As explained in the first post of this series dedicated to the C4V model, the cyber security level of outsourced services is key to assess the cyber security capabilities of any organisation: It is no use increasing the cyber security levels of an organisation if their suppliers’ levels are not as high, because -it goes without saying that- "security is as strong as its weakest link".
In this sense, the C4V model is based on the same idea as the other ENSI elements: providing INCIBE-CERT users with tools to improve the protection level of critical infrastructures.
So, how is C4V used to protect the value chain? As the model itself shows, C4V is expected to be used as part of the risk-supplier management model that the operator has to implement. For those not familiar with this term, this type of management consists of implementing processes to:
- Classify services according to their level of criticality
- Establish security and supervision requirements according to said level of criticality
- Assess and monitor the compliance with said requirements
In order to classify services, we need to choose those parameters that help us to identify the most critical services for the operation of the service. Some examples include: access to production environments, access to large amounts of information or sensitive information, access from outside, type of service, etc. It’s important to carry out this classification for every service, because the same type of service, used for other purposes, may have a different level of criticality.
The objective is having as few objective criteria as possible to help to determine the level of criticality of a specific service –thus, this process can be performed by the service manager itself or a corporate purchasing department. Ideally, we should be capable of representing graphically these criteria in a decision tree that fits on one page.
Establishing security and supervision requirements
This is the activity where the C4V model proves to be most helpful, because it allows associating certain security requirements with each level of criticality. Therefore, a service that deals with public information would be associated, for example, with confidentiality level D, but, if it handles critical information, an A, or even A+ –the highest level– would be required. The 5 levels of capabilities –organised from D to A+– arranged in 3 security dimensions –confidentiality, integrity and availability– allow great flexibility in establishing said criteria.
As regards to the supervision degree, there are several options that are usually related to the level of criticality of the service –the higher the level of criticality of the service, the more demanding supervision mechanisms tend to be:
- Questionnaires: Consists of developing questionnaires –according to applicable security measures extracted from C4V– that are sent to the respective suppliers of services so that they can confirm whether said measures have been implemented or not. This is the mechanism offering fewer guarantees, since answers are provided by the supplier itself without any kind of validation. Therefore, it is not advisable for the most critical services.
- Review of first or second part: Consists of the review of compliance with necessary measures according to the type of service by the operator itself or a company hired by it. This is the mechanism offering the highest level of assurance, but, on the contrary, it is the most expensive one to implement, not only because of the cost of the audit but also because results can't be reused.
- Review by independent third parties: These reviews can take different forms: audit, certification or qualification. In short, it consists of commissioning the review to an independent third party, both of the operator and the supplier. The advantage of using the C4V model is that it allows reusing the results, avoiding the cost of the unnecessary repetition of assessment processes. The key aspect of this approach is that it ensures the independence and technical qualification of the assessor, and, in exchange, it allows a high level of assurance at a more reasonable cost, because the supplier can distribute the cost among all of its clients.
Typically, these supervision requirements and mechanisms are incorporated into purchasing processes of the operator so that they become part of the usual process and ensure that all of the contracted services have a protection level according to their level of criticality.
Assessing and monitoring
Once this process is implemented, the "only" thing remaining is setting it in motion so that all services are assessed according to the C4V model and thus we can know at all times the protection level provided by said services and assess our risk level to take decisions on whether the protection level needs to be increased, maintained or reduced, according to the threat scenario we face.
In conclusion, the C4V model jointly developed by INCIBE and LEET Security is a tool that allows us to know in an objective and efficient way the security level of our value chain with an homogeneous scale, simplifying our risk management of suppliers. In addition, the qualifications issued by LEET also comply with the C4V requirements, which simplifies even more knowing the security level of services and suppliers involved.
Antonio Ramos, Founding Partner of LEET Security