
Commercially-driven independent accreditation: an effective way ahead

Overview

This paper examines why the directors of the Insurefast Company are seeking a public statement of assurance in the security of their service. It shows that this is a burgeoning requirement as business dependency in electronic commerce grows, and that metrics such as the ITSEC and BS7799 are insufficient to provide the necessary assurance. This is because the notion of a 'system' must be extended to include customer and legal factors. The paper concludes with a proposed scheme (AccredIS) which encompasses all these factors.

This paper was written by Dr. David Brewer and Mr. Richard Wilsher and was presented at the Eurosec 97 conference in Paris on 18 March 1997, Copyright © Gamma Secure Systems Limited, 1997 and the Zygma partnership, 1997.

Insurefast

Insurefast is an electronic service to expedite the provision of marine cargo insurance and the processing of claims. Distributors register specific shipments to their customers with Insurefast. Insurefast issues an insurance certificate on behalf of the distributor's insurers and notifies the insurance company. Should the goods not arrive in good order, the customer contacts Insurefast. Insurefast initiates the claims process and notifies the distributor. The distributor is now at liberty to contact the customer to agree alternative shipping or other arrangements to maintain a high level of customer service. In addition, Insurefast can provide statistical, or otherwise sanitised information concerning the marine cargo insurance business as a whole, e.g. the shipping routes least likely to incur an insurance claim for particular classes of goods.

Prior to the introduction of services like Insurefast, distributors would be unlikely to learn that their goods had been lost or damaged in transit until the anniversary of their insurance premium. Moreover, it was also likely that premiums would be increased to the value of the actual claims paid out on their policies.

Business Risk Review

A particular concern of the Insurefast Company, prior to the introduction of their service, was "where, on a scale from zero to 'Fort Knox', should the security of Insurefast sit?". To answer this question we carried out a business review which sought to identify the company's exposure, liability and risk in providing the service. We employed two primary techniques to do this:

  • structured interviews of the company's future customers (e.g. distributors, insurance companies and brokers), principal shareholders, directors, senior management, operations staff, system development and maintenance staff;
  • an audit of the company's relevant management and information security control systems.

A particular conclusion of our review was that the Insurefast Company would be wholly reliant on the successful operation of the service. In financial terms, it was anticipated that in ten years' time there would be over 5,000 corporate customers and profits could exceed GB£20M. Customer dependency on the service would grow as the utility of the more traditional manual systems decreased. Direct financial exposure would also increase with time, requiring additional controls in compliance with the security requirements for the electronic funds transfer systems of Insurefast's bankers.

Secondly, and perhaps more importantly, the directors and the future customers that we interviewed all recognised that the Insurefast service would "empower corporations to manage their businesses more effectively". Using Insurefast, a corporation would have access to precise data concerning the shipments it and its subsidiaries made all over the world, and the likelihood of loss and cost involved. Much of this information would be stored on Insurefast's central servers. Those interviewed were fully aware of the risk that a competitor (who could even be a bona fide user of the service) could hack into the system and gain access to their sensitive corporate information. Moreover, there was also a risk of sensitive data leaking out, e.g. via the sanitisation process. Invariably Insurefast's customers said they:

  • wanted to carry out their own security audit before agreeing to use the service;
  • would sue "for every penny" in the event of any disclosure of sensitive information, for whatever reason.

The Need For A Public Statement of Assurance

Technically, the disclosure problem is not difficult to solve and could be addressed in the first instance through the use of information labels, e.g. by using ITSEC F-B1 technology. The labels would be used to distinguish corporate ownership of the data and whether it was sanitised or not, although the best way to treat spin-offs, acquisitions and mergers has yet to be determined. The need for assurance in the provision of such functionality grows with the number of customers.

Of greater concern, however, are the audit and liability issues. With a potential for over 5,000 customers, there could be an overwhelming number of audits and, if things go wrong, a significant number of law suits. To compound the issue, some customers consider it highly undesirable that their competitors could ever be allowed to conduct an audit as the latter cannot be regarded as being neutral; were they to stumble across sensitive information belonging to another customer, the damage of disclosure will have already been wrought, irrespective of the fidelity of the finder.

To address this problem, the directors of the Insurefast Company are seeking a public statement of assurance in the security of the Insurefast service, but how can this be provided?

