CMMI Case Study
Written By: Subrata Guha
DQS has conducted an integrated assessment combining ISO 9001, ISO 20000-1, ISO 27001, CMMI-DEV and CMMI-SVC. This case study explains the approach used and benefits derived from this method. All data used in this document are indicative. Actual data could not be shared to protect the confidentiality of the customer.
Guiding Standards for Cybersecurity
What is cybersecurity?
Cybersecurity has become a buzzword in the industry over the last couple of years. How is it different from Information Security? Cybersecurity means ensuring the security of three critical elements, i.e. (1) security of critical infrastructure, (2) data protection and (3) privacy protection.
Information security is mostly focused on data protection. The most popular standard used for this purpose is ISO IEC 27001. It does address some aspects of infrastructure security and privacy, but not to the extent that other cybersecurity standards cover infrastructure security.
The main guiding standards for Cybersecurity are:
- NIST cybersecurity framework
- ISO IEC 27032 – Guideline for Cybersecurity, to be used along with ISO 27001 standard.
- General Data Protection Regulation (GDPR) – new privacy regulation from the EU, to take effect in May 2018.
The basic requirement for implementing the Cybersecurity Framework is to conduct a risk assessment using the NIST Risk Management Framework (RMF) and to implement controls from the applicable NIST SP 800 series publications.
Why NIST standards?
- All Federal Government and Defense organizations use NIST standards for their Information Security.
- All Federal and Defense contractors handling (storing, processing and transmitting) information falling under the Controlled Unclassified Information (CUI) category must comply with NIST SP 800-171 before the end of 2017.
What is Controlled Unclassified Information (CUI)?
CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act (National Archives).
A CUI Registry, published by the National Archives, provides categories and subcategories by industry segment. Some examples of CUI for technology contractors (under the Controlled Technical Information category) are contract data, requirement specifications, design specifications, and project plans related to Government projects that are stored on the contractor's computer systems.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation will replace the EU Data Protection Directive and will be effective starting on May 25, 2018. This reflects the European Commission's aim of unifying data protection laws across the union through a single regulation, the GDPR.
The protection of personal and organizational data is always crucial in a constantly growing cross border market environment. The General Data Protection Regulation requires safeguards and measures for protecting personal data, ensuring safe data processing, and managing notifications of potential breaches.
The GDPR applies to organizations collecting, processing, and storing the personal data of EU or EEA citizens. This regulation also applies to:
- Organizations with a physical presence in at least one member state of the European Union.
- Organizations located outside the EU, if they offer services to, monitor, or process the data of data subjects who are in the European Union, even if the company is not located in the European Union.
Overlap with ISO 27001:
ISO/IEC 27001, NIST standards, and GDPR share a core commitment to protect sensitive information from unauthorized access, i.e. to store, process, and transmit sensitive information securely.
ISO 27001 is a generic standard: it defines the objectives and intent of the security controls and allows organizations to select appropriate controls from Annex A and/or from any other standard. Both ISO and NIST require a security risk assessment, but ISO does not prescribe a method for conducting it. The NIST RMF can be a useful supplement for that purpose.
ISO 27001 provides an Information Security Management System Framework, which helps an organization to sustain and continuously improve its security posture.
The diagram below shows how ISO 27001 can be used as an overarching framework.
Trainings: DQS can offer awareness trainings on the following subjects:
- GDPR requirements
- Risk Management Framework (RMF)
- NIST SP 800-53 requirements
- NIST SP 800-171
Conformity assessment: Why is an Independent Conformity Assessment Required?
NIST standards were developed for government organizations to secure their information systems. GDPR is for ensuring the privacy of personal information. Neither is intended for third-party certification (as ISO standards are), and there is no certification scheme available for NIST standards or GDPR. The application of NIST standards has now been extended beyond government agencies: contractors are now required to comply with NIST SP 800-171 by a target deadline, and very often the government also requires contractors to comply with NIST SP 800-53.
How can an organization show evidence of compliance with GDPR or NIST standards? A conformance assessment report from an independent organization is the only option.
How to achieve conformity?
Option 1: ISO 27001 Registration:
There is considerable overlap between the controls in NIST SP 800-171, NIST SP 800-53 or GDPR and the controls in Annex A of ISO 27001. Additional controls from the NIST standard or GDPR can be added to the Statement of Applicability (SOA) for the ISO 27001 registration audit. The registration scope statement will mention that the SOA includes controls from the NIST standard.
You can request a quote for registration here.
