[ISM3 Users] Tuesday Insight - Blast from the Past - Paradox of choice & SOA cheats

Vicente Aceituno vac at zenobia.es
Tue Aug 14 13:31:40 CEST 2007


**** Paradox of choice & SOA cheats **** originally posted Sun Dec 3,
2006 8:25 am ***
Dear All,

Accreditation of ISMS using ISO27001 gives you degrees of freedom. One
is your Risk Assessment method, another your Scope, expressed in the
statement of applicability, and you can choose to leave some controls
out as well, if you can explain why they don't apply to you.

Choice is generally speaking good. But for accreditation, this brings
a reputation issue. The reputation of a certificate holder is as good
as the market perception of the performance of the worst of all
certificate holders. This happened to ISO9000 in India.

Education certifications and diplomas, for example, carry more
reputation the LESS choice you have in your studies, not the more
choice you have. Doctors can't choose not to take Anatomy, but Arts
can mean nearly anything (depending on what country you are based in).

The existence and significance of the statement of applicability is
well beyond anyone who is not a specialist. This means it is possible
to choose a very small SOA, totally unrelated to your critical systems
for the sake of getting accredited, regardless of your real
information security posture. This is bad for certificate holders that
choose real SOAs, as their competition can get the same reputation for
a far smaller investment.

With ISO27001, it is possible that a bakery shop and an aerospace
company get ISO27001 certified. I think that is BAD, as the effort,
resources and quality of implementation can be quite different.

If I ran a big company I wouldn't especially like to spend a lot of
time, effort and resources to get a certificate that just anyone can
have, doing far less.

As ISO27001 can take a lot of resources, not many small companies have
certified, which has prevented this issue from surfacing so far. (Not
that they are few in total numbers, but that they are few in comparison
with how many small companies there are.)

Another side effect of choice (SOA et al) is that a big financial
company with several sites gets as easily certified as a small
technology company with only one site. Again, I think this is BAD, as
simple technology infrastructure should be simpler to secure than a
complex one. With ISM3, it will be more difficult for complex
companies to become Level 5 certified than for simpler and more
technology focused companies.

For all these reasons ISM3 v2.0 will give as little choice as possible
for certification. It will be possible to choose a maturity level, but
not to choose what processes to implement within that level.

This will bring the highest value for certificate holders, as
certificates will have as real a meaning as possible.

I would like to hear ideas from you about objective criteria to
prevent "fake" SOAs, so all critical company systems fall within ISMS
protection.

**************************
Vijay said:
Hi Vicente

It might actually be helpful to look at what the ISO 27001 certificate
is all about.  Does it indicate that a company is "secure", or has an
"appropriate security posture", or does it have a process to "identify
and treat risks, and improve its security management processes over a
period of time."  The basis for the standard, according to me, is the
final one.  As a discerning customer of this company, my reaction to
the ISO 27001 certification is that there is a process that this
company follows to manage information security, but that it still has
work to do for information security compliance on an ongoing basis,
and I will never take it as an absolute assurance level.  Similar to
the ISO 9000 case, it is a process quality standard and not the end
product standard.

The SOA cannot be cheated upon if it has a direct linkage between the
information assets classification and risk management exercise the
company carried out, and therefore, it is the responsibility of the
certification authority to provide enough due diligence for
ascertaining the assumptions and validity thereof of the company's
risk assessment processes, on the basis of which the SOA is required
to be built.

Regards
Vijay

*****************
Vicente answered:

> It might actually be helpful to look at what the ISO
> 27001 certificate is all about. security posture",
> or does it have a process to "identify and treat
> risks, and improve its security management
> processes over a period of time."
I agree with you 100%, this is the intention of the standard. I am not
saying the intention of ISMS certification is other, I say it is used
for that intended use among others. For example, managers of a Soviet
factory were paid bonuses for how many kilograms of vases they produced,
with the intention of fostering making many vases. They got very heavy
vases made instead.

What I am talking about is not "ISO27001 is about reputation"; I am
talking about "Some companies use ISMS certification for the reputation
it brings".

> assurance level. Similar to the ISO 9000 case, it
> is a process quality standard and not the end
> product standard.
I know (quoting Han Solo) :)

> The SOA cannot be cheated upon if it has a direct
> linkage between the information assets
> classification and risk management exercise the
> company carried out
I know of cheat SOAs, I don't know if they are widespread, that is the
reason I ask the list for ideas to prevent that, poor risk assessment
methods and excessive choice for designing accredited ISMS. It is not
an ISO27001-specific or ISM3-specific issue; it is an ISMS
certification issue.

