The document discusses the ISO 27001 certification process for the electronic invoice authorization system of the Secretariat of Finance of the State of Minas Gerais in Brazil. The system authorizes electronic invoices to replace paper invoices for business transactions. Seeking ISO 27001 certification would demonstrate the state's commitment to information security. The certification process involved identifying security risks and controls to ensure availability, scalability, and elimination of single points of failure for the critical invoice authorization system. This would be the first ISO 27001 certification for an electronic invoice system in Brazil.
ISO 27001 certification process of electronic invoice in the State of Minas Gerais

Lindemberg Naffah Ferreira
Information Systems Course, Anhanguera College of Belo Horizonte, Belo Horizonte, Brazil
lindenberg@gmail.com

Silvana Maria da Silva Constante, Alessandro Márcio de Moraes Zebral, Rogério Zupo Braga, Helenice Alvarenga, Soraya Naffah Ferreira
Department of Information Technology, Secretariat of Finance of the State of Minas Gerais, Belo Horizonte, Brazil
{silvana.constante, alessandro.zebral, rogerio.zupo, helenice.alvarenga, soraya.naffah}@fazenda.mg.gov.br
Abstract: This paper presents the process by means of which the Secretariat of Finance of the State of Minas Gerais intends to get an ISO 27001 certification of the Electronic Invoice authorization. In 2007, the Secretariat of Finance of Minas Gerais started the project of Electronic Invoice (NF-e), which involves replacing the conventional invoice, on paper, by a document issued and stored electronically that exists only digitally. The purpose of the Electronic Invoice is documenting the movement of goods occurring between the seller and the buyer, which is subject to State taxes. The legal validity of the Electronic Invoice is guaranteed by the issuer's digital signature and by the reception of the data by the Secretariat of Finance of Minas Gerais before the movement of the goods. The information technology architecture of the Electronic Invoice authorization process of the Secretariat of Finance of the State of Minas Gerais is intended to ensure three basic objectives: 1) availability; 2) scalability; and 3) elimination of single points of failure. So, the Secretariat of Finance of the State of Minas Gerais concluded that the ISO 27001 certification of the information technology production environment, undergoing evaluation by external entities, namely, certification bodies, would demonstrate explicitly the commitment of the State of Minas Gerais to the general public and to the entrepreneurs who are based in Minas Gerais, as well as to those who intend to establish themselves in the State of Minas Gerais in the near future. This work presents some of the difficulties faced by the Secretariat of Finance of the State of Minas Gerais during the preparation for the ISO 27001 certification, which is a major step to ensure the security requirements of information assets that are critical to the business. To the best of our knowledge, this is the first ISO 27001 certification process of the Electronic Invoice authorization in Brazil, and the first ISO 27001 certification process in the executive branch of the direct administration in Brazil, in all three levels of government.

Keywords: ISO/IEC 27001; Information security; Electronic invoice

I. INTRODUCTION

Asserting that information is an essential resource for modern organizations, whether public or private, is almost a truism. In fact, nobody living in the 21st century can deny the role of information in everyday activities. Its importance is even greater for organizations dealing with finance, such as banks, insurance companies and Secretariats of Finance or Departments of Treasury.

In recent years, with the arrival of the Internet and electronic transactions, the risks related to information security have increased exponentially. In fact, the Information Security Breaches Survey 2013, carried out during the conference Infosecurity Europe, whose results were analyzed by Price Waterhouse Consulting, commissioned by the Department for Business, Innovation and Skills of the British government, states that the average cost of a security breach during the year 2012, among the large organizations surveyed (i.e., those with 250 employees or more), ranged from 450,000 to 850,000 British pounds, with many incidents resulting in losses of more than 1,000,000 British pounds. According to the same report, in total, the cost to UK plc of security breaches is of the order of billions of pounds per annum, and it roughly tripled over the last year [1].

That is why, among other reasons, the Secretariat of Finance of the State of Minas Gerais (SEF/MG) decided to pursue a security certification for the scope of its electronic invoice (NF-e, for its acronym in Portuguese) authorization system, in the production environment. The electronic invoice (NF-e) system, which is part of the Public Digital Accounting System (SPED, for its acronym in Portuguese), is extremely important for the SEF/MG, as well as for all the state-level tax authorities in Brazil and also for the Secretariat of the Federal Revenue. This system is critical, too, for companies based in the State of Minas Gerais, since it can affect their competitiveness.

II. ELECTRONIC INVOICE

The electronic invoice system (NF-e) intends to replace almost all hard-copy invoices issued in business-to-business transactions in Brazil with electronic documents whose existence is solely digital. These electronic documents must adhere to an XML format approved by the Permanent Technical Commission of the National Finance Policy Council (COTEPE/CONFAZ, for its acronym in Portuguese), and must be digitally signed. The use of electronic invoices brings huge benefits for the taxpayers, as well as for the tax authorities and for society in general, providing greater agility for businesses and improving the capacity of fighting tax evasion. In fact, using an electronic invoice makes it easier to accomplish integrated and coordinated tax oversight actions involving authorities from different government levels. It also simplifies the data exchange between those authorities and allows the cross-checking of information provided by taxpayers. From society's perspective, the use of electronic invoices reduces paper consumption and the cost of commercial transactions. It also creates new opportunities for businesses that intend to develop invoicing software.

It is worth mentioning that electronic invoicing in Brazil has strict regulations for taxpayers, but also for the government. In fact, the electronic invoice (NF-e) must be received and validated by tax authorities before any transaction occurs. If the transaction isn't authorized by the government, the transportation and/or the delivery of the goods is illegal and can result in sanctions. For this reason, the authorization of the Brazilian electronic invoice (NF-e) has challenging service levels, such as availability 24 hours a day, 365 days a year. Besides, the invoices received must be processed in up to 3 minutes for at least 95% of the total volume received in a period of 24 hours. In the State of Minas Gerais, this volume may reach over 1,000,000 electronic invoices (NF-e) to be processed during a regular day, and more than 900,000 electronic invoices (NF-e) authorized, since some of them aren't approved. This poses many demands in processing and storing an enormous amount of data, without sacrificing the availability and the response times required. An eventual unavailability or poor performance in the authorization of the electronic invoice (NF-e) can compromise the capacity of doing business of many companies based in Minas Gerais, particularly of those that rely on production strategies like just in time. In other words, any problem with the electronic invoice (NF-e) authorization system of the State of Minas Gerais can harm beyond the government's revenue, impacting the economy and even leading to a reduction of the gross domestic product (GDP) of this State (about 9% of the Brazilian GDP).

III. INFORMATION SECURITY AND SECURITY CERTIFICATION

According to the NIST [2], information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Stallings [3] defines confidentiality as the property which ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties. The same author explains that integrity is the property which ensures that only authorized parties are able to modify computer system assets and transmitted information. He explains further that availability is the property which requires that computer system assets be available to authorized parties when needed.

Quoting Arnason and Willet [4], ISO 27001:2005, Information Security Management Systems Requirements, provides, as stated by its name, requirements for an Information Security Management System (ISMS) and describes a process for achieving such. This standard has its origins connected to the British standard BS 7799 Part 2. ISO 27001 is part of a family of standards, known as the ISO 27000 family, which contains other important standards, such as ISO 27002 (whose origin is related to BS 7799 Part 1), a Code of Practice for Information Security that contains 12 chapters addressing security controls. This standard provides knowledge about security controls to protect information, but doesn't explain how to apply these controls. On the other hand, ISO 27001 provides direction on how to establish a management system that helps to select controls and to establish good practices to apply the security controls [4]. The ISO 27001 standard proposes a four-phase approach to establishing the ISMS, namely, the Plan-Do-Check-Act (PDCA) cycle. In this cycle, the Plan phase (establishing the ISMS) consists of the definition of the information security policy and of the procedures related to risk management, as well as the establishment of the ISMS objectives. The Do phase comprises the implementation of the ISMS, making effective use of the policy, controls, processes and procedures. The execution of the Check phase requires the assessment and measurement, if applicable, of the performance of the processes, comparing them against the policy. Therefore, this phase requires the permanent monitoring and review of the ISMS. Finally, the Act phase consists of carrying out corrective and preventive actions related to the ISMS, as a result of internal audit and management review. It intends to provide continuous improvement of the ISMS.

So, the certification process requires the definition of an information security policy; the definition of the scope of the ISMS; performing a risk analysis for the scope of the ISMS; the decision about how to manage the risks identified; and selecting the objectives and controls to be implemented, as expressed in a Statement of Applicability. After this, the controls selected must be implemented and it is possible to undertake a certification.

IV. SECURITY CERTIFICATION IN THE SECRETARIAT OF FINANCE OF THE STATE OF MINAS GERAIS

The Secretariat of Finance of the State of Minas Gerais (SEF/MG) hired a consulting firm in 2005 for the purpose of assessing information security issues. This firm was also responsible for recommending remedies for the detected flaws and for supporting the implementation of measures intended to reduce risks. As a part of this work, a risk analysis of the assets of SEF (namely, people, processes, equipment and software, especially the equipment and software installed in the SEF Data Center) was executed. After that, SEF/MG decided how to manage the risks identified (i.e., accept some of them and mitigate the others) and how to fix them.

As a consequence of this work, SEF/MG officially defined and implemented an Information Security Policy in December 2006. At the same time, an information security educational campaign was carried out among the workforce of SEF/MG. At this point, however, an information security management system was not defined. This was done in 2007, but not with the goal of attaining a security certification.

In 2009, however, taking into account the importance of the process of authorization of electronic invoices (NF-e) to the State of Minas Gerais, it was decided to implement the information security management system within the scope of the electronic invoice authorization system, in the production environment. Thereafter, the information security management system was defined on this scope, but this time with the purpose of getting the security certification.

A risk analysis was performed in the scope defined for certification, and decisions were made to address the risks identified. Some objectives and controls were selected from ISO 27002 to be implemented. Of course, controls from other sources beyond ISO 27002 could have been selected to be implemented, but SEF/MG considered it more appropriate to implement only the controls described in the standard mentioned above. However, there are controls in ISO 27002 that were not applicable to the scope of the certification in SEF. A statement of applicability (SoA) was prepared to record the decisions made about which controls should be implemented.

V. DIFFICULTIES EXPERIENCED

Unfortunately, it was not possible to finish the process of certification by the end of 2009 or in early 2010, as planned. At that time, it was not possible to hire a company that would perform the external audit required in the process of certification, because of some difficulties related to the procurement process. In fact, this company was hired only in 2012. It is worth mentioning, however, that the members of the workforce involved in the scope of certification didn't have enough maturity in 2009 to implement all applicable controls. So, even if the audit firm had been hired, the certification would probably not have been achieved then.

In early 2012, after the procurement of the company responsible for external auditing in the process of certification, it was necessary to arrange the hiring of a consulting firm to monitor the certification process, which only occurred in late 2012. Because the work started in 2009 had not been completed, the same company that had begun the work (monitoring and supporting the certification process) was then hired.

As a result of this delay, the documentation built in 2009 became outdated. In addition, there were major changes to the scope of certification, including the teams that performed activities in this scope. The statement of applicability also had to be modified. Successive changes in scope (more than 30 in all) have resulted in rework.

Even the SEF's information security team who participated in the work carried out in 2009 has changed. The new team members of SEF's information security sector had no contact with the consulting team that started the job. Even the consulting team experienced many changes. This problem was compounded by the fact that not all decisions made in 2009 were sufficiently documented.

In addition, the new members of the information security team had not been trained in the risk management tool used by SEF and learned to use it in practice, which consumed more time than would be desirable.

Another problem that plagues many certification processes (and SEF/MG was by no means different) is the difficulty in assigning higher priority to activities related to information security, even with the blessing of the board of the company. Typically, professionals working in the scope of certification spend too much time ensuring the functioning of the infrastructure of information systems, leaving little time to focus on the process of certification. Thus, changes in the scope of certification processes, which should be reported promptly to the security team, take time to be communicated, which slows the update of the corresponding documents.

In most organizations (and SEF/MG is an example) it is understood that information security is a responsibility of one sector and not, as would be correct, of all employees. Changing this picture requires relentless work. It is already possible to see positive changes in the behavior of the group of employees of SEF due to past efforts.

VI. POSITIVE ASPECTS

Professionals who are part of the scope are more aware of information security risks and are more concerned about adopting and following processes in their activities.

As a result of the implementation of a formal process for changes, modifications in the production environment of the electronic invoice authorization system are being carried out in a more organized and professional manner, which contributes to the stability of that system.

The involvement of the audit sector of SEF in the certification process will bring benefits to other audit procedures related to information technology.

VII. CURRENT STATUS

As a result of an internal audit conducted by the consulting firm hired, with the participation of the audit sector of the SEF/MG, some non-conformities were identified. As a consequence, the top management became more involved in the process of certification, trying to address the problems identified during the auditing.

On July 1st, a new Information Security Policy was approved by the Governance Body. The new Policy was the result of six months of revision work. It contains many changes necessary to the certification process. Weekly meetings are being held to track the progress of the solution of pending issues identified in the internal audit. A new internal audit will be held in late July 2013. The team involved in this audit will be composed of two auditors from the audit sector of SEF, trained in late June 2013 as Lead Auditors for ISO 27001.

The external pre-audit for certification is scheduled for the end of September 2013. The external audit shall be scheduled within 90 days of the pre-audit.

VIII. CONCLUSION

Getting a security certification in a public organization involves additional challenges related to the procurement of services and the need to meet legal regulations.

It is important to review the information security policy periodically. The SEF had not reviewed its information security policy for over six years, which was harmful. From now on, it will be reviewed every 18 months.

It is important to pursue the certification process without interrupting it, if possible. During interruptions the documentation can become outdated. Moreover, there may be changes in the team and in the remainder of the scope, resulting in much rework.

Even when and if the SEF gets its certification in information security, this will not be the end of the process, but just its beginning. In fact, new audits will be performed in the scope of certification every 6 or 12 months, during the period of validity of the certification, which is 3 years. In addition, many changes will occur in the scope in the next months, such as the move to a new data center and the deployment of new ITIL processes using a Service Desk tool.

REFERENCES

[1] Department for Business, Innovation and Skills, Information Security Breaches Survey 2013. London, 2013, p. 2.
[2] R. Kissel (editor), Glossary of Key Information Security Terms, 2nd rev. Gaithersburg: National Institute of Standards and Technology, 2013, p. 94.
[3] W. Stallings, Cryptography and Network Security: Principles and Practice, 5th ed. Boston: Prentice Hall, 2011, pp. 10-11.
[4] S. T. Arnason and K. D. Willet, How to Achieve 27001 Certification: An Example of Applied Compliance Management. Boca Raton: Auerbach, 2007, pp. 9-18.
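The service level stated in Section II (at least 95% of the invoices received in a 24-hour period processed within 3 minutes, with rejected invoices counting as processed volume) is the kind of availability requirement an ISMS has to monitor continuously during the Check phase. The following script is an added example, not code from the paper or from SEF/MG: it reads a constructed authorization log whose record format ("received timestamp, response timestamp, outcome") is an assumption made for the example, groups records by the day the invoice was received, and reports whether each day met the target. It also tolerates malformed records and attributes an invoice received just before midnight to the day of receipt, which is the edge case a naive per-day grouping gets wrong.

```python
"""Added example (not from the paper or from SEF/MG): checking an invoice
authorization log against the service level described in Section II, i.e.
at least 95% of the invoices received in a 24-hour period must be processed
within 3 minutes. The log format and the sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA_LIMIT = timedelta(minutes=3)   # "processed in up to 3 minutes"
SLA_TARGET = 0.95                  # "at least 95% of the total volume received"

# Constructed sample: one record per NF-e, "received_ts responded_ts OUTCOME".
# Day 1 has 8 invoices, all processed within the limit (one rejected); the
# last one is received at 23:59:58 and answered after midnight.
# Day 2 has 10 invoices; one took 4 minutes, so only 90% meet the limit.
# The final line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
2013-07-01T08:00:00 2013-07-01T08:00:07 AUTHORIZED
2013-07-01T08:00:01 2013-07-01T08:01:10 AUTHORIZED
2013-07-01T08:00:02 2013-07-01T08:00:03 REJECTED
2013-07-01T08:00:03 2013-07-01T08:02:59 AUTHORIZED
2013-07-01T09:15:00 2013-07-01T09:15:04 AUTHORIZED
2013-07-01T12:30:00 2013-07-01T12:30:02 AUTHORIZED
2013-07-01T18:45:00 2013-07-01T18:45:09 AUTHORIZED
2013-07-01T23:59:58 2013-07-02T00:00:05 AUTHORIZED
2013-07-02T08:00:00 2013-07-02T08:00:05 AUTHORIZED
2013-07-02T08:00:01 2013-07-02T08:04:01 AUTHORIZED
2013-07-02T08:00:02 2013-07-02T08:00:04 REJECTED
2013-07-02T08:00:03 2013-07-02T08:00:06 AUTHORIZED
2013-07-02T10:00:00 2013-07-02T10:00:08 AUTHORIZED
2013-07-02T10:00:01 2013-07-02T10:00:03 AUTHORIZED
2013-07-02T14:00:00 2013-07-02T14:00:02 AUTHORIZED
2013-07-02T14:00:01 2013-07-02T14:00:05 REJECTED
2013-07-02T20:00:00 2013-07-02T20:00:07 AUTHORIZED
2013-07-02T20:00:01 2013-07-02T20:00:03 AUTHORIZED
this line is not a valid record
"""


@dataclass
class DayReport:
    day: str
    received: int = 0       # every invoice received, approved or not
    authorized: int = 0
    rejected: int = 0
    within_limit: int = 0   # invoices answered within SLA_LIMIT

    @property
    def ratio(self) -> float:
        return self.within_limit / self.received if self.received else 0.0

    @property
    def meets_sla(self) -> bool:
        return self.received > 0 and self.ratio >= SLA_TARGET


def parse_record(line: str):
    """Return (received, responded, outcome) or None for an unusable line."""
    parts = line.split()
    if len(parts) != 3 or parts[2] not in ("AUTHORIZED", "REJECTED"):
        return None
    try:
        received = datetime.fromisoformat(parts[0])
        responded = datetime.fromisoformat(parts[1])
    except ValueError:
        return None
    if responded < received:        # corrupted record or clock skew
        return None
    return received, responded, parts[2]


def evaluate_log(log_text: str):
    """Group records by the day the invoice was received and measure SLA
    compliance per day. Returns (reports keyed by ISO date, malformed count)."""
    reports = {}
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_record(raw)
        if rec is None:
            malformed += 1
            continue
        received, responded, outcome = rec
        rep = reports.setdefault(received.date().isoformat(),
                                 DayReport(received.date().isoformat()))
        rep.received += 1
        if outcome == "AUTHORIZED":
            rep.authorized += 1
        else:
            rep.rejected += 1
        if responded - received <= SLA_LIMIT:
            rep.within_limit += 1
    return reports, malformed


if __name__ == "__main__":
    reports, bad = evaluate_log(SAMPLE_LOG)
    for day, rep in sorted(reports.items()):
        print(f"{day}: received={rep.received} authorized={rep.authorized} "
              f"rejected={rep.rejected} within 3 min={rep.ratio:.0%} "
              f"{'OK' if rep.meets_sla else 'SLA MISSED'}")
    print(f"malformed lines: {bad}")
```

Malformed lines are counted rather than silently dropped, because a rising count of unparseable records is itself a signal worth reviewing in a production environment that is inside a certification scope.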