A Common Requirement

The Insurefast Company is not alone in this requirement. Indeed, S.W.I.F.T. was undoubtedly the first organisation to understand the problem and do something about it over 20 years ago, through a system of internal, external and specialist security audit reports to its members. Since 1977 S.W.I.F.T. has delivered over four billion messages, with a value currently exceeding US$ 2 trillion a day, and not one message has been lost (according to the 1995 Annual Report). This is an enviable track record which S.W.I.F.T. hopes to equal with future systems such as BOLERO, which aims to dematerialise commercial trade documentation (e.g. bills of lading).

In the domestic context, the Internet has already started to revolutionise the way we shop. With the introduction of SET and electronic cash systems, undoubtedly new trading systems will emerge, particularly those which can use the Internet itself as the delivery mechanism. These too may demand a public statement of assurance in some form. Indeed, at least one organisation has already set out to do this.

A Question Of Trust

With the rise in electronic commerce, the demand for reliable public key cryptography has increased and the issue of key escrow has arisen. This issue has highlighted the need to understand what we really mean by the word "trust" in Trusted Third Parties (TTPs) and Trusted Third Party Services (TTPSs). Accordingly, the UK Department of Trade and Industry (DTI) has commissioned a study to find out the true meaning of trust, prior to recommending legislation in this area. The project seeks to answer two key questions:

  • What are the elements of a Trusted Third Party Service that influence the degree of trust which commercial and public users would place in both the provider of and the operational aspects of the service?
  • What processes would be appropriate to deliver that trust and how would such processes differ according to the type of service and the trust level required?

The project plans to interview over 40 private and public organisations, drawn from the UK and mainland Europe, that are concerned, either now or in the future, with the provision, use, audit or regulation of Trusted Third Party Services.

Preliminary Results

At the time of writing this paper, just over half of the interviews have been conducted and the project team is beginning to get a feeling for the results. Most importantly, the need to take responsibility and liability seriously is paramount for many organisations and possibly even fundamental to the issue of trust. Indeed, one international service provider expressed this succinctly by saying "I will deliver; there are processes in place to assure you that I will, I will pay if I fail and my insurers will pay if I cannot". Key to the demonstration of assurance appears to be the need for a service provider to:

  • demonstrate a deep understanding to the customer of the value of his or her information as perceived by him or her, i.e. "I will treat your information with at least the same regard as you";
  • be open in the way the provider provides trust, e.g. through independent security audit results and publicly available legally binding documentation concerning information security claims;
  • be neutral, i.e. the provider should have no vested interests.

Absolute Trust

A fundamental view is that trustworthiness is a black and white issue. Either a service can be trusted absolutely, or it cannot. Absolute trust is independent of the actual level of security risk involved. This implies that a means to continually evaluate, counter, mitigate and otherwise manage risk needs to be in place.

The concept of absolute trust, of course, is a fundamental principle of business rather than a scientific principle. Specifically, it is the service provider's directors that are responsible (and liable) for the provision of trust in that service. In practice, that responsibility will be delegated to their staff and, in the case of electronic commerce, some aspects may even be delegated to their customers and other service providers as well. For example, in the Insurefast case, certification and registration authority services could be provided by some third party organisation and Insurefast customers would have to take responsibility for the security of their private keys. In delegating (as opposed to abdicating) responsibility, the directors must maintain a supervisory role, and it is our belief that this is a fundamental component of assurance. The collapse of Barings is, of course, a classic example of what can happen if the basic principles of delegation are ignored. In the electronic environment, this supervisory role is facilitated through the usual (but often disregarded) computer accounting and auditing features.

According to one distinguished Fellow of the British Computer Society, the level of supervision is dependent upon the level of trust that can be placed in the individual or organisation to whom responsibility is delegated, and it can only be offset by the acceptance of liability. We can draw two immediate conclusions from these remarks, which we hope to explore further as our study develops:

  • trust is recursive, comprising networked and nested systems of responsibility and liability;
  • in assessing a trusted service, it is perhaps better to start with the directors with the greatest responsibility and liability and work down towards the IT components, rather than the other way round.

Indeed, there are perhaps three levels, or systems, of trust. In descending order these are (1) responsibility and liability (R&L), (2) supervisory and (3) technical.

ITSEC, Common Criteria and BS7799

By design, ITSEC is only relevant to the IT component(s) of a trusted service. ITSEC does require personal, procedural and physical security measures to exist (where these are directly relevant to the secure operation of the evaluated components), but there are no criteria to assess their effectiveness or completeness. It therefore addresses trust at the technical level. Unfortunately, the ITSEC falls down due to the prominence afforded to the E-levels. Given the principle of absolute trust in business, an ITSEC E3 certificate (e.g. for an automated teller machine offered in defence in a 'phantom withdrawal' case) would undoubtedly play directly into the hands of the plaintiff. As a bank has an absolute duty of trust, and E3 is just over half way up the ITSEC scale of E0 - E6, E3 cannot be considered to be in any way 'absolute'. Nevertheless, ITSEC offers a sound, internationally accepted and technically reliable way of establishing that IT security claims are met.

