Security Certification and Accreditation Programs Help Build Secure Applications

Two years ago, Bruce Bonsall decided to build an addition to his house. Plans in hand, Bonsall’s first stop was his town’s building authority to begin the permitting process. Along the way, Bonsall, the CISO for MassMutual Financial Group, got to thinking: What if there were a building permit process for IT projects?

At the time, Bonsall recalls, “Too many projects were making it almost to production without adequate security consideration.” On more than one occasion, tipped off by the auditing department that a new system did not adhere to security policies, Bonsall had the unappealing task of sending it back for more worksuch as building in a connection to the enterprise electronic authentication systembefore the application could be deployed. Needless to say, these situations left everyone unhappy.

“I wanted to create a process that adds value and gets [security] involved up front, rather than stall the project at the 11th hour,” he says. Extending the building permit analogy to IT projects suddenly seemed like the ticket. “Before you start [a building project], the building inspectors want to see your plans, they want to ask you some questions about your project. As you go along, you have some inspections. When you’re done, they sign off that everything was done properly and you get a certificate of occupancy. Most people are familiar with the process,” says Bonsall.

Bonsall had stumbled upon a concept that got its start in the Department of Defense roughly 15 years ago. Goaded by late ’80s risk legislation, the federal government requires its IT projects to go through a

formal security certification and accreditation (SC&A) processknown by the unwieldy acronym Ditscap (see “How the Feds Do It,” this page)from inception. “Certification is the documentation and evaluation of the system against a specific set of guidelines. Accreditation refers to the point where a decision maker outside the security organization chooses to accept whatever residual risk remains with the system. That person then has the responsibility to actively manage that risk,” says Hart Rossman, chief technology officer for the enterprise security solutions business unit at Science Applications International Corp. (SAIC), which has a practice helping organizations establish SC&A programs.

Many private-sector companies have in the past shown a reluctance to invest the time necessary to build security into the IT project lifecycle. Now that’s changing, driven in part by the greater accountability created by the Sarbanes-Oxley Act and other regulations. Two financial services companies profiled here, MassMutual and Nationwide Mutual Insurance, provide insight into making the SC&A process work. Late application changes are costly, regardless of what industry you’re in, so CISOs may find these ideas worth imitating.Starting with AttitudeIn MassMutual’s case, the familiarity of the building permit concept also helped Bonsall and his group smooth over some political bumps in establishing the program about a year ago. For starters, the security group was not “out to get” the IT staff any more than the town building officials were throwing their weight around with local homeowners. Still, going from having no formal process to having a full-bodied program is difficult. “There was a fair amount of campaigning up front. Senior management immediately understood why we needed to do this,” he says. With the critical executive support in place, 18-year MassMutual veteran Bonsall (who reports to the company’s CIO) and his staff (two of the 28 information security personnel would serve as IT project security consultants) had to convince the IT professionals that this was worthwhile, tailoring the message to fit the specific audience. “The developers had to understand why they were being forced to go through this. Project managers had to understand there are security processes that have to be adhered to,” says Bonsall.

And change is a two-way street. Bonsall’s group altered its process to better meet the IT group’s needs. When IT building permits first began, everyone who wanted to buy a product, build an application or outsource a system had to spend at least an hour filling out a detailed questionnaire, including information such as what kind of data was involved and which platforms the new application would touch. After some feedback (read: complaints), Bonsall put in a preliminary step called triage. Anyone with a project in the works now calls or e-mails one of the security consultants, who quickly determines whether the project is completely innocuous (if there is no confidential information and the project will not affect the infrastructure at all, for example) or whether it merits closer scrutiny. About 15 percent of proposed projects skate past the full-blown review, saving everyone time and paperwork.

Responsiveness and a willingness to tweak the process go far toward establishing information security as a trusted corporate adviser rather than a cop or enforcer. That is key, according to Jack Jones, CISO and associate vice president for Nationwide Mutual Insurance. Jones implemented an SC&A process four years ago. “We’d rather play the role of counselor,” he says. “It isn’t that difficult because no one likes the stress and conflict associated with all those 11th-hour crises. We worked hard to make it streamlined rather than a boat anchor…. We have become a member of the team rather than the enemy.”To Each His OwnEach organization implements SC&A in its own way (see the boxes on this page).

Though Nationwide started its SC&A in 2000, it is only in the past two years that the process has matured and become part of its system development lifecycle. Jones leads a team of 100 in information security; between 25 and 30 people work exclusively on SC&A. This year about 800 projects (including significant hardware purchases as well as packaged and homegrown applications) will go through the SC&A process. Each project is assigned a consultant who will be part of the project, ideally from concept to retirement. Each consultant owns from six to 20 projects at a time, the high end of that range being for short periods when a business unit has a particular push for new applications. The consultants are first and foremost security expertsgenerally holding CISSP or GIAC certification, not formal project management certificationbut Jones notes that they also require excellent communication and people skills.

The conclusion of the process is also important. At MassMutual, when the consultant signs off on the appropriate measures being in place, Bonsall comes back to sign the certificate of occupancy, then the application or system is ready to be placed into production. Bonsall’s group consulted on about 360 projects last year.

Nationwide’s final step, called accreditation, has a twist that borrows from the federal government’s model. Here, a decision-maker from outside the security domain (such as the CIO or a business executive) attests that security has been accounted for and then accepts the responsibility for tracking and managing the residual risk in running the system. No matter how much security is built in, every application or system has some leftover risk. “Some security executives believe businesspeople can’t make the right decision about taking on information security risk. I believe those decisions should be made by businesspeople because risk is a business issue. Our job is to give them enough information to make an informed decision,” says Jones. Even at the end of a lengthy certification process, the deciding authority might make a decision that you don’t agree with. “There are times when we provide the information, and we personally believe they are not making the right call,” says Jones. That’s OK, because “they understand the project’s reward component; we don’t have visibility into that. At the end of the day, these are business decisions.”

MassMutual’s process has not been in place long enough for Bonsall to have metrics on money or time saved. Bonsall believes he will have that evidence within the next year. Jones, who has been at this roughly twice as long, sees many benefits. For one thing, with each new project everyone learns more about security. “The IT people begin to absorb what we’re doing and come to understand our perspective. They have become much more self-sufficient over time so the issues that we do see are much less problematic,” he says.

Also, Nationwide tracks its SC&A efforts in a knowledge base. Jones now has the luxury of showing his boss, the vice president of IT risk management, how many projects started out high-risk that were labeled low-risk by the end of the process. (Nationwide declines to make the numbers public.) He can also pull up the number of pending and completed projects and how much time each took. Says Jones, “We have a tremendous amount of information about how we’re managing this process. Now we can show management our value proposition.”