Course Description
This course takes a deeper look at the governance and risk elements of cybersecurity. It starts with a focus on cyber and legal frameworks, then moves into information assurance. After this, it moves into risk management and treatment, followed by service assurance and standards. Finally the course ends with software security assurance and threat modelling.
Learning Objectives
The objectives of this course are to provide you with an understanding of:
- Legislation, chain of custody, reporting and assurance within the context of a legal framework, including an overview of the Data Protection Act (DPA 2018) and the EU General Data Protection Regulation (GDPR)
- The drivers for UK Information Assurance, initiatives and programmes, risk assessment vs risk management, risk components
- Business context and risk management approach, risk management lifecycle, who delivers risk management and where in the lifecycle, understanding the context, legal and regulatory. Risk treatment: identifying the ways of treating risks, methods of gaining assurance, understanding the nature of residual risk, collecting evidence that supports decisions, risk management decisions
- Assurance perspective, including CPA, CAPS, FIPS, CE, Common Criteria, SPF. Summary of common industry standards (including OWASP, ISO 27001, PCI-DSS)
- Principles for software security, (securing the weakest link, defence in depth, failing securely, least privilege, separation of privilege), IA design principles
- What is threat modelling, threat modelling processes
- Risk mitigation options
Intended Audience
This course is ideal for members of cybersecurity management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
Prerequisites
There are no specific prerequisites to study this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
Feedback
We welcome all feedback and suggestions. Please contact us at support@cloudacademy.com if you are unsure about where to start or if you would like help getting started.
Welcome to this video on Service Assurance and Standards.
We’ll look at what is meant by assurance, and a number of the standards and frameworks that could be used in assessing an organization’s security position. You'll cover:
- Assurance services; and
- Assurance accreditation
Firstly, let’s look at what is meant by assurance. The definition we will use for assurance is that it involves:
‘confirming that the security controls that have been selected to reduce risks are in place and are effective’.
Assurance is an on-going process. It is vital at the beginning of the operational lifecycle of any system, but is also required throughout the system’s lifetime.
The diagram shows the layout of a four-layer security assurance framework:
- Intrinsic assurance involves looking at how the system is built, and asks questions about the system. For example, was security baked-in to the system development lifecycle? Was the supply chain thoroughly verified? Did the system undergo a formal assurance process?
- Extrinsic assurance involves investigating the system from the outside, such as vulnerability or penetration testing.
- Implementation assurance refers to how we actually implement security into the system, and checks the implementation for compliance with audit policies or an Information Technology Health Check.
- Finally, operational assurance looks at the on-going checks to ensure that the system is functioning correctly.
There are a number of assurance services available, and this slide lists many of those available in the United Kingdom. The UK government has launched a number of cyber-security initiatives. As can be seen in the slide, many of these are associated with the National Cyber Security Centre, or NCSC. This organization is a part of Government Communications Headquarters, or GCHQ.
These services can assist an organization in assuring the security in their goods and services, as well as their overall security position. Commercial Product Assurance (CPA) evaluates vendor products, meaning potential customers can see that the product has received external assurance from cyber-security experts.
Common Criteria is an International Standards Organization (ISO) scheme that achieves the same thing.
The CHECK, IT Health Check, CREST and Tiger schemes are for assessing an organization’s security position. The first two are UK government sponsored, with Tiger being an initiative of the University of South Wales. CREST is a multi-national organization.
The NCSC offers other services in the information assurance and cyber-security arena, such as Intrusion Detection, Technical Design reviews and other Cyber-Security consultancy.
G-Cloud is a UK government initiative designed to help organizations with sourcing cloud services. The Cyber Essentials Scheme is aimed at all organizations, and is designed to help them in thinking about the cyber-threats they may face. The Cyber Security Model is for organizations that wish to work with the UK’s Ministry of Defense. Finally, the Public Service Network is a network infrastructure run by the government which helps public sector organizations work together, reduce duplication and share resources.
A Security Policy Framework has a number of security objectives, including good governance, culture, risk management, and technological and physical security, amongst others. Good governance requires that the senior leaders within an organization have oversight of security compliance.
