Security certification, taking a risk-bases approach to ISS
Under the French Military Programming Act (MPL), certification is a mandatory procedure that applies to Vitally Important Operators (VOI). It helps to manage the issues and security levels for all Vitally Important Information Systems (VIIS)
Certification is a core issue to the MPL compliance strategy, because it provides a concrete and operational means of breaking down the MPL’s requirements while reducing security risks.
ANSSI—The French National Cybersecurity Agency—has produced a guide that describes the key steps in certification. These steps are:
- Defining a certification strategy (a scoping document describing how to achieve certification)
- Performing a risk analysis on a VIIS
- Conducting a certification audit
- The certification decision
- Post-certification monitoring
The approval decision must be made by the Certification Authority (CA), which is the legal entity responsible for certifying VIIS. It is assisted by the Certification Commission, an internal group of experts responsible for doing the preparatory work for the certification decision.
The information required to make the decision is compiled in the certification file. This allows the Certification Commission to attest to the level of security and accept the residual risks. Ultimately then, it is the Certification Commission that attests to the fact that the risks are being properly managed.
An approach to quickly assess existing VIIS
Retro-certification: how to certify VIIS already in production
For existing VIIS, the certification model is different, although the objectives remain the same. An assessment of existing VIIS is the starting point for certification, and performing a dry-run audit (or using a previous audit report) serves to speed up the gathering of information and the identification of risks.
Conversely, the security measures have to be applied to a history that can be challenging to transpose. Compensatory measures therefore have to be identified, prioritized, and implemented.
This retrospective certification, or retro-certification, must enable the business to consider the risks in an exhaustive fashion, and prioritize the actions, in order to reduce them to an acceptable level by making the necessary investments.
While it’s important to design the certification process such that it has the capacity to process future VIIS, it is mostly for existing VIIS that VOI are actually busy with, and retro-certification is, therefore, a priority.
Adopting a test & learn approach
In order to define and deploy a certification procedure within the framework of the MPL, VOI can define an initial pilot stage to test and refine the process before using it—at full scale—on a VIIS.
The objective of this pilot phase is to compare the methodology and the reality on the field, with the aim of validating the approach and the steps defined (procedures, people who need to be involved, etc.). Taking such approach highlights areas of difficulty (related to IS administration, partitioning, patch management, etc.), and enables a concrete and achievable remediation plan to be put together.
The choice of pilot VIIS is essential in anticipating the problems that will be encountered. It makes sense to choose a pilot VIIS that is representative of all the other VIIS (typical size, limited interactions, etc.).
Demonstrating the security level generated by the MPL
Among the various work streams and projects triggered by the MPL, it’s the certification program that enables security to be strengthened effectively. This can be achieved not just by highlighting security at high level both internally (with senior management and those with accountability for certification) and externally (with ANSSI and the government), but also by quantifying the degree of risk reduction required (through risk analysis) and achieved (through audit).
Achieving certification enables actual risks to be communicated, and the players involved to be made responsible and aware (particularly senior management—as a result of interactions with those accountable for certification).
All the activities undertaken for MPL compliance are compiled in a certification file, which gives them a practical reality. This includes observations about security, obstacles encountered, and an overview of the complexity involved in compliance.
The certification file must be made available to ANSSI. The file represents a showcase for ANSSI with respect to the VOI’s compliance with the MPL—and it pays not to cut corners! The VOI must demonstrate the gains made in security and the clear validation of the theoretical responses to compliance.
Maintaining a high level of security over time
Creating a certification mindset
Certification doesn’t end when the certification decision has been made and the system put into production. This only marks the start of the risk-management process. It’s then a question of maintaining momentum, increasing visibility, and ensuring the ongoing management of security. Certification must be renewed at least every three years, or during periods of major change to the VIIS, something that forces a reconsideration of whether the VIIS is actually secure in the way described in the risk analysis.
Therefore, for an existing VIIS, a process needs to be set up to monitor and identify security-related changes to it. This must be carried out in the context of an organizational structure, for example with a named person holding the responsibility to identify and assess any changes. This person, can, in particular, establish a list of key events, for example: changes to the level of exposure of the VIIS, the arrival of new Service Providers, functional developments in the VIIS, or modifications to infrastructure or operational management); these will provide a basis for assessing any requirements for the system to be overhauled.
The establishment of a certification governance committee ensures a degree of momentum in the certification process. Updating the methodology for integrating security into projects enables new projects to be taken into account, risk management to be applied from the beginning, and advance preparation for VIIS compliance.
Providing a clear and understandable framework for application owners
Application owners are key players in maintaining security and certification over time. This is not just because they have a good overview of their VIIS, but also because they are aware of developments to it. If their attitude is one of fear of the MPL, this can lead to a poor approach to security. Conversely, a good understanding of MPL issues, certification, and continuous improvement, can enhance VIIS security.
Special attention should be paid to supporting application owners, and raising their awareness about security in general, and the certification process in particular. To achieve a win-win approach, and improve security over time, you must bring application owners together and get their buy-in.
Security certification: an approach that enhances risk management over time
Beyond essential regulatory requirements, the MPL has to be seen as a catalyst that can enhance risk management within a VOI: from operational level, through application owners, right up to the senior management.
After taking the first step of overhauling and implementing risk-reduction measures on an existing VIIS, certification ensures that levels of security are maintained right across it. Given this, it’s vital that the players involved remain engaged over time to ensure that the initial momentum is maintained.