Information security audits & certification. Security in Organizations 2011 Eric Verheul


Slide 1. Information security audits & certification (Security in Organizations 2011, Eric Verheul)

Slide 2. Literature
Main literature for this lecture:
1. NOREA beroepsregels (URL fragment: +en+beroepsregels/richtlijn+assurance-opdrachten)
2. TTP.NL schema (NL_Scheme_version_8.1_final June_2010_.pdf)
3. Common Criteria part 1 (341_ISO_IEC_ _2009.zip)

Slide 3. Assignment #5
Assignment #3 is on Blackboard. It uses a VMware image, which is available:
- through Klaus/DVD
- on-line: sftp://lilo.science.ru.nl/vol/xpsoftware/sio2009/image_ /*.*
Note: starting the VMware image takes time; first start the image, then read the assignment.

Slide 4. Outline
- Audit introduction
- IT security audits in general
- Management system certification audits
- IT security product certification audits (Common Criteria)
- Recap & Practicum

Slide 5. Audit introduction: Types of audits
The audits we are discussing include IT security audits in general, management system certification audits, and IT security product certification audits. As far as we know there is no common terminology covering these three types of audits at once, so we introduce our own terminology, built from a combination of terms taken from these audit types.

Slide 6. Audit introduction: Terminology
An audit is the process in which a competent, impartial judgment (opinion) is formed on one or more aspects of an object (the criteria). The result of an audit is typically a document in which the auditor expresses his opinion, the supporting findings and the limitations that apply. The opinion provides assurance to the auditee itself or to a third party. The assurance can be either positive or negative:
- Positive assurance: an affirmative statement or opinion given by the auditor, generally based on a high level of work performed.
- Negative assurance: a statement indicating that nothing came to the auditor's attention indicating that the subject matter in question did not meet a specified criterion.

Slide 7. Audit introduction: Terminology (diagram)
Elements of the audit model: Criteria maintainer; Scheme maintainer (e.g. association organization); Independent overseer (e.g. association organization); Audit Object; Audit Criteria; Audit Scheme; Auditor; Opinion (report).

Slide 8. Audit introduction: Terminology
The audit process should be reproducible and should not depend on the (qualified) auditor. An opinion can also take the form of a certificate. Audits are historically associated with accounting: a financial audit of the financial accounts (jaarrekening audit) performed by (registered) accountants. In this situation the criteria are based on the laws on accounting (Wet op de jaarrekening). In the accounting context the term audit is a very sensitive notion.

Slide 9. Audit introduction: Terminology
The audit is performed for a client, who also sponsors the audit. The aspects that form the basis of the audit are formulated as a set of criteria (audit criteria), determined prior to the actual audit and agreed upon with the client. In Dutch these criteria are sometimes called de gehanteerde (audit) norm. The set of criteria could be an open standard, a tailored version of it, or even some assertions made by the client management. In the latter case, the opinion can be a statement by the auditor that the assertions are correct. The object type can vary; examples are a person, a product, a process, a system or an organization.

Slide 10. Audit introduction: Audit schemes
Closely linked with the audit criteria is the audit scheme used. These are rules describing how the audits shall be conducted and what requirements the auditor organization itself should meet. An audit scheme provides a manual for conducting audits and typically answers questions like:
- What steps shall an audit have?
- When is a criterion met?
- What qualifications should an auditor have?
- When can the auditor build on prior work done by other auditors?
- When can an opinion be provided and what can be part of it?

Slide 11. Audit introduction: Audit schemes
Important general topics in audit schemes are:
- impartiality requirements of auditors and the organizations they work for,
- confidentiality,
- providing auditees the opportunity to respond to findings (hoor en wederhoor),
- ethics, e.g., do not audit your own work,
- quality, e.g. filing of evidence.

Slide 12. Audit introduction: Audit schemes
The audit scheme can be:
- an open standard itself, e.g., ISO Guidelines for quality and/or environmental management systems auditing, ISO/IEC Requirements for bodies providing audit and certification of management systems, and its particularization ISO Requirements for bodies providing audit and certification of information security management systems;
- a dedicated document, e.g., the TTP-NL scheme "Scheme For Certification of Certification Authorities against ETSI TS";
- part of the rules of conduct of the professional associations (beroepsverenigingen) of auditors, e.g. of NOREA (URL fragment: +en+beroepsregels/richtlijn+assurance-opdrachten) or ISACA.

Slide 13. Audit introduction: Terminology (diagram with the elements Object, Scheme, Criteria and Opinion)


Slide 15. Outline
- Audit introduction
- IT security audits in general
- Management system certification audits
- IT security product certification audits (Common Criteria)
- Recap & Practicum

Slide 16. IT security audits in general: IT (security) audits
An IT security audit is a particular type of IT audit. An IT audit is also known as an EDP audit and focuses on the following aspects of IT systems (cf. COBIT):
- Effectiveness
- Efficiency
- Compliance
- Reliability
- Confidentiality
- Integrity
- Availability
An IT audit can therefore include much more than information security.

Slide 17. IT security audits in general: IT audit aspects
- Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
- Efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.
- Reliability: relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
- Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.

Slide 18. IT security audits in general: IT effectiveness (figure)

Slide 19. IT security audits in general: IT audit aspects
- Confidentiality: concerns protection of sensitive information from unauthorized disclosure.
- Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
- Availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.

Slide 20. IT security audits in general: IT security audits
IT security audits (aka IT security reviews) concentrate on the information security aspects, i.e. Confidentiality, Integrity and Availability. Sometimes IT security audits are called IT security reviews to prevent confusion with financial audits. IT security audits can be:
- technically oriented; then the objects are IT systems, e.g., a whole IT infrastructure, a network, a Windows environment, a specific application;
- process oriented; then the objects are IT processes, e.g., a security management process, a change management process.
The audit criteria are typically formulated as information security objectives or security controls, e.g. based on ISO

Slide 21. IT security audits in general: Example of technical IT security criteria (figure)

Slide 22. IT security audits in general: Example of non-technical IT security criteria (figure)

Slide 23. IT security audits in general: Audit evidence
Practically speaking, the auditor should:
- determine the scope of the audit (e.g., a Windows based office automation network),
- agree the audit criteria with the audit sponsor and put them in a table, and
- compare the criteria with the object setting.
But what should an auditor accept as compliance evidence?

Slide 24. IT security audits in general: Audit evidence
What if the IT administrator says in an interview: "Sure, we have this password policy and account lockout setting"? What if there is an official document stating compliance with these settings? When should you believe these settings are actually implemented?

Slide 25. IT security audits in general: Audit evidence
What if the IT administrator shows you the Windows settings? Can you be sure that they will not be changed tomorrow?

Slide 26. IT security audits in general: The three audit assurance levels
In IT audits one therefore distinguishes three audit assurance levels:
- Design: the auditor has reviewed the relevant design based on documentation and interviews, but not on actual inspections. In effect, the auditor cannot provide assurance that what is designed is actually implemented.
- Existence: the auditor has additionally performed inspections of system settings, paper archives and other things, providing him with assurance that the design is at least implemented during the audit.
- Operational Effectiveness: the auditor has additionally looked for evidence that the implemented controls were effective for a certain amount of time.
These audit levels build upon each other, i.e. you can only have Design, Design + Existence, or Design + Existence + OE. The audit level is an integral part of the opinion report!
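To make the build-upon rule concrete, here is an added example (my own code, not from the lecture) that classifies constructed audit evidence for the two Windows criteria from the previous slides (password length and account lockout) into the three assurance levels. The precise rules (Operational Effectiveness needs compliant records from both halves of the audit period; the opinion states the lowest level any criterion reaches) are my assumptions for the illustration, not taken from the slides.

```python
"""Assurance level per criterion from collected audit evidence (illustrative)."""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Level(IntEnum):
    """The three IT-audit assurance levels from the lecture, plus NONE."""
    NONE = 0
    DESIGN = 1      # documentation review and interviews only
    EXISTENCE = 2   # plus inspection of the actual setting during the audit
    OE = 3          # plus evidence the control was effective over a period


@dataclass(frozen=True)
class Evidence:
    criterion: str    # id of the criterion this item supports
    kind: str         # "document", "interview", "inspection" or "record"
    observed: date    # date the item was produced or inspected
    compliant: bool   # whether the item shows the criterion being met


DESIGN_KINDS = {"document", "interview"}


def level_for(criterion_id, evidence, period_start, period_end):
    """Assurance level reachable for one criterion (assumed rules, see lead-in).

    Design:    at least one document or interview, all of them compliant.
    Existence: Design, plus at least one inspection, all compliant.
    OE:        Existence, plus compliant records from inside the audit period
               covering both its first and its second half.
    The levels build on each other: missing a lower level caps the result.
    """
    items = [e for e in evidence if e.criterion == criterion_id]
    design = [e for e in items if e.kind in DESIGN_KINDS]
    inspections = [e for e in items if e.kind == "inspection"]
    records = [e for e in items
               if e.kind == "record" and period_start <= e.observed <= period_end]

    if not design or not all(e.compliant for e in design):
        return Level.NONE
    if not inspections or not all(e.compliant for e in inspections):
        return Level.DESIGN
    midpoint = period_start + (period_end - period_start) / 2
    early = any(e.observed <= midpoint for e in records)
    late = any(e.observed > midpoint for e in records)
    if not records or not all(e.compliant for e in records) or not (early and late):
        return Level.EXISTENCE
    return Level.OE


def audit_level(criterion_ids, evidence, period_start, period_end):
    """Level to state in the opinion: the lowest level reached by any criterion."""
    per = {c: level_for(c, evidence, period_start, period_end) for c in criterion_ids}
    return min(per.values(), default=Level.NONE), per


# Constructed sample audit (not real data): audit period 1 Jan to 30 Jun 2011,
# two criteria from a password policy (minimum length 12, lockout after 5 failures).
PERIOD = (date(2011, 1, 1), date(2011, 6, 30))
CRITERIA = ["PWD-LEN", "LOCKOUT"]
EVIDENCE = [
    Evidence("PWD-LEN", "document",   date(2011, 2, 1), True),   # security policy
    Evidence("PWD-LEN", "interview",  date(2011, 7, 4), True),   # admin confirms
    Evidence("PWD-LEN", "inspection", date(2011, 7, 4), True),   # setting seen live
    Evidence("PWD-LEN", "record",     date(2011, 1, 15), True),  # config export, Jan
    Evidence("PWD-LEN", "record",     date(2011, 6, 15), True),  # config export, Jun
    Evidence("LOCKOUT", "document",   date(2011, 2, 1), True),
    Evidence("LOCKOUT", "interview",  date(2011, 7, 4), True),
    Evidence("LOCKOUT", "inspection", date(2011, 7, 4), True),
    Evidence("LOCKOUT", "record",     date(2011, 6, 15), True),  # only one record
]


if __name__ == "__main__":
    overall, per_criterion = audit_level(CRITERIA, EVIDENCE, *PERIOD)
    for crit, lvl in per_criterion.items():
        print(f"{crit}: {lvl.name}")
    print("Assurance level for the opinion:", overall.name)
```

LOCKOUT has an inspection but only one record, late in the period, so it stops at Existence and drags the whole opinion down to Design + Existence even though PWD-LEN reaches Operational Effectiveness.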

Slide 27. IT security audits in general: Terminology (diagram with the elements Object, Scheme, Criteria and Opinion)


Slide 29. IT security audits in general: The opinion
It is vital that the opinion minimally states:
- for whom the audit was conducted (client) and by whom (auditor),
- the objective of the audit,
- the object and its boundaries,
- the period in which the audit was performed,
- the procedures followed, e.g., documentation review, interviews, inspections etc.,
- the audit criteria used and the related audit scheme,
- the assurance level of the audit (design, existence or operational effectiveness),
- the opinion itself and any reservations or limitations regarding the opinion.
Optionally one can supplement the opinion with recommendations; however, some schemes preclude this on grounds of impartiality.

Slide 30. IT security audits in general: Is penetration testing auditing?
"A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source." (source: Wikipedia). One could say a penetration test concentrates on existence and operational effectiveness of information security and not on documented design. There are implicit criteria and frameworks such as the Open Source Security Testing Methodology Manual (OSSTMM), the Guideline on Network Security Testing (NIST SP) and the Testing Guide of the Open Web Application Security Project (OWASP). There also exist professional associations of penetration testers. Dependence on the competence of the penetration tester is higher than in a typical audit, which makes reproducibility difficult.

Slide 31. Outline
- Audit introduction
- IT security audits in general
- Management system certification audits
- IT security product certification audits (Common Criteria)
- Recap & Practicum

Slide 32. Management system certification audits: Certification of management systems
"A management system is a framework of policies, procedures, guidelines and associated resources to achieve the objectives of the organization." (source: ISO 27000)
"An Information Security Management System (ISMS) is that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security." (source: ISO 27001)
"Certification of a management system, such as a quality or environmental management system of an organization, is one means of providing assurance that the organization has implemented a system for the management of the relevant aspects of its activities, in line with its policy." (source: ISO 17021)

Slide 33. Management system certification audits: Limitation
We limit ourselves to these two IT security (management) systems:
- ISO Information security management systems, which we have focused on in the first three lectures;
- TTP.NL, which relates to the European guideline on electronic signatures.
Certification auditors are typically called Certification Bodies and need to have management systems of their own to reflect the proper process of certification. The basis for the management system for Certification Bodies is described in ISO

Slide 34. Management system certification audits: IT security management certification framework (diagram)
Elements: Criteria Maintainer (ISO, ETSI); Scheme maintainer (ISO, ECP-EPN); Accreditation Body (RVA); Management System Standard (ISO, ETSI); Certification Scheme; Certification Body; Certificate (report).

Slide 35. Management system certification audits: Accreditation
The management systems of the Certification Bodies are inspected by the Dutch Accreditation Council (Raad voor Accreditatie) in a similar way as the Certification Bodies perform certification. This process is called accreditation. There is actually a standard for Accreditation Bodies themselves (ISO General requirements for accreditation bodies accrediting conformity assessment bodies). (Nearly) every country has its own Accreditation Council, and mutual agreements exist. The national councils also perform peer reviews.

Slide 36. Management system certification audits: The schemes
ISO scheme:
- Criteria: ISO
- Scheme: maintained by ISO; ISO, which is based on ISO (who) and ISO (how)
- Accreditation Body: RVA
TTP.NL scheme:
- Criteria: ETSI TS
- Scheme: maintained by ECP-EPN; the TTP.NL scheme, which is based on ISO (who) and ISO (how)
- Accreditation Body: RVA

Slide 37. Management system certification audits: Audits within a certification
There exist several types of audits within the context of a certification:
- Trial audits (optional)
- Initial audits (consisting themselves of documentation and implementation audits)
- Follow-up audits
- Surveillance audits
- Recertification audits, very similar to initial audits
- Special audits, when major changes take place in the client's organization

Slide 38. Management system certification audits: Certification overview (diagram)
A certificate is valid for three years. The diagram shows the cycle: Trial-audit (optional); Documentation Audit; Implementation Audit; Follow-up audits; Certification Decision; Surveillance Audit (yearly); Surveillance Audit (yearly); Recertification.

Slide 39. Management system certification audits: Audit plan
For each type of audit, the auditor makes an audit plan prior to conducting it. The audit plan describes:
- the timing of the audit,
- the topics of the audit (preferably with reference to the criteria),
- the staff (internal/external) that needs to be interviewed (when/where),
- any visits or inspections (in implementation and surveillance audits).
The audit plan is compiled interactively with the client.

Slide 40. Management system certification audits: Opening meetings
Each audit commences with an opening meeting. Typical things addressed are:
- introduction of team members,
- scope and methodology of the audit,
- (understanding of) the audit plan,
- any unresolved issues from earlier audits,
- timing of the closing meeting.

Slide 41. Management system certification audits: Closing meetings
Each audit ends with a closing meeting. In this meeting the lead auditor gives his general impression of the organization and, more specifically, the negative findings. There exist two types of negative findings:
- Minor nonconformities, also known as deficiencies
- Major nonconformities
Each of these is separately documented in a (draft) nonconformity report and discussed with the client. The findings are (preferably) formally accepted (signed) in the closing meeting. Only negative findings are documented.

Slide 42. Management system certification audits: Documentation audit
Part of the initial audit, also known as the Stage I audit in ISO. The auditor reviews the documentation and holds interviews to check consistency with the audit criteria. This audit will familiarize the auditor with the organization and will allow him to formulate attention points for the Stage II (implementation) audit.
References: ISO, ETSI TS

Slide 43. Management system certification audits: Implementation audit
Part of the initial audit, also known as the Stage II audit in ISO. The auditor checks the existence of controls in consistency with the documentation.
References: ISO, ETSI TS

Slide 44. Management system certification audits: Certification decision
The certification manager decides upon certification based on the Stage I and Stage II reports. The certification manager must not have been part of the audit team. The client documents for each non-conformity a Corrective Action Report (CAR), which includes a cause analysis, a corrective action and its planning. It is impossible to be certified if major non-conformities still exist; these need to be addressed and reassessed (follow-up audit) before certification. The certificate is valid for three years and every year surveillance audits are conducted (typically much smaller than an implementation audit). After three years a recertification audit is conducted, similar to the initial one.

Slide 45. Management system certification audits: Surveillance audit
At least once a year, the certification body carries out a surveillance audit consistent with the same requirements under which the initial audit was conducted. The surveillance is a combination of a documentation and an implementation audit. These periodic assessments serve to make sure all requirements are assessed at least once during the certificate's period of validity. Each surveillance audit will also address fixed elements:
- open non-conformities,
- the internal audits carried out by the organization,
- the complaints of customers,
- management reviews of the management system.

Slide 46. Management system certification audits: Audit time
To conduct certification audits the auditor has rather limited time, implying that the implementation audits are only of limited depth. (Source: ISO)

Slide 47. Outline
- Audit introduction
- IT security audits in general
- Management system certification audits
- IT security product certification audits (Common Criteria)
- Recap & Practicum

Slide 48. IT security product certification audits (Common Criteria): IT security product certification framework (diagram)
Elements: Scheme maintainer (ISO, BSI, TNO); Accreditation Body (BSI, RVA); IT product; Common Criteria (ISO 15408); CC-CEM (ISO 18045); Evaluator (laboratory); CC Certificate.

Slide 49. IT security product certification audits (Common Criteria): NL product example (Fox-IT) (figure)

Slide 50. IT security product certification audits (Common Criteria): IT product security
Several governments early on recognized the inherent security risk of computer systems, e.g.:
- the risk of not having the right controls in the systems (security functionality),
- the risk of not having adequate assurance that controls are properly implemented (assurance).
Security of a system is a function of security functionality and assurance. Systems A and B could have the same security functionality (e.g. a password based authentication mechanism), but if the development of system A is more thorough than that of system B, system A is probably more secure than B.
What is required is an IT-product security certification framework enabling:
- users to formulate their security needs in requirements for IT products,
- manufacturers to develop (potentially) conformant IT products,
- technical laboratories to independently evaluate these IT products against the set requirements,
- authorities to certify these IT products based on the evaluation report,
- users to apply these IT products in the right way (accreditation).

Slide 51. IT security product certification audits (Common Criteria): TCSEC
In the 1980s the US Department of Defense initiated the Trusted Computer System Evaluation Criteria (TCSEC) program for assessing the effectiveness of computer security controls built into an operating system. It is commonly known as the Orange Book, after the color of its cover. The Orange Book focuses on the OS and leaves out many important information security aspects (such as networks!). This gave rise to many other (colored) books, resulting in what is called the Rainbow Series. The Orange Book distinguishes the following OS types:
- D: minimal protection
- C[1-2]: discretionary protection: users can decide which information is accessible by others
- B[1-3]: mandatory protection: information is labeled with classifications, e.g. restricted, confidential, secret, and the system enforces access based on the clearance of users
- A[1]: verified protection: builds further on B but includes formal design and verification techniques
The classes are a rigid combination of security functionality and security assurance.

Slide 52. IT security product certification audits (Common Criteria): ITSEC
The critique of TCSEC is that it is rather rigid:
- TCSEC focuses on confidentiality;
- the TCSEC ratings are a fixed combination of functionality and assurance;
- TCSEC does not give users flexibility in describing security requirements other than those in TCSEC.
In the 1990s France, Germany, the Netherlands and the United Kingdom published their own evaluation framework, called the Information Technology Security Evaluation Criteria (ITSEC). ITSEC is more flexible and allows users more freedom in describing their security requirements than TCSEC. Moreover, ITSEC separates functionality and assurance. ITSEC introduces 7 assurance classes E0 to E6, where E0 represents the lowest and E6 the highest assurance. ITSEC suggests a comparison between its assurance classes and the implicit assurance classes in the TCSEC classes (D, C1, C2, B1, B2, B3, A1).

Slide 53. IT security product certification audits (Common Criteria): ITSEC assurance classes (figure)

Slide 54. IT security product certification audits (Common Criteria): Common Criteria
According to some, TCSEC is too hard and ITSEC is too soft. The Common Criteria for Information Technology Security Evaluation, or simply Common Criteria (CC), is based on three underlying IT-product security certification frameworks: ITSEC (EU), TCSEC (US) and CTCPEC (Canada). The CC are published as ISO standards (ISO/IEC 15408):
- Part 1: Introduction and general model
- Part 2: Security functional requirements
- Part 3: Security assurance requirements
The guidelines for the CC evaluators (Methodology for IT security evaluation) are also published as an ISO standard (ISO 18045). They can be freely downloaded.

Slide 55. IT security product certification audits (Common Criteria): Short history (figure)

Slide 56. IT security product certification audits (Common Criteria): Protection Profile (PP)
Typically a user community compiles a Protection Profile (PP) for a TOE (Target of Evaluation) type, e.g., a firewall or a smartcard application (e.g., an SSCD). A PP defines an implementation-independent set of IT security requirements for a category of TOEs which are intended to meet common consumer needs for IT security. A PP contains:
- the TOE description,
- the TOE environment (including threats),
- Security Functional Requirements (SFRs) as specified in CC part 2,
- Security Assurance Requirements (SARs) as specified in CC part 3,
- security requirements for the IT environment,
- security requirements for the non-IT environment,
- a rationale.
Additional SFRs and SARs can be formulated.

Slide 57. IT security product certification audits (Common Criteria): Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs)
Security Functional Classes (CC part 2):
- Class FAU: Security audit
- Class FCO: Communication
- Class FCS: Cryptographic support
- Class FDP: User data protection
- Class FIA: Identification and authentication
- Class FMT: Security management
- Class FPR: Privacy
- Class FPT: Protection of the TSF
- Class FRU: Resource utilisation
- Class FTA: TOE access
- Class FTP: Trusted path/channels
Security Assurance Classes (CC part 3):
- Class ACM: Configuration management
- Class ADO: Delivery and operation
- Class ADV: Development
- Class AGD: Guidance documents
- Class ALC: Life cycle support
- Class APE: Protection Profile evaluation
- Class ASE: Security Target evaluation
- Class ATE: Tests
- Class AVA: Vulnerability assessment

Slide 58. IT security product certification audits (Common Criteria): Evaluation Assurance Levels
A PP also defines an Evaluation Assurance Level (EAL), which in fact is a package of SARs. The CC distinguishes 7 EAL levels, from EAL1 to EAL7.

Slide 59. IT security product certification audits (Common Criteria): Security Targets
In some cases a Protection Profile contains more SARs than necessary for a certain EAL level. In that case one uses the term augmented: EAL 4 augmented (or EAL4+) means all SARs required in EAL 4 plus some additional ones. When creating a product in compliance with a PP, the manufacturer creates a Security Target for its product, in which it refers to the PP. In the evaluation process the product (TOE) is evaluated against the SFRs by the evaluator (laboratory) in accordance with the SARs. Based on the evaluation report typically another party certifies the product, but in some schemes it is the laboratory itself. In Germany, the Bundesamt für Sicherheit in der Informationstechnik performs the accreditation of the laboratories (Prüfstelle) and issues the certificates based on the evaluations.

Slides 60-65. IT security product certification audits (Common Criteria): PP example (slides 60 and 61), Security Target example (slides 62 and 63), Certificate example (slide 64), NL Certificate example (slide 65) (figures)

Slide 66. IT security product certification audits (Common Criteria): Certification of Secure Signature Creation Devices (SSCDs)
An SSCD is a combination of hardware (chip), a generic operating system and an application. Nowadays many chip applications are applets based on the Java Card platform. In many cases the chip and the Java virtual machine (called JCOP for NXP) are separately certified. In the Dutch context the certification of the SSCD can (roughly) be replaced by a suitably certified platform (chip + Java VM) and a tested Java applet. See NL_GuidanceNote2_June_2010.pdf

Slide 67. IT security product certification audits (Common Criteria): Links for certified products
URL fragment as transcribed: ierungundakkreditierung/zertifizierungnachccundit SEC/ZertifizierteProdukte/zertifizierteprodukte_node. html

Slide 68. Outline
- Audit introduction
- IT security audits in general
- Management system certification audits
- IT security product certification audits (Common Criteria)
- Recap & Practicum

Slide 69. Recap & Practicum
See Blackboard. Please submit before 28 November 2011. Room:


More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 22000 Lead Auditor www.pecb.com The objective of the Certified ISO 22000 Lead Auditor examination is to ensure that the candidate has

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 20000 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 20000 Lead Auditor examination is to ensure that the candidate

More information

Germany and The Netherlands Certification of cryptographic modules

Germany and The Netherlands Certification of cryptographic modules Germany and The Netherlands Certification of cryptographic modules Leo Kool (Msc), Brightsight 18 May 2016, kool@brightsight.com Outline CC and Schemes Evaluation Process and Reporting forms (NSCIB, BSI)

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of WatchGuard and Fireware XTM Operating System v11.5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation

More information

Certification Report

Certification Report Certification Report Security Intelligence Platform 4.0.5 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

Section Qualifications of Audit teams Qualifications of Auditors Maintenance and Improvement of Competence...

Section Qualifications of Audit teams Qualifications of Auditors Maintenance and Improvement of Competence... Section 9. SFI 2010-2014 Audit Procedures and Auditor Qualifications and Accreditation Updated January 2011 Section 9 Introduction... 3 1. Scope... 3 2. Normative Reference... 3 3. Terms and Definitions...

More information

Certification Report

Certification Report Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,

More information

Timber Products Inspection, Inc.

Timber Products Inspection, Inc. Timber Products Inspection, Inc. Product Certification Public Document Timber Products Inspection, Inc. P.O. Box 919 Conyers, GA 30012 Phone: (770) 922-8000 Fax: (770) 922-1290 TP Product Certification

More information

SECURITY CERTIFICATION

SECURITY CERTIFICATION ÉDITION 2018 SECURITY CERTIFICATION OF PRODUCTS BY THE FRENCH NATIONAL CYBERSECURITY AGENCY (ANSSI) PAR L AGENCE NATIONALE DE LA SÉCURITÉ DES SYSTÈMES D INFORMATION Security Visas provide a competitive

More information

IT Security Evaluation and Certification Scheme Document

IT Security Evaluation and Certification Scheme Document IT Security Evaluation and Certification Scheme Document June 2015 CCS-01 Information-technology Promotion Agency, Japan (IPA) IT Security Evaluation and Certification Scheme (CCS-01) i / ii Table of Contents

More information

Certification Report

Certification Report Certification Report Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of McAfee Enterprise Mobility Management 9.7 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT VMware Horizon 6 version 6.2.2 and Horizon Client 3.5.2 12 August 2016 v1.0 File Number 383-4-356 Government of Canada. This document is the property of the Government

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT Dell EMC Unity OE 4.2 383-4-421 22 September 2017 Version 1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be altered,

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of Verdasys Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of

More information

SPECIFIC PROVISIONS FOR THE ACCREDITATION OF CERTIFICATION BODIES IN THE FIELD OF INFOR- MATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)

SPECIFIC PROVISIONS FOR THE ACCREDITATION OF CERTIFICATION BODIES IN THE FIELD OF INFOR- MATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001) BELAC 2-405-ISMS R0 2017 SPECIFIC PROVISIONS FOR THE ACCREDITATION OF CERTIFICATION BODIES IN THE FIELD OF INFOR- MATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001) The only valid versions of the documents

More information

Mobile Felica on CX Virgo platform Version 5.0

Mobile Felica on CX Virgo platform Version 5.0 122 MAINTENANCE REPORT MR1 (supplementing Certification Report No. CRP298) Mobile Felica on Sm@rtSIM CX Virgo platform Version 5.0 Issue 1.0 September 2017 Crown Copyright 2017 All Rights Reserved Reproduction

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT Network Device collaborative Protection Profile Extended Package SIP Server 383-6-4 9 August 2017 Version 1.0 Government of Canada. This document is the property of

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 9001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 9001 Lead Auditor examination is to ensure that the candidate possesses

More information

Certification Report

Certification Report Certification Report McAfee Enterprise Security Manager with Event Receiver, Enterprise Log Manager, Advanced Correlation Engine, Application Data Monitor and Database Event Monitor 9.1 Issued by: Communications

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT EMC RecoverPoint v4.4 SP1 19 May 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority of the Chief, Communications Security

More information

Guidance for Requirements for qualified trust service providers: trustworthy systems and products

Guidance for Requirements for qualified trust service providers: trustworthy systems and products Guidance for Requirements for qualified trust service providers: trustworthy systems and products Note on using the guidance: examples are used throughout they are not normative or exclusive, but there

More information

Certification Report

Certification Report Certification Report Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security

More information

eidas Workshop Return on Experience from Conformity Assessment Bodies - EY June 13, 2016 Contacts: Arvid Vermote

eidas Workshop Return on Experience from Conformity Assessment Bodies - EY June 13, 2016 Contacts: Arvid Vermote eidas Workshop Return on Experience from Conformity Assessment Bodies - EY June 13, 2016 Contacts: Arvid Vermote arvid.vermote@be.ey.com EY eidas Certification scheme Scheme EY CertifyPoint B.V. is currently

More information

Certification Report

Certification Report Certification Report McAfee Management for Optimized Virtual Environments Antivirus 3.0.0 with epolicy Orchestrator 5.1.1 Issued by: Communications Security Establishment Certification Body Canadian Common

More information

IT Security Evaluation : Common Criteria

IT Security Evaluation : Common Criteria AfriNIC-9 MEETING Mauritius 22-28 November 2008 IT Security Evaluation : Common Criteria Ministry of Communication Technologies National Digital Certification Agency Mounir Ferjani November 2008 afrinic

More information

Certification Report

Certification Report Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 14001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 14001 Lead Auditor examination is to ensure that the candidate

More information

Certification Report

Certification Report Certification Report EMC Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,

More information

Certification Report

Certification Report Certification Report EMC NetWorker v8.0.1.4 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada,

More information

Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Telecommunication Standardization Bureau (TSB) Consultant

Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Telecommunication Standardization Bureau (TSB) Consultant Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Standardization Bureau (TSB) Consultant Moscow, 9-11 november 2011 Contents The benefits of conformity assessment Conformity

More information

Certification Report

Certification Report Certification Report McAfee File and Removable Media Protection 4.3.1 and epolicy Orchestrator 5.1.2 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation

More information

Advent IM Ltd ISO/IEC 27001:2013 vs

Advent IM Ltd ISO/IEC 27001:2013 vs Advent IM Ltd ISO/IEC 27001:2013 vs 2005 www.advent-im.co.uk 0121 559 6699 bestpractice@advent-im.co.uk Key Findings ISO/IEC 27001:2013 vs. 2005 Controls 1) PDCA as a main driver is now gone with greater

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of McAfee Deep Defender 1.0.1 and epolicy Orchestrator 4.6.1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT CA Technologies CA API Gateway v9.2 10 October 2017 383-4-417 V 1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be

More information

BSI-PP for. Protection Profile Waste Bin Identification Systems (WBIS-PP) Version developed by. Deutscher Städte- und Gemeindenbund

BSI-PP for. Protection Profile Waste Bin Identification Systems (WBIS-PP) Version developed by. Deutscher Städte- und Gemeindenbund Bundesamt für Sicherheit in der Informationstechnik BSI-PP-0010-2004 for Protection Profile Waste Bin Identification Systems (WBIS-PP) Version 1.04 developed by Deutscher Städte- und Gemeindenbund - Bundesamt

More information

Certification of Quality Management Systems with respect to Product Compliance

Certification of Quality Management Systems with respect to Product Compliance Certification of Quality Management Systems with respect to This document describes in detail the steps Telefication follows for certification of the various Quality Management Systems with respect to.

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO 50001 Lead Auditor The objective of the PECB Certified ISO 50001 Lead Auditor examination is to ensure that the candidate has the knowledge and skills to plan

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 27001 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 27001 Lead Auditor examination is to ensure that the candidate

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT McAfee Data Loss Prevention 11.0 with epolicy Orchestrator 5.9.0 4 January 2018 383-4-429 Version 1.0 Government of Canada. This document is the property of the Government

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running JUNOS 11.4R2

More information

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research. CONTENTS i. INTRODUCTION 3 ii. OVERVIEW SPECIFICATION PROTOCOL DOCUMENT DEVELOPMENT PROCESS 4 1. SCOPE 5 2. DEFINITIONS 5 3. REFERENCES 6 4. MANAGEMENT STANDARDS FOR APPROVED CERTIFICATION BODIES 6 4.1

More information

ETHIOPIAN NATIONAL ACCREDITATION OFFICE. Minimum Requirements For The Operation Of Product Certification Bodies

ETHIOPIAN NATIONAL ACCREDITATION OFFICE. Minimum Requirements For The Operation Of Product Certification Bodies ETHIOPIAN NATIONAL ACCREDITATION OFFICE Minimum Requirements For The Operation Of Product Certification Bodies April 2011 Page 1 of 7 NO CONTENTS Page 1. Introduction 2 2. Scope 2 3. Definitions 2 4 Management

More information

BSI-CC-PP for. Java Card Protection Profile - Open Configuration, Version December developed by. Oracle Corporation

BSI-CC-PP for. Java Card Protection Profile - Open Configuration, Version December developed by. Oracle Corporation BSI-CC-PP-0099-2017 for Java Card Protection Profile - Open Configuration, Version 3.0.5 December 2017 developed by Oracle Corporation Federal Office for Information Security (BSI), Postfach 20 03 63,

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO/IEC 17025 Lead Auditor The objective of the PECB Certified ISO/IEC 17025 Lead Auditor examination is to ensure that the candidate possesses the needed expertise

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT McAfee Policy Auditor 6.4 with epolicy Orchestrator 5.10 5 November 2018 383-4-455 V1.0 Government of Canada. This document is the property of the Government of Canada.

More information

Certification Report

Certification Report Certification Report Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications Security Establishment,

More information

BSI-PP for. Protection Profile Secure Signature-Creation Device Type 3, Version developed by

BSI-PP for. Protection Profile Secure Signature-Creation Device Type 3, Version developed by BSI-PP-0006-2002 for Protection Profile Secure Signature-Creation Device Type 3, Version 1.05 developed by CEN/ISSS Information Society Standardization System, Workshop on Electronic Signatures - Bundesamt

More information

CCM 4350 Week 22. Security Architecture and Engineering. Dr A. Lasebae School of Science and Technology CCM4350 1

CCM 4350 Week 22. Security Architecture and Engineering. Dr A. Lasebae School of Science and Technology CCM4350 1 CCM 4350 Week 22 Security Architecture and Engineering Dr A. Lasebae School of Science and Technology CCM4350 1 Security Evaluation CCM4350 2 Security Evaluation How do you get assurance that your computer

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of JUNOS-FIPS for SRX Series version 10.4R4 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 18/EN WP261 Article 29 Working Party Draft Guidelines on the accreditation of certification bodies under Regulation (EU) 2016/679 Adopted on 6 february 2018 1 THE

More information

Certification Report

Certification Report Certification Report Curtiss-Wright Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications

More information

PROTERRA CERTIFICATION PROTOCOL V2.2

PROTERRA CERTIFICATION PROTOCOL V2.2 PROTERRA CERTIFICATION PROTOCOL V2.2 TABLE OF CONTENTS 1. Introduction 2. Scope of this document 3. Definitions and Abbreviations 4. Approval procedure for Certification Bodies 5. Certification Requirements

More information

Legal Regulations and Vulnerability Analysis

Legal Regulations and Vulnerability Analysis Legal Regulations and Vulnerability Analysis Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security) Germany Introduction of the BSI National Authority for Information

More information

Juniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2

Juniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2 122 ASSURANCE MAINTENANCE REPORT MR2 (supplementing Certification Report No. CRP248 and Assurance Maintenance Report MR1) Juniper Networks EX3200 and EX4200 Switches running JUNOS 9.3R2 Version 9.3R2 Issue

More information

Juniper Networks J2300, J2350, J4300, M7i and M10i Services Routers running JUNOS 8.5R3

Juniper Networks J2300, J2350, J4300, M7i and M10i Services Routers running JUNOS 8.5R3 122 ASSURANCE MAINTENANCE REPORT MR3 (supplementing Certification Report No. CRP237 and Assurance Maintenance Reports MR1 and MR2) Juniper Networks J2300, J2350, J4300, M7i and M10i Services Routers running

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of Netsight/Network Access Control v3.2.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

BSI-CC-PP for. FIDO Universal Second Factor (U2F) Authenticator, Version 1.0. developed by. Federal Office for Information Security

BSI-CC-PP for. FIDO Universal Second Factor (U2F) Authenticator, Version 1.0. developed by. Federal Office for Information Security for FIDO Universal Second Factor (U2F) Authenticator, Version 1.0 developed by Federal Office for Information Security Federal Office for Information Security (BSI), Postfach 20 03 63, 53133 Bonn, Germany

More information

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 Adopted on 25 May 2018 Contents 1. Introduction... 2 1.1. Scope

More information

Certification Report

Certification Report Certification Report EAL 2+ Evaluation of EMC Celerra Network Server Version 5.5 running on EMC Celerra NSX and EMC Celerra NS series Issued by: Communications Security Establishment Certification Body

More information

Checklist According to ISO IEC 17024:2012 for Certification Bodies for person

Checklist According to ISO IEC 17024:2012 for Certification Bodies for person Name of Certifying Body Address of Certifying Body Case number Date of assessment With several locations Yes No Assessed locations: (Name)/Address: (Name)/Address: (Name)/Address: Assessed area (technical

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of Xerox WorkCentre 5632/5638/5645/5655/5665/5675/5687 Multifunction Systems Issued by: Communications Security Establishment Canada Certification Body Canadian Common

More information

BSI-CC-PP for

BSI-CC-PP for for Common Criteria PP Configuration Machine Readable Electronic Documents - Optionales Nachladen (Optional Post-Emission Updates) [MR.ED-ON-PP] developed by Federal Office for Information Security Federal

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT WorkCentre 7525/7530/7535/7545/7556 with FIPS 140-2 Compliance over SNMPv3 25 July 2016 v1.0 383-4-371 Government of Canada. This document is the property of the Government

More information

ASSURANCE MAINTENANCE REPORT MR3 (supplementing Certification Report No. CRP248) Version 9.3R1. Issue 1.0 April 2011

ASSURANCE MAINTENANCE REPORT MR3 (supplementing Certification Report No. CRP248) Version 9.3R1. Issue 1.0 April 2011 122 ASSURANCE MAINTENANCE REPORT MR3 (supplementing Certification Report No. CRP248) Juniper Networks M7i, M10i, M40e, M120, M320, T320, T640, T1600, MX240, MX480 and MX960 Services Routers and EX3200,

More information

Certification Report

Certification Report Certification Report Nutanix Virtual Computing Platform v3.5.1 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 37001 Lead Auditor www.pecb.com The objective of the Certified ISO 37001 Lead Auditor examination is to ensure that the candidate possesses

More information

Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems Provläsningsexemplar / Preview INTERNATIONAL STANDARD ISO/IEC 27006 Third edition 2015-10-01 Information technology Security techniques Requirements for bodies providing audit and certification of information

More information

ISO/IEC :2015 IMPACT ON THE CERTIFIED CLIENT

ISO/IEC :2015 IMPACT ON THE CERTIFIED CLIENT ISO/IEC 17021-1:2015 IMPACT ON THE CERTIFIED CLIENT P R E S E N T E D B Y S H A N N O N C R A D D O C K, P R O G R A M S & A C C R E D I T A T I O N S M A N A G E R TODAY S APPROACH What is ISO/IEC 17021-1:2015?

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT EMC VPLEX v5.5 Version 1.0 11 May 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority of the Chief, Communications Security

More information

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 27006 First edition 2007-03-01 Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

More information

Trusted OS Design CS461/ECE422

Trusted OS Design CS461/ECE422 Trusted OS Design CS461/ECE422 1 Reading Material Section 5.4 of Security in Computing 2 Design Principles Security Features Kernelized Design Virtualization Overview 3 Design Principles Simplicity Less

More information

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability Session 2: Conformity Assessment Principles 12-16 October 2015 Beijing, China Keith Mainwaring ITU Expert Agenda 1. Context

More information

Global Wind Organisation CRITERIA FOR THE CERTIFICATION BODY

Global Wind Organisation CRITERIA FOR THE CERTIFICATION BODY Global Wind Organisation CRITERIA FOR THE CERTIFICATION BODY December 2015 (Version 3) 1 Contents 1. Introduction... 5 2. Criteria for approval of a Certification Body... 5 3. Selection of audit team members

More information

Digital Tachograph Smart Card (Tachograph Card)

Digital Tachograph Smart Card (Tachograph Card) Digital Tachograph Smart Card (Tachograph Card) Compliant to EU Commission Regulation 1360/2002, Annex I(B), Appendix 10 BSI-CC-PP-0070 Version 1.02, 15 th of November 2011 Tachograph Smart Card Version

More information

Building an Assurance Foundation for 21 st Century Information Systems and Networks

Building an Assurance Foundation for 21 st Century Information Systems and Networks Building an Assurance Foundation for 21 st Century Information Systems and Networks The Role of IT Security Standards, Metrics, and Assessment Programs Dr. Ron Ross National Information Assurance Partnership

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT Lexmark CX920, CX921, CX922, CX923, CX924, XC9235, XC9245, XC9255, and XC9265 Multi-Function Printers 7 February 2018 383-4-434 V1.0 Government of Canada. This document

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT Dell Data Protection Encryption Personal Edition Version 8.14.0 383-4-416 2 October 2017 v1.1 Government of Canada. This document is the property of the Government

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT CA Privileged Access Manager Version 2.5.5 v1.2 8 August 2016 FOREWORD This certification report is an UNCLASSIFIED publication, issued under the authority of the Chief,

More information