Haris Hamidovic, CIA, ISMS IA, IT Project+
Government and commercial organizations rely heavily on the use of information to conduct their business activities. Loss of confidentiality, integrity, availability, accountability, authenticity and reliability of information and services can have an adverse impact on organizations. Consequently, there is a critical need to protect information and to manage the security of IT systems within organizations. Alongside significant benefits, every new technology introduces new challenges for the protection of this information. The requirement to protect information is particularly important in today’s environment because many organizations are internally and externally connected by networks of IT systems.1
IT systems are prone to failure and security violations due to errors and vulnerabilities. These errors and vulnerabilities can be caused by many factors, such as rapidly changing technology, human error, poor requirement specifications, poor development processes or underestimating the threat. In addition, system modifications, new flaws and new attacks are frequently introduced, which contributes to increased vulnerabilities, failures and security violations throughout the IT system life cycle.2
The industry came to the realization that it is almost impossible to guarantee an error-free, risk-free and secure IT system due to the imperfection of the opposing security mechanisms, human error or oversight, and component or equipment failure.3
Completely secure IT systems do not exist; there are only systems in which the owners may have varying degrees of confidence that the security needs of the system are satisfied.4
In addition, many information systems have not been designed to be secure. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures.5
The task of IT security (ITS) engineering and management is to manage the security risk by mitigating the vulnerabilities and threats with technological and organizational security measures to achieve an IT system with acceptable assurance. ITS management has an additional task: establishing acceptable assurance and risk objectives. In this way, the stakeholders of an IT system will achieve reasonable confidence that the IT system performs in the way intended or claimed, with acceptable risk and within budget.6
ISO/IEC TR 15443 Information technology—Security techniques—A framework for IT security assurance is a multipart technical report intended to guide ITS professionals in the selection of an appropriate assurance method when specifying, selecting or deploying a security service, product or environmental factor (known as a “deliverable”).7 The objective of ISO/IEC TR 15443 is to present a variety of assurance methods and to guide the ITS professional in the selection of an appropriate assurance method (or combination of methods) to achieve confidence that a given IT system satisfies its stated ITS assurance requirements. ISO/IEC TR 15443 analyzes assurance methods that may not be unique to ITS; however, guidance given in the standard is limited to ITS requirements. This article introduces the fundamental concepts of ITS assurance based on ISO/IEC TR 15443.
It is important to emphasize that assurance and confidence are not identical and cannot be used in place of one another. Too often, these terms are used incorrectly because they are closely related.8
ISO/IEC TR 15443 defines these terms as follows: “Confidence, from the perspective of an individual, is related to the belief that one has in the assurance of an entity, whereas assurance is related to the demonstrated ability of an entity to perform its security objectives. Assurance is determined from the evidence produced by the assessment process of an entity.”9
For security engineering, “assurance” is defined as the degree of confidence that the security needs of a system are satisfied.10 Assurance does not add any additional controls to counter risks related to security, but it does provide confidence that the controls that have been implemented will reduce the anticipated risk. Assurance can also be viewed as the confidence that the safeguards will function as intended.11
It is also important to understand that assurance does not automatically imply good security. Assurance implies only that an enterprise meets its security objectives. In other words, assurance provides confidence that the deliverable enforces its security objectives without examining whether the security objectives appropriately address risk and threats.12
In terms of ITS, adequate assurance signifies that specific, predefined security assurance requirements have been satisfied by performing appropriate assurance processes and activities.13
Security assurance requirements are determined by “analyzing the security requirements of the IT system, influencers, policies, business drivers and the IT system’s target environment. Influencers are any considerations that need to be addressed as they may affect the IT system assurance requirements. The influence can have any origin and may include such intangibles as politics, culture, local laws and mandated requirements.”14
Security is concerned with the protection of assets. “Assets” are entities upon which someone places value.15 Many assets are in the form of information that is stored, processed and transmitted by IT products to meet requirements laid down by owners of the information. Safeguarding assets of interest is the responsibility of the owners who place value on those assets. Actual or presumed threat agents may also place value on the assets and seek to abuse assets in a manner contrary to the interests of the owner.16
A risk assessment is performed to provide an in-depth look at asset sensitivity, vulnerabilities and threats to determine the residual risk and recommendations for existing and proposed safeguards. The recommendations implemented are factored into the original security requirements to revise the security assurance requirements.
It is also important to note that “assurance requirements are unique to each environment due to the myriad business and security requirements of each environment. The same IT system may not be suitable to other environments without modifications because different assurance requirements will usually need to be satisfied.”17
Application of appropriate assurance activities establishes confidence that the IT system satisfies its security objectives. Confidence is realized by reviewing the assurance evidence gained through assessment processes and activities during development, deployment and operation and through experience gained in using the IT system. Any activities that can reduce uncertainty by producing evidence attesting to the correctness, effectiveness and quality of the IT system’s attributes are useful in determining security assurance.18
There are many existing assurance methods, but only a small number are specific to ITS. However, non-ITS assurance methods may also contain certain assurance properties that are relevant to ITS assurance.19 Due to the small number of available assurance methods specific to ITS, it is important to recognize the value of all assurance methods, since many nonsecurity-related assurance methods are used throughout the IT industry. Anything that can be used to construct an assurance argument and, thereby, reduce the uncertainty associated with a particular deliverable is of considerable importance.20
Selecting a security assurance method and the appropriate amount of assurance should be based on the organizational security assurance policy, business requirements and type of deliverable (i.e., product, process, environment, system, service or personnel). For example, some assurance methods are applicable only to processes (e.g., ISO/IEC 21827), others are applicable to products (e.g., ISO/IEC 15408 Information technology—Security techniques—Evaluation criteria for IT security) and others are applicable to security management (e.g., ISO/IEC 27001 Information technology—Security techniques—Information security management systems—Requirements). The following are brief descriptions of three commonly used models:
The selected assurance method should be compatible with the organization’s environment and should be capable of examining the desired attributes and life-cycle stages of the deliverable. The assurance method selection must take into account available resources (e.g., time, personnel, budget) to ensure that the resources expended are reasonable for the type and amount of assurance obtained.
