S 2.66 The importance of certification for procurement

Initiation responsibility: Top Management

Implementation responsibility: Purchasing Department

When procuring IT products and IT systems, it must be checked at an early stage whether the mere assurance by the manufacturer, distributor or provider regarding implemented security functions and offered services can be considered as sufficiently trustworthy. Particularly with regard to high or very high protection requirements, the trustworthiness of the products and/or services concerning IT security can only be guaranteed by having these tested and evaluated by independent inspection authorities. On this basis, a certificate can be issued.

Certification of products

The harmonised European "Criteria for the Evaluation of the Security of IT systems (ITSEC)" and the evaluation manual ITSEM have offered a generally accepted basis for these evaluations since 1991 as have the globally agreed "Common Criteria for the Examination and Evaluation of the Security of IT systems" / Common Criteria (CC) since 1998. In Germany, the BSI implements certifications of this kind. In the event that the evaluation results are positive and the conditions of ITSEC and ITSEM or the Common Criteria are fulfilled, a security certificate is issued by BSI as the certificate authority for the assessed product or system.

The certification report states at which test depth each functionality was investigated and what the result of the evaluation was. The test depth ranges from evaluation level E 1 (lowest test depth) to evaluation level E 6 (highest test depth) for the ITSEC and from evaluation assurance level EAL 1 (lowest test depth) to evaluation assurance level EAL 7 (highest test depth) for the CC. Evaluation level E 1 of the ITSEC approximately corresponds to evaluation assurance level EAL 2 of the CC and so on. Additionally, the strength of the security functions is stated, which represents the degree of difficulty in overcoming the security functions. In this respect, the ITSEC and CC differentiate between the mechanism strengths low, medium and high. Indications are also given regarding the general conditions which must be observed when using the product.

In the event that several products with an acceptable price/performance ratio are available when procuring IT products, an existing security certificate can be considered as a positive criterion for selection. Security certificates should be considered in particular if the evaluated scope of functions (mainly) corresponds with the minimum functionality and the security strength corresponds with the protection requirements (see S 4.41 Use of appropriate security products for IT systems). The higher the test depth stated in the certificate, the higher the trustworthiness of the effectiveness and correctness of the product's security functions.
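The selection rule above (evaluated scope must cover the required minimum functionality, mechanism strength must meet the protection requirement, then prefer the deeper evaluation) as an added illustration in Python; this is not BSI code, and the ITSEC-to-CC correspondence is assumed to continue as E 1 ~ EAL 2, E 2 ~ EAL 3, ... E 6 ~ EAL 7, with product names and certificate data constructed for the example:

```python
"""Procurement helper: compare security certificates of candidate products.

Added illustration, not BSI code. Assumes the ITSEC -> CC mapping
E n ~ EAL n+1 (E 1 ~ EAL 2 ... E 6 ~ EAL 7) and constructed sample data.
"""
from dataclasses import dataclass

# Mechanism strengths as used by ITSEC and CC, ordered for comparison.
STRENGTH_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Certificate:
    product: str
    scheme: str           # "ITSEC" or "CC"
    level: str            # e.g. "E3" (ITSEC) or "EAL4" (CC)
    strength: str         # "low" | "medium" | "high"
    evaluated: frozenset  # security functions covered by the evaluation


def assurance_level(scheme: str, level: str) -> int:
    """Normalise a stated test depth to a CC EAL number for comparison."""
    n = int("".join(ch for ch in level if ch.isdigit()))
    if scheme.upper() == "ITSEC" and 1 <= n <= 6:
        return n + 1          # assumed correspondence E n ~ EAL n+1
    if scheme.upper() == "CC" and 1 <= n <= 7:
        return n
    raise ValueError(f"unsupported scheme/level: {scheme} {level}")


def meets_requirements(cert: Certificate, required_functions, required_strength: str) -> bool:
    """Scope must cover the minimum functionality and strength must match the need."""
    scope_ok = set(required_functions) <= cert.evaluated
    strength_ok = STRENGTH_RANK[cert.strength] >= STRENGTH_RANK[required_strength]
    return scope_ok and strength_ok


def rank_candidates(certs, required_functions, required_strength: str) -> list:
    """Acceptable products, most trustworthy (deepest evaluation) first."""
    ok = [c for c in certs if meets_requirements(c, required_functions, required_strength)]
    ok.sort(key=lambda c: assurance_level(c.scheme, c.level), reverse=True)
    return [c.product for c in ok]


# Constructed sample certificates (hypothetical products, not real evaluations).
SAMPLE = (
    Certificate("Firewall A", "CC", "EAL4", "high", frozenset({"packet filter", "audit", "admin auth"})),
    Certificate("Firewall B", "ITSEC", "E3", "medium", frozenset({"packet filter", "audit", "admin auth"})),
    Certificate("Firewall C", "CC", "EAL5", "high", frozenset({"packet filter"})),  # scope too narrow
)
REQUIRED = {"packet filter", "audit"}

if __name__ == "__main__":
    print(rank_candidates(SAMPLE, REQUIRED, "medium"))
```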

Certification of management systems

Before purchasing external services, it should be checked whether the service provider has a certified security management system. When working together with external service providers, a lot of internal information requiring protection is transferred to them in most cases. The service providers must protect this information according to its protection requirements. It is thus recommended to rely on service providers whose information security management system is certified according to ISO 27001 based on IT-Grundschutz. For services which need to be highly available, it can make sense to rely on service providers whose business continuity management is certified according to ISO 22301.

Certification of persons

If IT services or security services such as consulting services to improve a security management system are to be contracted, consideration should be given to relying on persons certified accordingly in this context.

There are many certificates with which persons can prove their qualifications in certain areas. In this respect, various personal certifications which are aimed particularly at the area of information security and/or data protection are available. These include for example:

These certificates enjoy a relatively high level of acceptance, as clearly defined, practical and documented expertise and qualifications must be proven before such certificates are granted. Prior to certification, the required knowledge must be acquired through training and professional experience. In addition, holders of the certificates must also prove that they undergo advanced training in their specialist area at regular intervals in order to maintain the certificate.

Certification of service providers

For specific types of services, there are also certificates with which service providers can prove the quality and comparability of their work results. The BSI issues certificates, for example, for IS audits, IS consulting services and penetration tests. If services of this kind are purchased, it is recommended to rely on service providers who are certified accordingly.

Summaries

The certificate authorities regularly issue summaries of which products hold a certificate. A summary of the IT products, IT systems, information security management systems, IS auditors, IS consultants and penetration testers certified by the BSI can be obtained from the BSI web site. The BSI also publishes recently issued certificates in KES, a magazine for information security. This information can also be obtained from the BSI web site.

Review questions: