Section 27
Certify Computer Security
Some computer security risks threaten the very existence of an organization. Critical decisions regarding the adequacy of security safeguards in sensitive applications must be made by managers and must be based on reliable technical information. Computer security certification provides managers with such information. A major advantage of a security certification program is the increased security awareness created by the certification process.
This is an optional step in information systems audit. It should be performed when security is important to the successful operation of the system. To provide a certification (or opinion) on the adequacy of security controls, the IT auditor must examine the controls, identify security risks, and provide recommendations on how they can be reduced.
CERTIFICATION TASKS
Certification consists of a technical evaluation of a sensitive application to see how well it meets security requirements. The process is composed of five tasks:
- Planning. This involves performing a quick, high-level review of the entire system to understand the issues, placing boundaries on the effort, partitioning the work within those boundaries, identifying areas of emphasis, and drawing up the certification plan.
- Data collection. Critical information that needs to be collected includes system security requirements; risk analysis data showing threats and assets; system flow diagrams showing input, processing steps, and output, plus transaction flows for important transaction types; and a listing of application system controls. If this information is not available in documents, it should be obtained from application personnel by use of tutorial briefings and interviews.
- Basic evaluation. A basic evaluation is always performed in a certification. Its three subtasks are:
  - Security requirements evaluation. Are the security requirements documented and acceptable? If not, they must be formulated from requirements implied in the application, and compared with federal, state, organizational, and user requirements.
  - Control implementation determination. The IT auditor must verify that security functions have been implemented. Physical and administrative controls require visual inspection; controls internal to the computer require testing.
  - Methodology review. The IT auditor must review the acceptability of the implementation method (e.g., documentation, project controls, development tools used, skills of personnel).
- Detailed evaluation. In application areas in which a basic evaluation does not provide enough evidence for a certification, the quality of the security safeguards is analyzed by using one or more of three points of view:
  - Functional operation. Do controls function properly (e.g., parameter checking, error monitoring)?
  - Performance. Do controls satisfy performance criteria (e.g., availability, survivability, accuracy)?
  - Resistance. Can controls be easily broken or circumvented? (This establishes confidence in safeguards.)
- Report of findings. This is the primary product of a certification. It contains both technical and management security recommendations. It should summarize applied security standards or policies, implemented controls, major vulnerabilities, corrective actions, operational restrictions, and the certification process used, and should include a proposed accreditation statement.
The basic evaluation is high level and is the minimum requirement for security certification. In general, a basic evaluation suffices for most aspects of an application under review. Most security tests, however, need detailed work in problem areas and therefore require a detailed evaluation as well.
The time and resources required to perform a security test vary widely from case to case. In all instances, however, potential security risks must be weighed against certification costs. If the risk is low, certification costs must also be kept low. Risk analysis can help decide the degree of certification review that should be performed on an application. Typical staff resources for security testing vary from several days to many months. Minimum products required from certification and accreditation are a security evaluation report and an accreditation statement.
The certification process described here identifies what must be done and presents a general functional view of how to accomplish it. It does not present a detailed step-by-step method for performing security evaluation. The specifics of security testing differ widely from case to case, and any evaluation method must be adapted to meet individual needs. There is no shortcut to avoid the analysis required for this situational adaptation. Detailed methods and aids (e.g., matrices, flowcharts, and checklists) are helpful in the adaptation process; a test procedure tailored in this way organizes and focuses the test process. Because the security certification process described is at a functional level, it can be applied both to applications under development and to those already operational. Functionally, the two situations are similar; both include a review of similar application documentation (e.g., functional requirements documents and test procedures and reports).
Nevertheless, the detailed evaluation methods used within the certification process differ for the two situations because of differences in the following areas:
- Available data. Certification performed in parallel with development is more likely to have security-relevant products from the developers available. Such products might include vulnerability analyses and security design tradeoff analyses. Certification performed on operational systems has such operational documents as problem reports, audit journal data, availability statistics, and violation reports, which are not available during development. Applications under development might be reviewed for acceptability by several offices or by a project steering committee; these reviews can be used to gather evidence for certification. For operational applications, users can be interviewed and can provide unique forms of evidence based on their personal experience.
- Organization of work. Certification activity during development is event-driven, being interleaved with the development process and based primarily on the availability of application documentation. Interim certification findings can be used to influence the development process itself. Certification work assignments can thus have peaks and valleys of activity as the development process occurs. Evaluations of an operational application can follow a more circumscribed, project-oriented structure and rely on a skill-based partitioning of the application.