> it is the
> responsibility of the certification authority to
> provide enough due diligence for ascertaining the
> assumptions and validity thereof of the company's
> risk assessment processes, on the basis of which the
> SOA is required to be built.
I can't see how the certification authority can have any
responsibility. If you are an ISMS Auditor, you can't say "Your risk
assessment method stinks", because you don't have *any* criteria to
accept or reject a risk assessment method.

You say "The SOA cannot be cheated upon IF (my capitals) it has a
direct linkage between the information assets classification and risk
management". As you don't have criteria to reject a risk assessment
method, you can't guarantee that direct linkage.

Thanks a lot

Vicente

***************************
Anthony B.Nelson said:
There are only two reasons to implement an ISMS:

1. To prove to my organization that I have implemented a security
management system that is going to protect the organization.

2. To prove to outsiders that my organization has a security
management system that will protect third party information.

If #1 is the case, I can certify or not. I can probably set up
internal auditing and satisfy management that the system is in place
and running to the satisfaction of management without certification.
Management is not likely to be fooled by a fake SOA.

If the situation is #2 then the client is relying on the
certification, he usually does not trust my internal audits, so he
wants a trusted third party. Any perceived degradation of the value of
the certification hurts everybody. If I go to an engineer in our
engineering subsidiary and ask about ISO 9000 the response is "that is
just paper, you have to trust the manufacturer." While ISO 9000 has
value it has been degraded and now only has value for "trusted"
manufacturers. And it is not just China, I can point to North American
manufacturers who have lost the "trust" associated with their ISO 9000
certification. The way that SOA works for 27001 is opening it up to
the same degradation.

A. B. Nelson

*****************
Cosming said:

Your explanation of the problem with ISO 27001 seems faulty. The idea
behind certification is not to have a piece of paper that you can wave
in front of people. The idea is to get companies to think about
security in a formal manner and to attempt to use proven methods to
improve their security. Ultimately all decision makers have to answer
to someone and explaining why one left critical processes out after a
compromise will not be pleasant. The certification process is supposed
to be about having an outside party double check that you did all the
right things and not about bragging rights. Therefore it doesn't
matter how big your company is and how hard it was to secure it. The
important part is that for the first time companies small and large
are starting to pay attention to security and that's a good thing.
Allowing for some flexibility in the process will only reduce the
barrier to entry. After all in the security business there is no "one
size fits all" solution.

Regards,

Cosmin Stejerean

******************
Vicente answered:

> Your explanation of the problem with ISO 27001 seems
> faulty.
To say that it is faulty is like saying that there is a "correct"
explanation and an "incorrect" one. My explanation is neither "the
truth" nor "correct". It is just my point of view.

> The idea
> behind certification is not to have a piece of paper
> that you can wave
> in front of people.
Your point of view is that it is not a question of reputation, but for
some companies it is. The same thing can be said about professional
certifications. Some people are not particularly interested in
learning what it takes to become a CISA, for example. They just want
others to think they are certified, and therefore competent and
knowledgeable.

> The idea is to get companies to
> think about
> security in a formal manner and to attempt to use
> proven methods to
> improve their security.
Perhaps those who designed ISO27001 had that in mind, but intentions
are one thing, reality another. Certification is good to show
compliance, for reputation, and for building trust relationships. For
example I might prefer to work with an Indian BPO that is ISO27001
certified rather than another that isn't.

Now my point of view is that the more degrees of freedom are provided
for creating accreditable ISMS, the less comparable they become. You
might say that a Macintosh apple (the fruit), a Starking apple and a
rotten apple are all certified "APPLE". But they are not the same
thing, and this is sometimes relevant.

> Ultimately all decisions
> makers have to answer
> to someone and explaining why one left critical
> processes out after a
> compromise will not be pleasant.
A scenario where a decision maker is questioned harder on why a
process is not certified instead of why it wasn't protected is
difficult to envision for me. Not to be certified is compatible with
being or not being adequately protected.

> The certification
> process is supposed
> to be about having an outside party double check
> that you did all the
> right things and not about bragging rights.
Your point of view is that it is not, my point of view is that
certification is in part about gaining reputation and establishing
trust relationships based on that reputation.

> The
> important part is that for the first time companies
> small and large
> are starting to pay attention to security and that's
> a good thing.
I agree implementing an accreditable ISMS is a driver for better
security practices. I have never said otherwise.

> Allowing for some flexibility in the process will
> only reduce the
> barrier to entry. After all in the security business
> there is no "one
> size fits all" solution.
Flexibility is both an advantage and a trap. It is easier to become
certified, but the meaning of certification becomes diluted lowering
the value of the certification for all certificate holders.

ISM3 flexibility comes from using maturity levels and letting you
express your business objectives and security targets, building your
ISMS around those. More flexibility than that, like allowing ISMS with
different implemented processes to become Level 5 certified, would
lower the reputation of a Level 5 certificate.

Thanks a lot

Vicente

