Certifying penetration testing providers

By Anwer Yusoff, Head, Cyber Security Industry Engagement & Collaboration Department & Wan Shafiuddin Zainudin, Head, Information Security Certification Body

The Penetration Test Service Provider Scheme (PTSP) is a process certification provided by CyberSecurity Malaysia through its Information Security Certification Body (ISCB).

Head of ISCB, Wan Shafiuddin Zainudin, or Wan Shafi, shared, “By providing this, we are contributing towards the national security and public safety obligations.

“By assisting the government to select penetration testing services, we are also fulfilling our role of contributing towards building resiliency for the industry.”

Penetration testing is an authorised, simulated cyberattack on a computer system. It is conducted to evaluate the security of the system, to identify weaknesses, and to test the organisation’s ability to respond to security incidents.

As such, it is a crucial component of the steps and measures an organisation takes to protect its data and assets.

Besides developing and conducting PTSP to help build resiliency for the Critical National Information Infrastructure (CNII) sector, ISCB is also developing a Business Continuity Management System (BCMS) scheme, an initiative to assist the CNII sector in providing resilient critical services.

A BCMS establishes a strategic and operational framework for proactively building an organisation’s resilience to disruption.

“We are currently building our BCMS 22301 and it is currently in pilot phase.”

Since development of the ISO 22301 scheme started in 2016, three organisations, Nuklear Malaysia, Institut Kanser Negara and KUB Malaysia, have been certified. The BCMS scheme is expected to be fully ready, with more organisations certified under it, by the end of this year.

Penetration testing services

According to Wan Shafi, PTSP is a national scheme to ensure that penetration testing services meet the requirements of the organisations that engage them.

“There has been feedback from the government and other sectors that the penetration testers sent to them can’t do the job or are not competent enough,” he shared.

Under PTSP, CyberSecurity Malaysia audits against defined criteria agreed upon by the relevant parties, starting with the competency of the individual penetration testers themselves.

“At this phase, we will audit the individual to ensure they have the necessary relevant certifications, first.”

The second phase involves looking at the methodology of the service provider.

“In the penetration testing world, there are three phases – pre-engagement, engagement and post-engagement.

The engagement phase includes activities that are conducted on-site, while pre-engagement includes activities like observation, document reviews and interviews.

Adhering to a defined report structure is also very important. In the case of a dispute between client and service provider, how the report is written and what it records can make all the difference in how quickly the dispute is settled.

Deployment plans

The PTSP process certification will ensure that service provider companies have the leadership and the employees with the right skill set to perform the required services.

Documentation review and site inspection will be carried out to ensure that the service provider follows the penetration testing methodology.

Via this scheme, CyberSecurity Malaysia is meant to help government agencies and ministries select penetration testing services.

But the scheme is not mandatory at this point in time.

“We have met up with Bank Negara Malaysia (BNM), and in principle they agree to comply with the scheme. But if CyberSecurity Malaysia is meant to develop the criteria, audit against them and issue the certificate, there is the issue of impartiality.

“I recommend that governance be put in place, for example a tech committee comprising academia, industry and even end users. They can decide the criteria that are needed.”

This is the main task for the organisation now, and the next would be to get buy-in from the Government CIO, MAMPU. As the CIO for the public sector, MAMPU would bear the onus of mandating the PTSP scheme.

“Many government agencies have many systems that need penetration testing before they can go live. Whoever offers penetration testing services to them will need to have the PTSP certification,” Wan Shafi emphasised.

The next 2 years

According to Wan Shafi, BNM has drafted the RMiT (Risk Management in Technology) policy for financial services, under which financial institutions must establish standard operating procedures (SOPs) for vulnerability assessment and penetration testing (VAPT) activities. The penetration testing provider must also submit a comprehensive report, with remedial actions, to senior management.

The technical committee that Wan Shafi recommends setting up is expected to determine the baseline scope of penetration testing services.

This will be the second phase of the PTSP scheme, which Wan Shafi wants to have in place in time for the 12th Malaysia Plan policies.

“Phase 1 of PTSP is about the competency of service providers’ individual talents. In 2 to 3 years, a baseline scope should be finalised.

“It is a lot of work to do, and there is a lot of resistance to this. But awareness has to be fostered in the industry that it is critical and we need to do it,” Wan Shafi emphasised, adding that after the public sector, the plan is to replicate it for the financial services industry.

Timely for financial services

PTSP is aligned with the objectives of the RMiT exposure draft that BNM issued earlier this year, and is therefore timely.

The organisation has been working closely with financial institutions (FIs), and especially with BNM, serving as technical advisor in the Internet Banking Task Force (IBTF).

CyberSecurity Malaysia CEO, Dato’ Ts Dr. Amirudin bin Abdul Wahab said, “It is our role to assist any industry to be able to operate its function within the cyber space.

“The draft document stated that the FIs should adopt international standards and best practices on a few things, and one of them is the implementation of security controls. The National Cyber Security Policy (NCSP) did mention that all 10 sectors are required to adopt the MS ISO/IEC 27001 Information Security Management System (ISMS) as a security baseline.”

CyberSecurity Malaysia is the accredited certification body for ISMS certification, operating under the CyberSecurity Malaysia Information Security Management System Audit and Certification (CSM27001) Scheme.