One of the easiest ways that an organization can improve its security position is to adopt a security culture. Training and awareness for staff ensures that their behavior is consistent with the required level of security and is appropriate. Assurance is not a one-time, tick-box exercise; the threat landscape is constantly shifting, and it is vital that an organization regularly checks that its security processes remain effective. Ultimately, any organization adopts a security position so that it can protect the information it holds, and it will need to verify that its chosen security controls are effective in achieving this.
When looking to secure technology and services, it is important to adopt a risk-based approach. You need to understand what technologies your organization employs and what the risks are to those technologies; that is, you need to be informed about the risks you face so that you can apply the appropriate security controls.
People are a vital part of any organization, and it is essential that any assurance program extends to ‘securing the person’. Insider risk refers to the risk from trusted staff posing an intentional or unintentional threat to the organization’s security.
An assessment of these risks, along with an appropriately robust system for vetting staff, allows the organization to obtain the required level of assurance. Security assurance must include consideration of the physical security of the organization.
It is no use employing technology based security solutions such as firewalls or similar technology, only for the door to your datacenter to have no locks, and thus, no security. An attacker will bypass all of your network controls and simply find a way to gain physical access to your data assets.
Finally, organizations must plan for how they respond to security incidents. Again, this is not a one-time effort. The assessment of the organization’s risk needs regular review, particularly where that risk concerns a critical asset. Any critical asset must have a plan in place to ensure its resilience in the face of a security incident.
A number of certification schemes are available to organizations that wish to prove their competence in cyber security. The ISO schemes are offered by the International Organization for Standardization, with ISO 27001 and its related standards relating to Information Security Management. ISO 28000 relates to security assurance in the supply chain.
The Cloud Security Alliance is a not-for-profit organization dedicated to promoting the use of best practices for providing security assurance within cloud computing, and providing education on the uses of cloud computing to help secure all other forms of computing. The CBEST scheme was developed in conjunction with the Bank of England, and is aimed at testing and improving the cyber resilience of the UK’s financial sector.
Other schemes include the aforementioned Cyber Essentials Scheme and the Cyber Security Model. We shall now look at some of these standards in more depth.
ISO 27001 is regarded as the ‘gold standard’ in Information Security Management. Any organization that has achieved ISO 27001 certification has demonstrated a serious commitment to security and a deep understanding of its security position.
There are some caveats though. Not all certifying bodies are recognized by the United Kingdom Accreditation Service (UKAS), which could cast some doubts over the value of an assessment carried out by one of these bodies.
ISO 27001 is heavily focused towards cyber risk, but the auditors used by the certifying body may not have the same bias towards cyber risk. Again, this may cast some doubts over the value of an assessment carried out by one such auditor.
ISO 28000 is focused on Security Management within the Supply Chain. It doesn’t assess the security of any given supplier. Rather, it examines the security of the transportation systems used in the supply chain. As such, it is more focused towards personnel and physical security, rather than cyber.
The Cyber Essentials Scheme is a UK government scheme aimed at any organization that wants to demonstrate that it is thinking about its cyber-security.
The scheme requires the organization to complete a self-assessment of its cyber security position against a questionnaire issued by the scheme. The answers given are checked by an external assessor, who may request evidence. The Cyber Essentials Plus accreditation further includes an external penetration test. Any organization that wishes to work on a UK government contract needs to attain the accreditation.
The Ministry of Defense Cyber Security Model is similar to the Cyber Essentials Scheme, but relates to organizations that wish to work on MoD contracts. Depending on the type of service included in the contract, there are varying levels of assurance. This ensures that any contractor working on high security contracts is subject to a demanding cyber security assessment.
The contractor is responsible for making decisions about the level of assurance required from their suppliers.
The Cloud Security Alliance (CSA), introduced above, is a not-for-profit organization dedicated to promoting best practices for security assurance within cloud computing, and to educating on the uses of cloud computing to help secure all other forms of computing.
This organization was established in 2008 by a group of individuals who wanted to provide objective user guidance on the adoption and use of cloud computing. One of the key products from the CSA is the Cloud Controls Matrix, or CCM. It is an integral part of the overall Governance, Risk Management and Compliance framework.
The CCM applies to cloud service providers, but can be used by cloud customers to assess their risk when utilizing a cloud service. The CCM is derived, in parts, from many of the other popular security frameworks, but with a particular focus on cloud concerns. Like many other assurance frameworks, the CCM correlates with a questionnaire process for gathering information. This questionnaire is called the Consensus Assessments Initiative, or CAI.
