Cybersecurity certifications on the fast track
The Information Security Certification Body, or ISCB, is a department within the national cybersecurity specialist agency, CyberSecurity Malaysia. It has the pivotal role of determining which information security services and products Malaysian private and public organisations use.
In summary, the ISCB manages and provides certification services based upon three main international standards and guidelines, namely Common Criteria (ISO/IEC 15408), ISMS (ISO/IEC 27001) and the World Trustmark Alliance (WTA) Code of Conduct.
According to Head of ISCB, Wan Shaifuddin Zainudin (or Wan Shafi), the certification body would award certifications, although evaluation of products and services is done by Malaysian Security Evaluation Facility (MySEF), or licensed facilities that belong to external commercial partners.
BAE Systems Applied Intelligence MySEF is one example of a licensed MySEF laboratory.
MySEF evaluates ICT products, systems and protection profiles against ISO/IEC 15408:2009 – Information technology — Security techniques — Evaluation criteria for IT Security.
Certifications for Malaysia – MyCC, MTPS and CSM 27001
According to the ITU Global Cybersecurity Index of 2018, Malaysia ranked 8th, ahead of countries like Australia, France and Canada. This is due to Malaysia scoring high on the index for Capacity Building, which includes its active initiatives around cybersecurity certification.
Malaysia also has equal footing with countries like Singapore and Australia when it comes to technical expertise.
ISCB has been offering certifications for Common Criteria, ISMS and the Malaysia Trustmark since the 10th Malaysia Plan.
Malaysia was accepted as an Authorising Participant of CCRA or the Common Criteria Recognition Arrangement in 2011. What this means is that products with this certification will be recognised globally by CCRA member countries.
As of December 2018, ISCB has certified 52 products under the MyCC scheme. MyCC, or the Malaysian Common Criteria Evaluation and Certification scheme, has the overall mission of increasing Malaysian competitiveness in quality assurance of information security, based on the Common Criteria standard, and of building consumers’ confidence in Malaysian information security products.
In addition, there is the Malaysia Trustmark for Private Sector (MTPS), a systematic process for assessing and validating a website’s security, legality and good e-commerce practices, initiated by the Malaysian Government and based upon the WTA guidelines.
The CSM27001 scheme provides a model for certifying organisations against the internationally recognised MS ISO/IEC 27001 ISMS standard. As of December 2018, there are 29 organisations certified under this scheme.
The benefits of MyCC
Wan Shafi answered, “When you follow international standards there are a lot of clauses to conform with. Local industry organisations find it’s hard to fulfil them.
“A Common Criteria evaluation takes six months to get the level of assurance (evaluation assurance level or EAL) that we can get. So that level is EAL 2, and to get there it takes time and effort for the developers, for the evaluators and also the certifiers.”
“As an analogy, imagine an auditorium. You have to evaluate all the doors to the auditorium, but we can also focus on the two main doors, for example.
What ISCB proposes to do is ensure that products and services meet the minimum security requirements accepted within Malaysia.
“So, a locally recognised scheme is also being developed, namely Technical Security Assurance (TSA), because it tests certain things instead of all. And we ensure that the two doors are fit for local use.”
There are also other benefits of this being a local scheme. With oversight from a local body like ISCB, there is the authority to implement certain new rules, requirements or methods.
Many companies come to introduce new technologies into Malaysia. Wan Shafi observed, “But for their technology to be used, it has to be evaluated and certified, first.” A TSA evaluation can be completed in 3 to 4 months, compared with at least six months for Common Criteria EAL2.
“Usually, things come to a full stop because the pricing is too high and/or the duration is taking too long.”
From Wan Shafi’s point of view, local developers can use the invaluable experience that their products and services gain in the market to improve their products.
“It’s about the learning curve for the developer. Documentation is important, but in the interest of time, let’s put it aside and test the product first,” Wan Shafi pointed out.
TSA or the Technology Security Assurance
The simplest way to describe the Technology Security Assurance or TSA is that it’s a fast track to MyCC certification.
Unlike MyCC, TSA evaluates against the mandatory functions, or mandatory security functional requirements (MSFR), that a specific class of cybersecurity product or service needs to be evaluated on.
Wan Shafi pointed out that this approach cuts out the documentation, but adds further requirements to comply with in terms of the MSFR.
The MSFR can be determined by a working group of vested parties. For example, a working group of Jabatan Pendaftaran Negara (JPN), MDEC, Datasonic and Iris set out the security requirements for the MyKAD card reader.
Why is TSA known as the fast track option of MyCC?
Based upon the diagram above, components 1 to 4 are bypassed for TSA certification.
According to Wan Shafi, these components concern documentation surrounding the scope of protection, installation and manuals, development, and the lifecycle of the code.
“We want to put all these aside and start testing in terms of security functional tests and vulnerability assessment.”
The time saved by opting for TSA instead of MyCC certification is anywhere from 4 to 6 months.
Wan Shafi wanted to point out that with a TSA certification, there is still the potential to go for a MyCC certification, and in fact, it may be even easier to be certified under the MyCC scheme.
The head of ISCB opined that time-to-market becomes shorter with the MyCC scheme, and more Malaysian products and services that are certified as secure can be made available in the market.