U.S. Federal Law: Article

Information Security Assurance

Why there's no single solution

Information security assurance is a topic that has developed quickly over the last few years. One driver for its rapid development is the growth of computing power at the pace of Moore's Law during the information revolution of the last century. More recent motivation for interest in the topic stems from the Internet revolution, the focus on critical infrastructure related to Homeland Security, the increased emphasis on corporate governance, and the growing awareness of privacy matters as society recognizes the dangers that accompany advances in IT.

No wonder we occasionally see confusion and, more disturbingly, inappropriate use of standards, schemes, and activities in the security assurance arena. Below, I describe the information security ecosystem in a way that should clarify and demystify some of the key factors and the certification frameworks in common use for information security.

Information security is a pervasive concept. It touches every aspect of an organization: its systems, products, components, and even its protocols. We have to consider information security at every point, as an important aspect of our organizations and their departments, systems, applications, people, protocols, algorithms, and equipment.

There is no single solution to the information security assurance problem. In the software engineering world, Fred Brooks wrote, "There is no silver bullet." He asserted that no single software engineering development would produce an order-of-magnitude improvement in programming productivity within a decade. Over the years, this assertion has turned out to be quite true, and I contend the notion is equally true for information security.

There's no silver bullet for information security, so we must approach the problem with a pellet gun. Symptomatic of such an approach is the variety of frameworks and certifications used to provide assurance at different points in the system. This article discusses the frameworks available and commonly used in the U.S. that offer a certification of some kind and are relevant to the commercial sector. There are many other excellent frameworks and schemes apart from those mentioned. Please note that the discussion is general and the specific examples chosen illustrate the information security taxonomy of today.

This "pellet gun" or "piecemeal" approach to information security has the benefit of being very flexible. Existing frameworks can meet the requirements of governments, commercial businesses, and other organizations. However, the approach brings its own risks. One of the major risks is the reliance of each piece on its environment. You might have the strongest, most robust cryptographic algorithm in the universe, but if the staff writes the pass phrase in a text file, it's not secure. You might have an application that has security certifications galore, but if it runs on a system administered by a blackmailing kleptomaniac, it's not secure. You might have a properly accredited system, but if the computer room door isn't locked, or there is no disaster recovery plan, it's not secure. You might have a perfect IT environment, but if the business is run by corrupt people, well, it's just not secure. These scenarios highlight the importance of providing an appropriate environment as a starting point for security.

A quick review of the much-used and often misused term "security assurance" reminds us that security assurance is just that: an assurance, or a level of confidence, that things are as we said they should be. There are no absolutes. There is no such thing as perfect security. All we can offer is an assessment of how likely it is that things will go wrong. We hear over and over again about "the weakest link." The truth is that it's rare to have only one weak link. It's more likely that we have several of them in our "chain." The link that actually fails depends on the particular stresses and use we put on the chain.

To gain any assurance at all, you must trust the person or organization making that assurance. Some important qualities of the assuror are:

  • Independence (the assurance is not influenced by relationships, fears, etc.)
  • Competence (the assuror must be competent to measure what is being assured)
  • Trustworthiness

This is where a third tier of assurance comes in, above the thing being assured and the assuror itself: accreditation of those who make assurances. Accreditation is a way of federating trust. You need only trust one accreditation organization, and you can then call on that organization to tell you who can be relied on to make assurances.

For example, Cryptographic Module Testing laboratories and Common Criteria Testing Laboratories are accredited by NIST's National Voluntary Laboratory Accreditation Program (NVLAP) to provide assurance. For ISMS (Information Security Management System) certification against ISO/IEC 27001:2005 (formerly BS 7799-2), certification bodies are accredited by accreditation organizations such as the U.K. Accreditation Service (UKAS); at the time of writing there is no U.S. accreditation organization for this scheme.

At the highest level, we observe that legislation often governs the environment for information security. This legislation can be at the local, state, or national level. Sometimes political or ethical agreements are made at an international level. (For example, the OECD (Organisation for Economic Co-operation and Development) guidelines for information security resulted from a G8 conference.) These guidelines are the agreed-on principles that permeate the various layers and facilitate consistency.

Figure 1 shows some key U.S. legislation, key drivers for information security, the growth in the number of hosts, and selected key events.

Given that information security is pervasive, it's not surprising that much of the legislation having a substantial effect on information security in the U.S. isn't dedicated to the topic but is embedded in legislation that tackles a wider issue. One example is the Sarbanes-Oxley Act of 2002, whose Section 404 requires management to assess internal controls over financial reporting. That requirement has led to many certification and attestation schemes, including those linked to the financial sector (SAS 70) and more general schemes such as COBIT and BS 7799-2 (now ISO/IEC 27001). Another example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has been phased in over a number of years and currently specifies some fairly detailed information security requirements for the health industry. However, while the standards' requirements are mandatory, no independent certification scheme was identified in the legislation, nor has one developed in the years since its enactment. Several commercial entities offer certification schemes, but without a trusted accreditation scheme, the independence, competence, and even trustworthiness of commercial providers are often in doubt.

In the U.S., legislation and other policy instruments have made certification mandatory for certain products supplied to federal agencies. Examples include DoD Directive 8500.1 and DoD Instruction 8500.2, Presidential Decision Directive 63, and Homeland Security Presidential Directive 12 (HSPD-12).

We also see voluntary regulation in certain industry sectors, where frameworks for security are agreed on, often internationally. An example is the ICAO specifications for machine-readable travel documents, which are being used for passports throughout the world.

More Stories By Fiona Pattinson

Fiona Pattinson joined atsec information security corporation in 2004 as quality manager. She also manages atsec's Cryptographic Module Testing Laboratory, including its successful accreditation. She contributes to atsec's Common Criteria laboratory as a project manager and evaluator for the U.S. scheme. Fiona earned her Master of Science in computing for commerce and industry from the UK's Open University.