The Common Criteria are an ISO standard for evaluating the security of IT products. There are seven levels of assessment; it should be noted that these seven levels refer only to the depth to which the product has been evaluated, not the actual security of the product.
The diagram shows how a product can be assessed under the Common Criteria. Users specify their functional, assurance and security requirements for a product. These are developed into a product, and the developer makes claims about how well the product matches the users' requirements. The product is then evaluated against the vendor’s claims, and an appropriate assessment level is awarded.
The NCSC also has its own framework for evaluating the security of technology products. This framework is called Commercial Product Assurance, or CPA. It is used for evaluating Commercial Off-The-Shelf, or COTS, products, and the evaluation is carried out against published standards for security and development. The evaluation awards a grade to the product showing that it is suitable for use with information classified as Official under the Government Protective Marking Scheme.
In common with the Common Criteria process, CPA produces a list of security requirements that are published and taken up by vendors. The vendors create a product which attempts to meet these requirements, and this product is tested to verify if it does. Should it do so, then the product is certified as such.
The Federal Information Processing Standard, or FIPS, is a US-based standard relating to cryptographic assurance. FIPS is managed by the National Institute of Standards and Technology (NIST). There are four levels of assurance in the scheme, demonstrating the level of cryptographic assurance that the product offers, as shown in the table.
Control Objectives for Information and Related Technologies, or COBIT, is a good-practice framework for the governance and management of IT. It is a product of the Information Systems Audit and Control Association, more commonly known simply as ISACA.
It details principles, practices and analytical tools which can be used to assess IT against a number of different models. In common with many other frameworks, it corresponds closely to other major standards such as the ISO 27000 family or the Information Technology Infrastructure Library, ITIL.
PAS 555 is a Publicly Available Standard created by the British Standards Institute. It is a framework that defines the outcomes of good cyber security practice. This means that it extends beyond the technical aspects of cyber security to look at physical and people security aspects as well.
PCI-DSS is the worldwide Payment Card Industry Data Security Standard, set up to help businesses process card payments securely and reduce card fraud. Many payment card firms had their own security programs, but the PCI-DSS scheme pulled these together into one consistent set of rules. It is a comprehensive set of requirements for the handling of payment card data, whether that be storing, processing or transmitting card information. Although it is not a legally mandated standard, any organization that processes card payment data must comply with it in order to work with other card data firms.
The Open Web Application Security Project, or OWASP, is a not-for-profit organization that aims to promote security and safety in software. It monitors software vulnerabilities and the ways they are exploited in the real world, producing a top 10 list of these every few years. The list shown in the slide is the most recent top ten list. Injection has been at the top of the OWASP list for several years now and refers to all the methods whereby code can be injected into an application by an attacker, to cause the application to function in a non-standard fashion.
Items A4, A8 and A10 were new to the most recent list, with item A5 being an amalgamation of two previously separate entries. This list can be used as a prioritization list for assurance: if you are constrained in resources, and usually you are, you should start with the OWASP list, as it covers the most exploited vulnerabilities. The items on this list should be dealt with first, but dealing only with these gives a false sense of security. OWASP also maintains a top 10 list of vulnerabilities affecting mobile computing platforms.
Paul began his career in digital forensics in 2001, joining the Kent Police Computer Crime Unit. In his time with the unit, he dealt with investigations covering the full range of criminality, from fraud to murder, preparing hundreds of expert witness reports and presenting his evidence at Magistrates, Family and Crown Courts. During his time with Kent, Paul gained an MSc in Forensic Computing and CyberCrime Investigation from University College Dublin.
On leaving Kent Police, Paul worked in the private sector, carrying on his digital forensics work but also expanding into eDiscovery work. He also worked for a company that developed forensic software, carrying out research and development work as well as training other forensic practitioners in web-browser forensics. Prior to joining QA, Paul worked at the Bank of England as a forensic investigator. Whilst with the Bank, Paul was trained in malware analysis, ethical hacking and incident response, and earned qualifications as a Certified Malware Investigator, Certified Security Testing Associate - Ethical Hacker and GIAC Certified Incident Handler. To assist with the team’s malware analysis work, Paul learnt how to program in VB.Net and created a number of utilities to assist with the de-obfuscation and decoding of malware code.