COI Report – Part VII Page 287 of 425

830. ISO/IEC 15408 is the international standard for evaluating and certifying products/applications which implement security functions ranging from authentication to access control to encryption. Briefly, the standard requires a product/application to be subject to, inter alia, examination of the design of the security functions, functional testing, vulnerability assessment and penetration testing.[70] Using the knowledge gained about the product/application, the evaluators would find whatever creative ways they can to compromise it. If a product/application has been certified ISO/IEC 15408, it would provide assurance that the product/application has undergone such rigorous security testing and evaluation.

831. In a similar vein, Richard Staynings (“Richard”) proposed in his report implementing stronger third-party vendor risk management requirements for applications and other systems that have access to electronic medical records, personally identifiable information, or other confidential/non-public information.

832. In this connection, Richard commented that in its marketing and documentation materials, Allscripts claimed that it was ISO 27001 and SOC 2 certified. We note that ISO 27001 does not relate to whether products have been securely developed and tested, but rather, whether an organisation has policies and controls in place to safeguard information. ISO 27001 would thus not be relevant as a security standard for the SCM application product.

833. Further, according to Richard, the materials did not stipulate the frequency with which both assessments were updated, the control objectives of the SOC 2 attestation or whether a SOC 2 Type I report (where the controls are described and evaluated at a point in time to determine if they are functioning as they are

[70] The penetration testing referred to here is specifically for a product/application; cf., for example, the network penetration testing that the GIA had conducted in FY, which involved network sniffing, running scripts to harvest credentials, and lateral movement to compromise domain controllers, but not penetration testing of the SCM application and SCM database (which are not in the typical scope of a network penetration test). Penetration testing of a product/application and the product evaluation are complementary.