Option 2: Conformity Assessment:
If an organization does not wish to pursue ISO 27001 registration, DQS can conduct an independent conformity assessment against the NIST standard and GDPR. After a successful assessment, DQS will issue a "Letter of Conformance" (LOC) and a detailed assessment report as evidence of conformance to the applicable NIST standard or GDPR. The assessment report and LOC will be valid for one year; reassessment will be required for continued evidence of conformance. Please contact us for more information.
ISO 27001:2013 Highlights of Change to the New Revision
ISO released a new version of its information security management standard, ISO IEC 27001, in September 2013. The supporting guideline, ISO IEC 27002, has also been updated. All organizations already certified under ISO IEC 27001:2005 have to transition to the new version by October 2015.
The effective use of these standards can help companies achieve best practices in information security, avoid re-inventing security controls, optimize the use of scarce resources, and reduce major security risks such as loss of proprietary information, hacking of the network, spread of malware, data compromise and failures of service providers to understand and meet customer requirements.
Thousands of companies have adopted ISO/IEC 27001 and 27002 as their standards for information security programs and controls. Together, they are the de facto standards and provide the requirements and code of practice for security requirements. ISO IEC 27001 also enables organizations to achieve regulatory compliance with FISMA, HIPAA and GLBA. They provide a baseline for initiating, implementing, maintaining and improving an information security management system in an organization of any size.
The scope of security risk has been increased to include enterprise risk assessment. This will enable organizations to use the standard for their Governance, Risk and Compliance (GRC) program, a major change in the right direction. The new version has also greatly simplified documentation requirements by replacing the term "documented procedure" with "documented information".
The new standard has also simplified the list of controls in Annexure A by reducing the number of controls from 133 to 114. However, the scope of application of the controls has expanded significantly.
Some of the major changes in the controls are:
- Inclusion of system engineering and project management: new controls added to address information security in project management (A.6.1.5), secure development policy (A.14.2.1) and secure system engineering principles (A.14.2.5)
- Mobile device policy (A.6.2.1): this addresses the increasing use of mobile devices in information processing and the use of personal devices to access organizational information assets.
- System security testing (A.14.2.8): information processing systems should be tested for compliance with security requirements. This testing is in addition to the regular system acceptance test conducted after system changes.
Many of the changes will better align security objectives with business goals, and that alignment will help everyone across the organization to better appreciate the importance of information security to the company's sustainability, viability and reputation.
Interested in… Discussing the establishment of security controls in your organization? Developing testing protocol to ensure a self-sustaining system? A one-day security system review? Considering ISO 27001:2013 certification?
Please contact your local UL DQS Inc. Sales Executive:
Ernie Cumming – WA, OR, ID, MT, WY, UT, CO, AL, HI, Northern CA
Paul Mullenhoff – NV, AZ, Southern CA
Steve Pinter – ND, SD, NE, KS, MO, IA, MN, WI, IL
Randy Spivey – NM, TX, OK, AR, LA
Scott Adams – MI, IN, OH, KY, TN, WV
Morgan Blue – MS, AL, GA, SC, NC, VA, DC, PR, Caribbean Islands
Larry Dorf – FL
Jeff Spizuco – NY, VT, NH, ME, RI, MA, PA, NJ, DE, MD, CT
New ISO IEC 20000-1: Alignment with ISO 27001
"We need ISO 20000 and ISO 27001, which one should we get first?" – I hear this question very often these days. This is a very intriguing question. In my opinion, these two standards are closely linked and should be implemented as a single management system. The new release of ISO 20000-1 has made this process easier than ever before. The management system requirements common to both standards include:
- Management responsibility
- Document management
- Resource management
- Management reviews
- Internal audit
- Continuous improvement
Once an organization addresses the requirements listed above, it will have laid the foundation for both ISO 20000-1 and ISO 27001. Now let's look at section 6.6 (Information Security Management) of ISO 20000-1. The key elements of this section are:
- Information security policy
- Risk management
- Information security controls
- Security incident management
Requirements for the security policy and incident management are defined in ISO 20000-1; however, no details are provided on risk management and security controls. Let's discuss the critical elements of risk assessment:
- Methodology for risk assessment
- Risk analysis
- Evaluation of risks
- Risk treatment options
- Calculation of residual risks
Section 4.2.1 of ISO 27001 provides these details. Where will you find the security controls? You can define your own controls or refer to a security standard. The best available source I have found is Annexure A of ISO 27001. With a list of 133 security controls, there is no need to reinvent the wheel. Organizations can easily identify the controls applicable to their business and integrate them into their service management system.
Now you see why I think these two standards should be implemented together. Having said that, I'd like to clarify one point: it is not a prerequisite to implement them together. I have worked with many organizations that have successfully implemented ISO 20000-1 without referring to ISO 27001. However, I recommend the integrated approach, which establishes an effective IT Service Management system with the robust backbone of an Information Security Management system.