Chapter 2 Literature Review
2.4 AIS Security
2.4.8 Security management
2.4.8.8 Security standards, evaluation and certification
For years, the business community has been searching for an adequate approach or technique for evaluating the security of information and IS, and simultaneously searching for a practical security standard, one that can provide a company with best practices and can be both cost-effective and reasonably achievable.
However, the literature reveals that the evaluation of information and IS security is not an easy task and one in which there is a lot of confusion and inconsistency.
Conrath and Sharma (1993), in an extensive study of the IS evaluation literature, revealed that there were no generally accepted performance measures. Von Solms (1996) presented a number of evaluation and certification techniques and schemes that can be linked to information security. These techniques are Trusted Security Evaluation Criteria Schemes, ISO 9000 (BS 5750), i.e. the leading international quality assurance scheme, the Code of Practice for Information Security Management (BS 7799) and self-evaluation.
In addition, Abu-Musa (2002c) agreed with Von Solms (1996) and indicated that information security evaluation could be done against one of the following criteria:
- Trusted Security Evaluation Criteria, which include the Trusted Computer Security Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC), and the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC);
- The ISO 9000 Series of Standards;
- Code of Practice for information security management (BS 7799); and
- Comparisons.
However, Conrath and Sharma (1993) stated that no single measure is adequate, so a combination is necessary to avoid the deficiencies of each method and to enhance the potential benefits through integration of these methods. Consequently, in their study, they combined the checklist questionnaire and the risk analysis methods in evaluating computer-based IS.
Furthermore, the literature reveals that many organisations and standardisation bodies have been producing information and IS security standards, guidelines and best practices. The AICPA and the CICA developed SysTrust: Principles and Criteria for Systems Reliability (AICPA/CICA 2001). Under SysTrust, a system is reliable when it meets four essential principles: availability, security, integrity and maintainability.
The BSI IT Baseline Protection Manual, developed by the German Federal Information Security Agency (BSI 2000), presented a set of recommended standard security controls or safeguards. Its goal is to achieve a security level for IT systems that is reasonable and adequate to satisfy normal protection requirements and can serve as the basis for IT systems and applications requiring a high degree of protection (Hone and Eloff 2002).
In addition, the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) technical committees produced the GMITS (ISO/IEC TR 13335) Guidelines for the Management of IT Security. ISO/IEC TR 13335 consists of five parts under the general title: Information Technology - Guidelines for the management of IT Security:
Part 1: Concepts and models for IT Security (1996);
Part 2: Managing and planning IT Security (1997);
Part 3: Techniques for the management of IT Security (1998);
Part 4: Selection of safeguards (2000); and
Part 5: Safeguards for external connections (2003).
Moreover, the Information Systems Audit and Control Foundation developed the Control Objectives for Information and Related Technology (COBIT 2000). Its objective is to research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers and auditors.
The Standard of Good Practice developed by the Information Security Forum (ISF 2005) provides an achievable target for companies against which they can measure their performance regarding information security management. It examines information security from a business perspective and focuses on how companies can keep the business risk associated with critical IS under control in today’s ever-changing technological environment.
In the USA, the National Institute of Standards and Technology (NIST 800-14 1996) developed the Generally Accepted Principles and Practices for Securing Information Technology Systems (GAASP) to provide a baseline that companies can use to establish and review their security programs.
From the above, it is clear that many organisations and standardisation bodies have been producing security standards, guidelines, principles and evaluation techniques.
However, most of them are technical and therefore impractical in terms of meeting business needs. Gordan (2005) argued that there was no one standard or set of best practices that had emerged as a generally accepted international security standard.
As the trend in information security has recently changed from technical security controls to a concern for overall risk management, which shifts information security from a strictly IT focus to a business practice issue, one set of standards has come forward that helps organisations in successfully managing risks in this new environment: the British Standard on Information Security (BS 7799).
The British Standard BS 7799 (now ISO 27000) started its life as the UK Department of Trade and Industry (DTI) Code of Practice for Information Security. It was first published in September 1993. In 1995, it became a British Standard and was renamed BS 7799 (Sweren 2006; Von Solms 1999). The original BS 7799 comprised two parts: a code of practice (part 1) and a specification for an information security management system (part 2). In 1999, it was revised with the addition of accreditation and certification components. These components comprise BS 7799 part 2, which was updated in 2002. In 2003, part 1 was fast-tracked through ISO and became ISO 17799. Then, in 2005, BS 7799 part 2 became ISO 27001.
Lineman (2005) argued that several changes to business environments and new ways of doing business guided the development of the revised standards. These changes include the growing dependence on the use of external services, changes in the risks and threats facing businesses, emerging technologies and greater connectivity and the impact of this on information security, and the growing security requirements for regulatory compliance.
The literature reveals that the British Standard BS 7799 is widely acknowledged as an important framework for security in both the UK and overseas (DTI 2006; Gordan 2005). In addition, in 2007, the ISO built on this standard to create a family of International Standards on Information Security (the 27000 series). Sweren (2006) presented this series as follows:
- 27000 - Vocabulary and Definitions;
- 27001 - Information Security Management System Requirements (Certification) (replaced BS 7799 part 2);
- 27002 - Code of Practice (replaced BS 7799 part 1);
- 27003 - Implementation Guidance;
- 27004 - Information Security Management Metrics and Measurement Standard;
- 27005 - Information Security Risk Management Standard; and
- 27006 - Requirements for Bodies Providing Audit and Certification of Information Security Management Systems.
Security professionals have claimed that ISO 17799 (part 1: Code of Practice) was one of the leading standards of information security. It is a suitable model for information security management and an appropriate vehicle for addressing information security management in modern organisations (Ma and Pearson 2005). In addition, ISO 27001 (part 2: Certification) is the set of requirements for developing an information security management system. This is the standard that a company will need to adhere to in order to receive ISO 27001 certification. Compliance with or certification in ISO 27001 will give the company strong IT-related controls that will also help satisfy the requirements of many regulatory standards. It ensures that the right people, processes and technology are in place, that they are appropriate to the business, and that they facilitate a proactive approach to managing security and risk (Brenner 2007).
Certification to ISO 27001 assures clients, employees, suppliers, business partners and future customers that a company has a continuous protection methodology allowing a flexible, effective and defensible approach to security compliance (Kouns 2007). This certification can provide third-party assurance that a company is serious about information security and managing associated risks (Brenner 2007).
ISO 27001 (2005) presents a number of controls that can be considered as a good starting point for implementing information security. These controls fall into two basic categories: legislative controls and common best practices. Legislative controls are considered essential to a company from a legislative point of view and include data protection and privacy of information, protection of organisational records, and intellectual property rights. On the other hand, the common best practice controls include:
- Information security policy document;
- Allocation of information security responsibilities;
- Information security awareness, training and education;
- Business continuity management;
- Management of information security incidents and improvements;
- Technical vulnerability management; and
- Correct processing in applications.
In addition, the standard consists of 15 sections, where each section provides a wide range of security control measures relevant to the specific section. These sections are risk management, security policy, organisation of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, software acquisition, development and maintenance, incident management, business continuity management, and compliance.
Despite the worldwide acceptance of this standard, the DTI Information Security Breaches Survey (DTI 2006) revealed that the penetration of BS 7799 into UK businesses remains disappointing. Among people responsible for their companies’ information security, only one in ten is aware of the contents of the standard; however, the adoption of the standard continues to rise among those who are aware of it. The survey results revealed that there is a wide potential audience for the standard, but its pricing and distribution are acting as barriers, in particular to small companies. In addition, the BERR Information Security Breaches Survey (BERR 2008) indicated that awareness of the standard is greater among respondents who hold a security qualification.
The literature further reveals that a few studies have addressed the British Standard and its two parts. Ma and Pearson (2005) conducted an empirical investigation into the validity, reliability and robustness of the international standard ISO 17799 through a web-based survey. Karabacak and Sogukpinar (2006) proposed a quantitative survey method for evaluating ISO 17799 compliance. In a recent study, Saleh et al. (2007) examined the development of a mathematical model that enables the investigation of companies’ compliance with ISO 17799 and with its associated standard ISO 27001. This model is based on strategy, technology, organisation, people and environment (STOPE).
From the above it seems that there are a large number of standardisation bodies and organisations, and a large number of standards, best practices, guidelines, principles and evaluation techniques for information and IS security. However, ISO 27000 is the only standard that has gained worldwide publicity in both the UK and overseas. It helps companies in identifying, assessing, mitigating and monitoring information security risks and threats by following a rigorous process-based approach, and in selecting and implementing appropriate controls in order to ensure that risks and threats are reduced to an acceptable level.