www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
25 September 2006  
Security standards: a stitch in time

'Standard,' when used as an adjective, refers to something that is 'widely recognised or employed as a model of authority or excellence.' In the case of information security, standards like ISO 27001 fill the breach. Anil Patrick R takes a look at how India Inc is faring on this front

It is difficult to pinpoint the information security best practices that an organisation should adopt. This is why standards like ISO 27001/17799 (née BS 7799) were first formulated: as a mechanism for sharing information security best practices among organisations.

These standards provide organisations with the means to define and put information security mechanisms in place. Information security standards are in many ways similar to quality standards like the ISO 9000 series or the software industry’s Capability Maturity Model. These security standards basically help a company with the guidelines and the controls to put an ISMS (Information Security Management System) in place.

Pradeep Udhas, Executive Director, Head of Sourcing and Technology Advisory Services, KPMG India, is of the opinion that Indian organisations are well ahead on the security standards road. “These standards have had a significant impact on Indian organisations, especially among IT and BPO entities, where they have helped to raise security awareness and levels.” In IT and BPO, ISO 27001/ ISO 17799 standards have now become de facto requirements mandated by organisations outsourcing work to India. “Furthermore, banking industry regulatory guidelines [read RBI] have led to the adoption of the ISO 27001/ISO 17799 standard by Indian banks,” adds Udhas.

India’s ISO/BS slant

As far as the Indian subcontinent is concerned, BS 7799 remains the most popular security standard for existing certificates. With BS 7799 being replaced by ISO 27001/17799, the current focus is on upgrading to, or going in for, certification on these latter-day standards.

Going by the register of globally certified organisations (www.iso27001certificates.com) that have certified ISMS in place, India ranked third with 201 certified organisations at the time of writing. This is below Japan (1,730) and Britain (262). It is interesting to note that most of India Inc is certified on the older BS 7799-2:2002 standard. This shows that Indian companies are among the early adopters on the global scene, especially since the US has just 42 ISMS certificates to its credit.

Sivarama Krishnan, Executive Director, PricewaterhouseCoopers, estimates that among the Indian ISO 27001/BS 7799 certifications the IT/BPO vertical is likely to account for 60 to 70 percent. “This is because practices and re-alignment are easier for companies involved in offshoring, BPO and security. Certification makes it easier for these companies to go in for newer tie-ups. It also brings in some level of comfort to the relationship. Supply chain integration is another area where we see people asking for certifications.”

As is evident, security standards have made a significant impact on the way ITOs operate. “ITOs need to be compliant due to their interfaces with overseas clients. This is why most Indian ITOs are compliant with standards such as BS 7799, ISO 27001 and the PCI (Payment Card Industry) data security standard,” says Dr Ramachandran, Practice Lead for Regulatory Compliance at Patni.

India has fewer ISO 27001-certified organisations. However, existing BS 7799-2 certified organisations have to compulsorily upgrade by October 2006. Considering the fact that most organisations have to undergo a mandatory surveillance/review audit on a quarterly or half-yearly basis, it is just a matter of months before existing BS 7799-2 certificates undergo the transition programme to become ISO 27001-certified.

Looking beyond BS 7799
While the ISO 27001/17799 and BS 7799 family hogs most of the popular attention, there are quite a few other security standards which are as good (if not better).

  • SP 800-53 from NIST (National Institute of Standards and Technology). India's STQC has contributed significantly to the development of this standard. 2007 is the timeframe for adoption of SP 800-53 in India. This standard is expected to be implemented in critical infrastructure areas such as power.
  • SEI's OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation).
  • IT Baseline Protection Manual (standard security safeguards) from Germany's BSI [not to be confused with the British Standards Institute. This BSI is the Bundesamt für Sicherheit in der Informationstechnik].
  • ISM3 or ISM-cubed (Information Security Management Maturity Model).
  • Trust Services (from AICPA, CICA). These include WebTrust and SysTrust, and are applicable for companies providing e-commerce-related services.
  • Common Criteria (ISO 15408), a security standard for product companies.
  • PAS 56, a standard for BCP (business continuity planning).

Different names, same game

Although multiple security standards are available, the ISO 27001/17799 and BS 7799 standards remain the most widely accepted of the lot. While these come from two different standards bodies, it is interesting to note that they are very similar; in fact they are almost identical.

The BS 7799 standards set has been the forerunner of today’s ISO 27001/17799 information security standards. By helping to define and put in place an ISMS, these standards help organisations achieve their security goals. Formulated by the British Standards Institute (BSI) in 1995, the BS 7799 standards set lay down best practices and step-by-step methods to implement a security programme (ISMS).

