations need to select security standards that suit
their requirements. The choice of a security standard depends on the stakeholders'
requirements, key business processes, regulatory needs and management priorities,
says N Kamalanand.
N Kamalanand
As information technology became the centre of enterprise
functioning, it brought tremendous productivity gains to the organisation
and also made it vulnerable to information security threats.
Towards the mid-1990s organisations pooled together their resources to develop
and share best practices in information security. Standards organisations and
industry forums leveraged best practices to draft security standards and certification
schemes for said standards. At the same time, statutory watchdogs leveraged
best practices to prescribe security-related requirements to regulated organisations.
Organisations face the challenge of selecting security standards that suit their
requirements. The choice of a security standard depends upon the stakeholders'
requirements, key business processes, regulatory needs and management priorities.
Organisations derive significant benefits by adopting security standards. In
addition to lower security vulnerability and greater stakeholders' confidence,
many regulators consider adoption of security standards an accepted way of
complying with the security requirements of regulations. Also, in many countries,
organisations that hold security certifications pay lower insurance
premiums. Discussed here are some widely accepted and promising new security
standards.
ISO 27001 (beyond BS 7799)
The most widely accepted and well known information security standard is BS
7799. About 2,000 organisations across the globe are certified for this standard.
It has been accepted by the International Standards Organisation and with some
changes has been adopted as the ISO 27001 standard. It advocates a management
system for the organisation to secure its information.
The security risk assessment for information is a core activity and based on
the results of the assessment the organisation chooses security controls across
IT, personnel and physical domains. Considering that this standard addresses
management of information security for an organisation, it is holistic but the
controls prescribed in it lack detail.
Being a management system driven standard, ISO 27001 is suitable for organisations
across the industry. It is of great value to organisations that are keen on
assuring their customers about the information security environment within an
organisation. In India, however, it is the IT and ITeS organisations that
are in the forefront in adopting the standard. It has become a qualifying requirement
in most offshoring and outsourcing bids.
A PDCA plan
A Plan-Do-Check-Act framework has to be implemented
for information security management. Organisations start their initiatives with
an information security risk assessment. Here all information and IT assets
are assessed for information security risks, existing controls are identified
and in case of any deficiency in the controls, counter measures are implemented.
There are many commercially available software tools like CRAMM, COBRA and Art
of War that may be used for risk assessment based on which a Statement of Applicability
is prepared that lists the controls an organisation intends to implement from
the recommended 133 controls in the standard. Further, the organisation is required
to prepare a relevant security policy for the implementation of required controls.
Finally, it has to institute an internal audit mechanism to monitor the implementation
of security policy and efficacy of the implementation on an ongoing basis.
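The Plan-Do-Check-Act cycle described above can be made concrete with a small risk register. The following Python script is an added illustration, not code from the article or from any of the tools it names (CRAMM, COBRA, Art of War): it scores each asset's risk as likelihood times impact, checks whether the controls that should cover that risk are already in place, builds a Statement of Applicability that records every catalogue control as applicable or excluded with a justification, and then lists the follow-ups an internal audit would chase. The risk threshold, control identifiers and asset register are all constructed for the example; a real Statement of Applicability cites the standard's own control numbers.

```python
from dataclasses import dataclass

# Risk appetite (constructed): a likelihood x impact score at or above this must be treated.
RISK_THRESHOLD = 9


@dataclass
class Control:
    control_id: str      # constructed IDs; a real SoA cites the standard's own control numbers
    name: str
    implemented: bool


@dataclass
class Asset:
    name: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    mitigating_controls: list  # control_ids that would reduce this threat


def inherent_risk(asset):
    """Plan phase: simple qualitative score, the approach most risk tools take."""
    return asset.likelihood * asset.impact


def assess(assets, controls):
    """Plan phase: score each asset, check the controls that should cover it, and flag a
    deficiency only when the risk exceeds appetite AND a covering control is missing."""
    catalogue = {c.control_id: c for c in controls}
    findings = []
    for asset in assets:
        score = inherent_risk(asset)
        missing = [cid for cid in asset.mitigating_controls if not catalogue[cid].implemented]
        findings.append({
            "asset": asset.name,
            "threat": asset.threat,
            "risk": score,
            "controls": list(asset.mitigating_controls),
            "missing_controls": missing,
            "needs_treatment": score >= RISK_THRESHOLD and bool(missing),
        })
    return findings


def statement_of_applicability(findings, controls):
    """Do phase: every catalogue control with an applicable/excluded decision and a justification."""
    needed_by = {}   # control_id -> assets whose risk it addresses
    treat = set()    # control_ids that must be implemented to treat an unacceptable risk
    for f in findings:
        for cid in f["controls"]:
            needed_by.setdefault(cid, []).append(f["asset"])
        if f["needs_treatment"]:
            treat.update(f["missing_controls"])
    soa = []
    for c in controls:
        if c.control_id not in needed_by:
            soa.append({"control_id": c.control_id, "name": c.name, "applicable": False,
                        "status": "excluded",
                        "justification": "no assessed risk requires this control"})
            continue
        if c.implemented:
            status = "implemented"
        elif c.control_id in treat:
            status = "planned"
        else:
            status = "not implemented (risk accepted)"   # deficient control, but risk is within appetite
        soa.append({"control_id": c.control_id, "name": c.name, "applicable": True,
                    "status": status,
                    "justification": "addresses risk to " + ", ".join(needed_by[c.control_id])})
    return soa


def internal_audit(soa):
    """Check phase: applicable controls that are still only planned are the open audit items."""
    return [e["control_id"] for e in soa if e["applicable"] and e["status"] == "planned"]


# Constructed sample register: not real assets, controls or results.
CONTROLS = [
    Control("C-01", "E-commerce transaction integrity", implemented=False),
    Control("C-02", "Off-site backup of databases", implemented=False),
    Control("C-03", "Periodic user access review", implemented=True),
    Control("C-04", "Clear desk and clear screen policy", implemented=False),
]
ASSETS = [
    Asset("Customer database", "ransomware / data loss", 3, 5, ["C-02", "C-03"]),
    Asset("Payroll application", "access by former staff", 2, 4, ["C-03"]),
    Asset("Printed HR records", "casual disclosure", 2, 2, ["C-04"]),
]

if __name__ == "__main__":
    findings = assess(ASSETS, CONTROLS)
    soa = statement_of_applicability(findings, CONTROLS)
    for f in findings:
        print(f"{f['asset']:<22} risk={f['risk']:>2} missing={f['missing_controls']} "
              f"treat={f['needs_treatment']}")
    for e in soa:
        print(f"{e['control_id']} applicable={e['applicable']!s:<5} {e['status']:<32} {e['justification']}")
    print("audit follow-ups:", internal_audit(soa))
```

The third asset shows the case practitioners most often get wrong: its covering control is absent, but the risk sits below the organisation's appetite, so the Statement of Applicability records the control as applicable yet consciously not implemented rather than silently dropping it. The Act phase is the re-run of `assess` after the planned control is put in place.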
ISO 15408: framed by NATO
This standard was developed by national security organisations of NATO for security
assurances of a product or a system. The evaluation process involves a formal,
rigorous analysis and testing to examine all the security aspects of a product
or system. The activities delve into the developer's proprietary processes,
implementation and documentation. Extensive testing activities involve a comprehensive
and formally repeatable means of confirming that the security product indeed
functions as claimed. Security weaknesses and potential vulnerabilities are
specifically examined during an evaluation.
The standard is rigorous and detailed but is limited to the evaluation of system
or a product. It is used by systems or product vendors to demonstrate the security
robustness of their products and by procuring organisations to assure themselves
about the quality of a system or product that they intend to procure.
ISO 15408 is a product or a system specific security certification; hence this
is generally adopted by organisations developing security critical products
or systems. Over the last couple of years the adoption of the standard has risen
owing to the proliferation of Protection Profiles, the benchmark
for evaluating product categories. Defence and government organisations increasingly
procure ISO 15408 evaluated products.
Documenting the security target
To begin with, an organisation has to identify the product or system, the Target
of Evaluation (TOE), and prepare a security target document that details the
IT security requirements of the TOE. The evaluator verifies that each requirement
stated in the document corresponds to a security requirement in the standard
and that each one is met by the TOE.
In addition to the previous step of evaluating a security target, four separate
procedures for four different Evaluation Assurance Levels (EAL) have to be in
place, EAL1 being the lowest degree of scrutiny and EAL4 the highest
degree of scrutiny imposed on the TOE. The evaluation process's final
product is the Evaluation Technical Report (ETR). The ETR details how closely
the TOE conforms to the standard's requirements and whether the TOE passes or
fails the evaluation.
SSE-CMM: building on CMM
The Security Engineering - Competency Maturity Model (SSE-CMM) applies to secure
product developers, secure system developers and integrators and organisations
that provide security services and security engineering. The SSE-CMM addresses
security engineering activities that span the entire trusted product or secure
system life cycle, including concept definition, requirements analysis, design,
development, integration, installation, operations, maintenance and decommissioning.
It is based on a maturity model and is limited to the software development life cycle
process.
This standard is of great value to organisations that purchase software development
services and to those that provide them. The practice assures the recipient of
the software that security controls and features are actively considered during
its entire development life cycle. It reduces the probability of security vulnerabilities
in the software and consequently the need for a separate security audit of
it.
Software gets SSE
Since the beginning of 2005 many leading software services organisations have
started adopting this standard especially for their banking, financial services
and insurance clients.
Looking beyond CMMi
For IT services organisations that are CMMi certified, the SSE-CMM model builds
on the existing CMMi processes by incorporating security-engineering practices
in the software development life cycle followed by the organisation. SSE practices
are incorporated at each stage of the software development process, including
requirements gathering, design, coding and testing activities. The revised
processes are then appraised by an SSE-CMM Lead Appraiser to assess compliance
with SSE-CMM requirements.
N Kamalanand is Manager, Ernst &
Young. He can be reached at n.kamalanand@in.ey.com