Undoubtedly, the Common Criteria will prove superior. In this case a requirement specification for the IT component in the form of a Protection Profile (PP) can be generated as the end product of a business risk analysis which takes account of the responsibility and liability issues. The PP will group the most appropriate functionality and assurance components together in a single package. Prominence will be given to the PP as something fit to uphold the principle of absolute trust, rather than attracting unwarranted attention to misleading assurance level values.

For many people, BS7799 provides a useful starting position to address the overall security management issues, and in that sense comes significantly closer to meeting the higher level requirements of responsibility and liability. There are problems with BS7799, however. For example:

  • Despite its title, "Information Security Management", BS7799 has a strong IT bias and fails to give adequate consideration to the security requirements for information when it is not held on computer or communications systems;
  • In particular, it does not address the evolution of information systems security over time;
  • BS7799 is really a code of practice, as opposed to a standard per se;
  • There is a common feeling, even amongst the authors of BS7799, that the ten 'key controls' do not constitute a useful baseline.

Several countries, including the Netherlands and the UK, are in the process of establishing accreditation schemes and taking positive action to address the above mentioned shortfalls. Accreditation against the scheme would imply that the directors have a security management system in place and are therefore able to reliably discharge their supervisory duties. As the standard is currently worded, however, accreditation would not necessarily imply that a security management system meets the requirements for responsibility and liability. Nevertheless, since national schemes are likely to follow the Dutch example, in which accreditation can be against a superset of BS7799, this need not present a problem, as additional criteria can be introduced.

AccredIS

The requirement to provide public statements of assurance in the security of services such as Insurefast can usefully draw on standards and schemes such as BS7799, the Common Criteria and ITSEC. However, none of these fully addresses all the requirements for demonstrating trust, particularly those concerning responsibility and liability. Something else is needed, which the authors call AccredIS.

AccredIS is really three things:

  • a means to design an electronic commerce/information service which takes prior account of the responsibility and liability issues before considering the IT issues;
  • a means to select the trust assessment mechanisms best suited to the needs and nature of the information service in question and to craft the 'glue' to bind together these mechanisms;
  • a means to independently audit an organisation to demonstrate that it has the necessary supervisory and technical systems in place to meet its responsibility and liability obligations for the service in question.

The AccredIS process starts with the discovery (e.g. in the case of design, through a market survey) of the market requirements for the service in terms of "responsibility and liability" (R&L). This is very much like the business risk review that we carried out for the Insurefast Company. In simple terms, the design process then continues by identifying those supervisory and technical measures necessary to counter, mitigate or otherwise manage the risks. The audit requirement must be explicitly addressed at this time, in order to generate the necessary records to facilitate auditing at some later date. Particular use is made of BS7799 for identifying the supervisory controls, although these are recast as necessary to ensure traceability back to the requirements for responsibility and liability. The use of BS7799 is important, as our hope will be to use such an AccredIS-extended BS7799 accreditation to produce the required public statement of assurance.

With regard to technical measures, the full extent of ITSEC is not required, as in designing the service from the legal requirements downwards we can afford to be very selective in which assurance components we really need. This is very much akin to the technique developed by Brewer for the security evaluation of electronic funds transfer systems. These techniques actually predate ITSEC, so it is not so much that AccredIS makes use of ITSEC-like concepts, it is rather the other way round. Product manufacturers cannot afford this luxury since they cannot know in advance how their products will be used.

In summary, AccredIS strips out the non-essential elements of BS7799 and ITSEC and adds others to create service-specific criteria, certifiable using the proposed BS7799 accreditation schemes, that address all three levels of trust: R&L, supervisory and technical.

Summary And Conclusions

This paper has examined the nature of trust in the provision of electronic trading and information services. There appear to be three levels of trust: R&L, supervisory and technical, all of which need to be addressed. ITSEC and BS7799, whilst being valuable components of an overall security assessment, are by themselves insufficient to provide the necessary level of accreditation; they need to be combined with some new ingredient called AccredIS. As this new ingredient only makes use of the supervisory and technical criteria necessary to meet the R&L objectives, it ought to be capable of being implemented quickly and without undue expense.