Assurance methods can be categorized into three high-level approaches:26
ISO/IEC TR 15443 defines these three high-level approaches as follows. Assessment of a deliverable involves an examination of the deliverable (e.g., product, system, service). In this case, these assurance methods examine the deliverable and its associated security design documentation independent of the development processes.
Assessment of a process involves an examination of the organizational processes used in the production and operation of the deliverable throughout its life cycle (i.e., development, deployment, delivery, testing, maintenance, disposal). Assurance is gained through the inference that the processes implemented by people affect the quality of the development and implementation of the deliverable and, therefore, yield security assurance when applied to ITS deliverables.
Assessment of the environment involves an examination of the environmental factors that contribute to the quality of the processes and the production of the deliverable (it does not examine a deliverable or process directly). These factors include personnel and physical facilities (e.g., development, production, delivery, operation).
Assurance methods produce specific types of assurance depending on their technical and life-cycle focus. Some of the more widely known assurance methods for a given focus include:27
Assurance can be viewed as the confidence that safeguards will function as intended. This confidence derives from the properties of correctness and effectiveness.28
“Correctness assurance” refers to the assessment of the deliverable to verify the correct implementation according to the design. In contrast, “effectiveness assurance” refers to the suitability of the deliverable’s security functions to counter the perceived or identified threats.29
The concept can be illustrated with two examples from ISO/IEC TR 15443:30
Traditionally, assurance has been associated only with IT products and systems composed of hardware or software and referred to as “product assurance” or “system assurance.” It is now recognized that to address a wider range of risks, there is a need for assurance of other security objectives such as a security service, process, personnel, organization or other environmental factors.
Assurance may be sought by the stakeholders of IT systems who have assets at risk in those systems. Therefore, the determination of an acceptable assurance method and level of assurance may be required and/or influenced by the stakeholders.
Assurance does not add any safeguards or services to the deliverable. Thus, it is sometimes difficult for nonsecurity personnel to understand what benefit they are receiving from the investment of resources in assurance.
Direct quantification or valuation of the contribution of assurance, or of increased assurance, to the organization is not easy to achieve. However, increased assurance of a security control reduces the uncertainty associated with the risk, specifically the vulnerability components of the risk that the control is implemented to address.
It is necessary to understand how each assurance method establishes assurance in order to decide whether a particular assurance method will satisfy the organization’s assurance requirements.
1 International Organization for Standardization (ISO), ISO/IEC 13335-1:2004 Information technology—Security techniques—Management of information and communications technology security—Part 1: Concepts and models for information and communications technology security management, Switzerland, 2004
2 ISO, ISO/IEC TR 15443-1:2005 Information technology—Security techniques—A framework for IT security assurance—Part 1: Overview and framework, Switzerland, 2005
3 Ibid.
4 Dražen, Dragicevic; Computer Crime and Information Systems, Informator Zagreb (in Croatian), 1999
5 ISO, ISO/IEC 27002:2005 Information technology—Security techniques—Code of practice for information security management, Switzerland, 2005
6 Op cit, ISO/IEC TR 15443-1:2005
7 Ibid.
8 Ibid.
9 Ibid.
10 US National Institute of Standards and Technology (NIST), NIST Internal Report (NISTIR) 5472 A Head Start on Assurance: Proceedings of an Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness, USA, 1994
11 ISO, ISO/IEC 21827:2002 Information technology—Systems Security Engineering—Capability Maturity Model® (SSE-CMM®), Switzerland, 2002
12 Op cit, ISO/IEC TR 15443-1:2005
13 Ibid.
14 Ibid.
15 ISO, ISO/IEC 15408-1:2009 Information technology—Security techniques—Evaluation criteria for IT security—Part 1: Introduction and general model, Switzerland, 2009
16 Ibid.
17 Op cit, ISO/IEC TR 15443-1:2005
18 Ibid.
19 For example, while ISO 9000 Quality management systems is a quality assurance standard originally intended for manufacturing organizations, it also contains process assurance properties applicable to software and, as such, to ITS software products and systems.
20 Op cit, ISO/IEC TR 15443-1:2005
21 Op cit, ISO 2002
22 Op cit, ISO 2009
23 Op cit, ISO/IEC 27002:2005
24 Ibid.
25 ISO, ISO/IEC 27001:2005 Information technology—Security techniques—Information security management systems—Requirements, Switzerland, 2005
26 Op cit, ISO/IEC TR 15443-1:2005
27 Ibid.
28 Op cit, ISO 2002
29 Op cit, ISO/IEC TR 15443-1:2005
30 Ibid.
Haris Hamidovic, CIA, ISMS IA, IT Project+, is chief information security officer at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North American Treaty Organization-led Stabilization Force in Bosnia and Herzegovina. He is the author of five books and more than 70 articles for business and IT-related publications. Hamidovic is a certified IT expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina and the Federal Ministry of Physical Planning of Bosnia and Herzegovina. He is a doctoral candidate in critical information infrastructure protection at the Dzemal Bijedic University, in Mostar, Bosnia and Herzegovina.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2012 ISACA. All rights reserved.