The standard consists of two parts. BS 7799-1 is more of a code of practice for the creation of an ISMS: essentially guidelines for organisations on how to put together an essential security programme. These guidelines were adopted by the International Standards Organisation (ISO) to become the ISO/IEC 17799 standard. The new standard contains 17 new controls, and many of the old controls have been merged or deleted altogether.

Since both BS 7799-1 and ISO 17799 are just guidelines, there is no certification as such for these. At present ISO 17799 is an appendix to the new ISO 27001 standard. It is slated to become the new ISO 27002 standard by 2007.

On the other hand, BS 7799-2 consists more of a ‘hands on’ approach to put an ISMS in place. It employs an approach known as PDCA (Plan-Do-Check-Act) towards security programme implementation.

The BS 7799 standards were adopted by ISO with the intention of making them an international standard. This resulted in BS 7799-1 being renamed ISO/IEC 17799 in 2000. It was reviewed and modified in June 2005 to become ISO 17799:2005.

ISO also modified BS 7799-2 to include a risk management focus and additional controls, creating the ISO 27001:2005 standard in the process. Apart from ISO 27001 adding a domain to BS 7799-2’s 10, six control objectives to the earlier 33, and six security controls to the existing 127, ISO 27001 and BS 7799-2 are quite similar. Since the adoption by ISO, the ISO 27001 standard has been designed to work in tandem with the ISO/IEC 9001 and ISO/IEC 14001 standards.

Upcoming variants of ISO 27000
Apart from ISO 27001, a couple of other variants of the ISO 27000 series are expected. The first of these will be ISO 27002, which is basically expected to be a re-labelled ISO 17799 with hardly any modifications. This standard is expected to make its appearance in 2007.

Next up is ISO 27003, which will deal with implementation guidance for those implementing ISO 27001. Expected to be published in October 2008, not much is known about this standard apart from the fact that it will deal with ISMS implementation.

ISO 27004, which deals with security metrics, will follow. This standard will deal with information security management and measurement. It will address how an organisation can go about measuring the effectiveness of its ISMS implementation in terms of processes and controls. The standard is presently at the draft stage, and it is expected to be published in 2007.

Information risk management has become crucial for most organisations. This is why the ISO has proposed ISO 27005 to cover information security risk management. It is likely that this standard will be based on the recently published BS 7799-3 that deals with information risk management.

Also on the charts is ISO 27006, a proposed set of guidelines for DR services. These guidelines are based on the SS507 (Singapore Standards for Business Continuity/Disaster Recovery Service Providers).

The PDCA stages

Irrespective of whether it is ISO 27001 or BS 7799, the following stages remain common. The plan stage involves establishing an ISMS, while the do stage consists of implementing and operating the ISMS. Checking involves monitoring and reviewing the ISMS on a periodic basis. The act stage consists of maintenance and improvement of the ISMS based on the feedback from the check stage.

These stages will involve various measures such as defining an information security model, defining the ISMS’ scope, doing a risk assessment, and managing the identified risks. Once the risks have been identified, it is time to implement and apply controls (technical and otherwise). A Statement of Applicability (SoA) is prepared after these steps. (See the box, The certification con game, which has a few pointers on some of the things that can go wrong or can be made to ‘look right’ on the SoA front.)

The certification con game
Being ISO 27001 or BS 7799-2 certified does not necessarily mean that the company is thoroughly covered on the security front. This is usually due to two main reasons—lack of risk assessment expertise or the need to get ‘easily’ certified (usually for marketing reasons).

This manipulation usually takes place at the SoA (Statement of Applicability) stage. Typically, the SoA is formulated after a risk assessment audit. The trick lies in the definition of the SoA. The ISO/BS standards give an organisation the flexibility to define its ISMS’ scope, which can be limited to part of the organisation or cover all of it. This allows the organisation to define its own set of controls—which is where the problems start.

An organisation can define only a minimal set of controls and get away with it. “A company could be meeting just the basic ISO 27001 requirements, but the SoA has to have a much stricter internal scope. That is the baseline when it comes to getting certified,” says Pradeep Udhas of KPMG India.

These issues happen because it is difficult (and time-consuming) for most organisations to put all the required controls in place. This is why it is not uncommon to find consultants and organisations taking shortcuts and deploying only the bare essentials.

So the next time you hear about an organisation getting ‘certified’ in just two or three months, you might want to take a closer look.

