Recently, ENISA has published version 1.0 of a document that seems highly interesting, title "Indispensable baseline security requirements for the procurement of secure ICT products and services" (link).

It is a document elaborated by a group of experts named by different Member States (in particualr, by Austria, France, Germany, Czech Republic, Spain, The Netherlands and Finalnd) that is applicalbe to service providers.

Before mapping security requirements listed in the ENISA document with LEET Security methodology, let us introduce some reflections about it:

  1. We completely agree that some minimum security requirements should exist for every kind of component or device, to assure that there is no weakest link.
    Nevetheless it seems to us a bit dared to say that those elements that meet these requirements can be considered "secure" and those that do not, should be considered "insecure", because we will all agree that altough the minimum requirements are met, we cannot say that they are invulnerables (being in agreement that no device shoudl be allowed if do not meet the minimum security baseline).
  2. Following that phylosophy, authors recognize that could be use cases where those minimum requirements are enough, but there could be others (most, in our opinion) in which additional requirements are going to be needed and the customer will have to assure that those additional requirements are met.
    In those cases, is where rating plays a key role because, once the minimum requirements are met, rating levels show how, over the minimum requirements, are security controls assessed during rating (something that is not achivable using management system certification according to ISO27001 - in fact, we could say that it is a necessarty but not enough condition).
  3. Altough document is for products and services, in fact, 7 of 10 principles listed are for products, and only 3 are focused on services (quality management, UE jurisdiction and data usage restriction).
    For that reason, we wonder if could make sense to publish another document, as the one commented here, but mainly focused on services (more than on products).

Finally, and as promised, in the following table we have mapped minimum requirements of ENISA document with sections in LEET Security rating methodology, identifying also, what are the requirements in this methodolody for the minimum rating level (aka 'D D D'). Still considering that LEET Security is focused in services, not on products, we can see an overlap of more that 50% between both documents. 

Req. ENISA LEET Security Level DDD requirements
Security by Design [SO.05] Security requirements of Information Systems  
[MO.01] Audit logging x
[SD.05] Control of technical vulnerabilities x
Least Privilege [AC.03] User identification and authentication  
[AC.01] Business requirements for access control x
[AC.04] Password management system x
Strong Authentication [AC.02] Secure log-on procedures  
Asset Protection [CR.01] Key management x
[FS.05] Physical media in transit protection  
[NC.05] Safeguard confidentiality over public networks  
Supply Chain Security [MO.02] Monitoring system use  
Documentation Transparency [SO.04] Security of system documentation  
[SO.01] Change Management x
Quality Management [TP.02] Supply-chain assurance x
Service Continuity [SD.05] Control of technical vulnerabilities x
EU Jurisdiction [CO.01] Compliance with legal requirements x
Data Usage Restriction [TP.01] Shared processing x
N/A [SO.03] Information Management and Handling Procedures x
[PS.02] Training and Awareness x
[FS.01] Physical Security Perimeter x
[FS.03] Equipment location and protection x
[RE.04] Information backups x
[RE.06] Information security aspects of BCM x
[CO.02] Compliance with security policies and standards, and technical pro. x
[NC.02] Network routing controls x
[IH.01] Reporting infosec events and weaknesses x
[IH.02] Management of infosec incidents and improvements x

You can follow us on twitter.com/leet_security

6 de marzo de 2017