Under the French Military Programming Act (MPL), certification is a mandatory procedure that applies to Vitally Important Operators (VOI). It helps to manage the issues and security levels for all Vitally Important Information Systems (VIIS)

Certification is a core issue to the MPL compliance strategy, because it provides a concrete and operational means of breaking down the MPL’s requirements while reducing security risks.

ANSSI—The French National Cybersecurity Agency—has produced a guide that describes the key steps in certification. These steps are:

• Defining a certification strategy (a scoping document describing how to achieve certification)
• Performing a risk analysis on a VIIS
• Conducting a certification audit
• The certification decision
• Post-certification monitoring

The approval decision must be made by the Certification Authority (CA), which is the legal entity responsible for certifying VIIS. It is assisted by the Certification Commission, an internal group of experts responsible for doing the preparatory work for the certification decision.

The information required to make the decision is compiled in the certification file. This allows the Certification Commission to attest to the level of security and accept the residual risks. Ultimately then, it is the Certification Commission that attests to the fact that the risks are being properly managed.

An approach to quickly assess existing VIIS

Retro-certification: how to certify VIIS already in production

For existing VIIS, the certification model is different, although the objectives remain the same. An assessment of existing VIIS is the starting point for certification, and performing a dry-run audit (or using a previous audit report) serves to speed up the gathering of information and the identification of risks.

Conversely, the security measures have to be applied to a history that can be challenging to transpose. Compensatory measures therefore have to be identified, prioritized, and implemented.

This retrospective certification, or retro-certification, must enable the business to consider the risks in an exhaustive fashion, and prioritize the actions, in order to reduce them to an acceptable level by making the necessary investments.

While it’s important to design the certification process such that it has the capacity to process future VIIS, it is mostly for existing VIIS that VOI are actually busy with, and retro-certification is, therefore, a priority.

Adopting a test & learn approach

In order to define and deploy a certification procedure within the framework of the MPL, VOI can define an initial pilot stage to test and refine the process before using it—at full scale—on a VIIS.

The objective of this pilot phase is to compare the methodology and the reality on the field, with the aim of validating the approach and the steps defined (procedures, people who need to be involved, etc.). Taking such approach highlights areas of difficulty (related to IS administration, partitioning, patch management, etc.), and enables a concrete and achievable remediation plan to be put together.

The choice of pilot VIIS is essential in anticipating the problems that will be encountered. It makes sense to choose a pilot VIIS that is representative of all the other VIIS (typical size, limited interactions, etc.).

Demonstrating the security level generated by the MPL

Among the various work streams and projects triggered by the MPL, it’s the certification program that enables security to be strengthened effectively. This can be achieved not just by highlighting security at high level both internally (with senior management and those with accountability for certification) and externally (with ANSSI and the government), but also by quantifying the degree of risk reduction required (through risk analysis) and achieved (through audit).

Achieving certification enables actual risks to be communicated, and the players involved to be made responsible and aware (particularly senior management—as a result of interactions with those accountable for certification).

All the activities undertaken for MPL compliance are compiled in a certification file, which gives them a practical reality. This includes observations about security, obstacles encountered, and an overview of the complexity involved in compliance.

The certification file must be made available to ANSSI. The file represents a showcase for ANSSI with respect to the VOI’s compliance with the MPL—and it pays not to cut corners! The VOI must demonstrate the gains made in security and the clear validation of the theoretical responses to compliance.

Maintaining a high level of security over time

Creating a certification mindset

Certification doesn’t end when the certification decision has been made and the system put into production. This only marks the start of the risk-management process. It’s then a question of maintaining momentum, increasing visibility, and ensuring the ongoing management of security. Certification must be renewed at least every three years, or during periods of major change to the VIIS, something that forces a reconsideration of whether the VIIS is actually secure in the way described in the risk analysis.

Therefore, for an existing VIIS, a process needs to be set up to monitor and identify security-related changes to it. This must be carried out in the context of an organizational structure, for example with a named person holding the responsibility to identify and assess any changes. This person, can, in particular, establish a list of key events, for example: changes to the level of exposure of the VIIS, the arrival of new Service Providers, functional developments in the VIIS, or modifications to infrastructure or operational management); these will provide a basis for assessing any requirements for the system to be overhauled.

The establishment of a certification governance committee ensures a degree of momentum in the certification process. Updating the methodology for integrating security into projects enables new projects to be taken into account, risk management to be applied from the beginning, and advance preparation for VIIS compliance.

Providing a clear and understandable framework for application owners

Application owners are key players in maintaining security and certification over time. This is not just because they have a good overview of their VIIS, but also because they are aware of developments to it. If their attitude is one of fear of the MPL, this can lead to a poor approach to security. Conversely, a good understanding of MPL issues, certification, and continuous improvement, can enhance VIIS security.

Special attention should be paid to supporting application owners, and raising their awareness about security in general, and the certification process in particular. To achieve a win-win approach, and improve security over time, you must bring application owners together and get their buy-in.

Security certification: an approach that enhances risk management over time

Beyond essential regulatory requirements, the MPL has to be seen as a catalyst that can enhance risk management within a VOI: from operational level, through application owners, right up to the senior management.

After taking the first step of overhauling and implementing risk-reduction measures on an existing VIIS, certification ensures that levels of security are maintained right across it. Given this, it’s vital that the players involved remain engaged over time to ensure that the initial momentum is maintained.

Cet article Security certification: the key to complying with the french military programming Law (MPL) est apparu en premier sur RiskInsight.

 CISA®, culture IT par excellence

Le CISA® est un recueil des meilleures pratiques en matière de Gouvernance, Management et Suivi des risques IT. Il couvre tous les domaines de l’Audit des Systèmes d’Information, des plus techniques aux plus organisationnels :

– Processus d’audit des systèmes informatiques,

– Gouvernance des SI,

– Gestion du cycle de vie et de l’infrastructure des systèmes,

– Fourniture et support des services,

– Protection des avoirs informatiques,

– Plan de continuité et de secours informatique.

Ce n’est bien sûr pas la seule certification existante – mais ce label représente depuis 1978 un certificat de référence dans le monde anglo-saxon, qui en fait un critère de recrutement et de promotion pour tous les professionnels chargés de veiller à ce que les technologies et systèmes de l’entreprise soient convenablement contrôlés, suivis et évalués : auditeurs, directeurs sécurité, directeurs informatiques, directeurs des risques, consultants informatiques, etc.

Quel développement en France ?

Posséder ce certificat offre une reconnaissance à l’international – mais alors que l’on compte plus de 35000 professionnels CISA® dans le monde, seuls 300 d’entre eux seraient français, d’après le site web de l’AFAI (Association Française d’Audit et de Conseil Informatiques). Alors, pourquoi ce certificat n’est-il pas plus diffusé en France ?

Cet article Certifications : CISA, la caverne d’Ali Baba des auditeurs et consultants informatiques ? est apparu en premier sur RiskInsight.