International companies are awakening to this kind of cheating by specifying the controls that they require from their partners and the companies that they outsource to. “If you look at the tenders of US companies, the kinds of controls required are clearly defined. However, Indian tenders merely ask for BS 7799 certification, and this can be a problem,” points out Capt Felix Mohan of SecureSynergy.

The extent of certification is another area where misrepresentation happens. For example, only one unit of an organisation may be BS 7799-2 certified. It is wrong for such a company to claim (usually in promotional communications) to be ‘ISO 27001 certified’ or ‘BS 7799-2 certified’ unless it clearly states the extent of certification achieved.

Once these steps have been successfully carried out, a third-party audit has to be conducted on the ISMS before it can be certified. The third-party auditors for ISO 27001 in India include BSI, STQC, DNV India, and TUV Rheinland Industrie Service GmbH. The certificate is valid for three years subject to surveillance and review audits that are conducted regularly.

Regulator’s viewpoint

As already pointed out, RBI guidelines for banking accept ISO 27001/BS 7799-2 certification as a sufficient safeguard on the technical front. So is this also the case with other regulations, especially now that global business dictates that Indian organisations conform to international regulations?

The answer is ‘yes’ and ‘no.’ On the negative side, regulations are focussed more on risk management, which most standards do not address. “Being certified on security standards does not normally help on the regulatory front. Risk management systems are what you need here,” says Krishnan.

Security standards are primarily technological in nature, and regulations do not specify how to comply with them. This is why companies are opting for standards certification according to a standard’s relevance to regulations. “Regulations ensure that certain security requirements have to be met to protect stakeholders. This is why companies look at getting certified in available security standards which have similar security objectives as the laws that have to be complied with,” points out Capt Felix Mohan, Director, SecureSynergy.

“Regulations like the Sarbanes-Oxley Act (SOX) just specify factors like the need for a security policy, and are privacy-specific. Privacy, however, is contextual and user-specific. Security has to empower these objectives, and standards provide this support for regulatory purposes,” says Dr Ramachandran. He highlights this with an example of how ISO 17799/BS 7799 can provide the general IT controls required by SOX.

This view is shared by Prosenjeet Banerjee, Head of Information Security Services at HCL Comnet. “Regulations like SOX definitely have parts that are similar to ISO 17799. For example, SOX sections 303 and 404 have the same domains as ISO. This is not so detailed, but covers aspects like environmental security and DR/BC.”

Straightening the framework-standards equation
A common doubt vis-à-vis security standards is whether complying with them can help companies when it comes to implementing frameworks such as COBIT (Control Objectives for Information and related Technology), which is emerging as a popular framework in India. This is why we decided to ask experts whether being certified for a security standard matters when going in for COBIT.

Sivarama Krishnan, Executive Director, PricewaterhouseCoopers, points out the difference between a certification and a framework. "COBIT is an IT governance framework. Although COBIT does deal with security, it is more from the standpoint of security governance. If you look at ISO 27001, the standard is more about how to implement security in an organisation and not about organisational governance."

COBIT has more to do with how IT can help achieve business objectives, as Captain Felix Mohan, Director of SecureSynergy clarifies. "All businesses have processes, most of which depend on IT for their functioning. COBIT's focus is on how a company can meet these business objectives by using and managing IT in the best possible manner. Security is just a small component of the COBIT framework."

While COBIT does mention what needs to be done on the IT front, it does not specify how this can be achieved. That's where ITIL (the IT Infrastructure Library) steps in for ITSM (IT Service Management). ITIL's focus is purely on IT processes, and it pays lip-service to information security since it is more of a framework.

Standards are highly prescriptive in nature whereas frameworks are not. "COBIT is open and not prescriptive in nature. It gives you the freedom to implement whatever you want in alignment with your business plan. Security is just one part of the entire framework since the emphasis is on how to run an IT organisation," says Dr Ramachandran, Practice Lead for Regulatory Compliance, Patni. As opposed to this, security standards are highly implementation-specific. When it comes to security standards, the emphasis is more on factors like how to formulate a security policy or what specific controls to put in place.

The next difference is that there is no certification when it comes to a framework. Putting standards in place usually means that an organisation gets certified, or is on the way there as is the case with ISO 27001.

At the moment, the number of Indian organisations complying with one or more security standards is much higher than the number complying with frameworks such as COBIT. This is because most international client interfaces demand that these organisations be compliant with standards like ISO 27001 or PCI. The number of organisations adopting frameworks like COBIT is bound to rise, but that's a topic for another day.

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.