ISO 27001 certification process of electronic invoice
in the State of Minas Gerais
Lindemberg Naffah Ferreira
Information Systems Course
Anhanguera College of Belo Horizonte
Belo Horizonte, Brazil
lindenberg@gmail.com
Abstract This paper presents the process by means of which
the Secretariat of Finance of the State Minas Gerais intends to
get an ISO 27001 certification of the Electronic Invoice
authorization. In 2007, the Secretariat of Finance of Minas
Gerais started the project of Electronic Invoice - NF-e, which
involves replacing the conventional invoice, on paper, by a
document issued and stored electronically that exists only
digitally. The purpose of the Electronic Invoice is documenting
the movement of goods occurring between the seller and the
buyer, which is subject to State taxes. The legal validity of the
Electronic Invoice is guaranteed by the issuer's digital signature
and by the reception of the data by Secretariat of Finance of
Minas Gerais before of the movement of the goods . The
information technology architecture of the Electronic Invoice
authorization process of the Secretariat of Finance of the State of
Minas Gerais is intended to ensure three basic objectives: 1)
availability;2) scalability and 3) elimination of single point of
failure. So, the Secretariat of Finance of the State Minas Gerais
concluded that the ISO 27001 certification of the information
technology production environment, undergoing evaluation by
external entities, namely, certification bodies, would demonstrate
explicitly the commitment of the State of Minas Gerais with the
general public and entrepreneurs who are based in the Minas
Gerais and with those who intend establish themselves in the
State of Minas Gerais in near future. This work presents some of
the difficulties faced by the Secretariat of Finance of the State
Minas Gerais during the preparation for the ISO 27001
certification, which is a major step to ensure the security
requirements of information assets that are critical to the
business. To the best of our knowledge this is the first ISO 27001
certification process of the Electronic Invoice authorization in
Brazil, and the first ISO 27001 certification process in the
executive branch of the direct administration in Brazil, in all
three levels of government.
Keywords ISO/IEC 27001;Information security;Electronic
invoice
Silvana Maria da Silva Constante, Alessandro
Mrcio de Moraes Zebral, Rogrio Zupo Braga,
Helenice Alvarenga, Soraya Naffah Ferreira
Department of Information Technology
Secretariat of Finance of the State of Minas Gerais
Belo Horizonte, Brazil
{silvana.constante,alessandro.zebral, rogerio.zupo,
helenice.alvarenga, soraya.naffah}@fazenda.mg.gov.br
I. INTRODUCTION
Asserting that information is an essential resource for the
modern organizations, whether public or private, is almost a
truism. In fact, nobody living in 21st century can deny the role
of information on everyday activities. Its importance is even
greater for organizations dealing with finance, such as banks,
insurance companies and Secretariats of Finance or
Departments of Treasury.
In recent years, with the arrival of the Internet and
electronic transactions, the risks related to information security
have increased exponentially. In fact, the Information Security
Breaches Survey 2013, carried out during the conference
Infosecurity Europe, whose results were analyzed by Price
Waterhouse Consulting, commissioned by the Department for
Business Innovation and Skills from British government, states
that the average cost of a security breach during the year of
2012, among the large organizations surveyed (i.e, those with
250 employees or more), ranged from 450,000 to 850,000
British pounds, with many incidents resulting in losses of more
than 1,000,000 de British pounds. According to the same
report, in total, the cost to UK plc of security breaches is of
the order of billions of pounds per annum - its roughly tripled
over the last year.[1]
That is why, among other reasons, the Secretariat of
Finance of the State of Minas Gerais SEF/MG decided to
pursue a security certification for the scope of its electronic
invoice (NF-e, for its acronym in Portuguese) authorization
system, in the production environment. The electronic invoice
(NF-e) system, which is part of the Public Digital Accounting
System (SPED, for its acronym in Portuguese), is extremely
important for the SEF/MG, as well as for all the state-level tax
authorities in Brazil and also for Secretariat of the Federal
Revenue. This system is critical, too, for companies based in
the State of Minas Gerais, since it can affect its
competitiveness.
 II. ELECTRONIC INVOICE
The electronic invoice system (NF-e) intends to replace
almost all hard-copy invoices issued in business-to-business
transactions in Brazil with electronic documents whose
existence is solely digital. These electronic documents must
adhere to a format in XML approved by the Permanent
Technical Commission of the National Finance Policy Council
(COTEPE/CONFAZ, for its acronym in Portuguese), and must
be digitally signed. The use of electronic invoices brings huge
benefits for the taxpayers, as well as for the tax authorities and
to society in general, providing greater agility for businesses
and improving the capacity of fighting tax evasion. In fact,
using an electronic invoice makes easier to accomplish
integrated and coordinated tax oversight actions involving
authorities from different government levels. It simplifies, also,
the data exchange between those authorities and allows the
cross-checking of information provided by taxpayers. From a
society's perspective, the use of electronic invoices reduces the
paper consumption and the cost of commercial transactions. It
creates, also, new opportunities for businesses that intend to
develop invoicing software.
It is worth to mention that electronic invoicing in Brazil has
strict regulations for taxpayers, but also for the government. In
fact, the electronic invoice (NF-e) must be received and
validated by tax authorities before any transaction occurs. If
the transaction isnt authorized by the government, the
transportation and/or the delivery of the goods is illegal and
can result in sanctions. For this reason, the authorization of
Brazilian electronic invoice (NF-e) has challenging service
levels, such as availability 24 hours a day, 365 days a year.
Besides, the invoices received must be processed in up to 3
minutes in, at least, 95% of the total of the volume received in
the period of 24 hours. In the State of Minas Gerais, this
volume may reach over 1.000.000 electronic invoices (NF-e) to
be processed during a regular day and more than 900.000
electronic invoices (NF-e) authorized, since some of them
arent approved. This poses many demands in processing and
storing an enormous amount of data, without sacrificing the
availability and the response times required. An eventual
unavailability or poor performance in the authorization of
electronic invoice (NF-e) can compromise the capacity of
doing business of many companies based in Minas Gerais,
particularly of those that rely in production strategies like just
in time. In other words, any problem with the electronic
invoice (NF-e) authorization system of the State of Minas
Gerais can harm beyond the governments revenue, impacting
the economy and even leading to reduction of the gross
domestic product (GDP) of this State (about 9% of Brazilian
GDP).
III. INFORMATION SECURITY AND SECURITY
CERTIFICATION
According to the NIST [2], information security is the
protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification,
or destruction in order to provide confidentiality, integrity, and
availability.
Stallings [3] defines confidentiality as the property which
ensures that the information in a computer system and
transmitted information are accessible only for reading by
authorized parties. The same author explains that integrity is
the property which ensures that only authorized parties are
able to modify computer system assets and transmitted
information. He explains further that availability is the
property which requires that computer system assets be
available to authorized parties when needed.
Quoting Arnason and Willet [4], ISO 27001: 2005,
Information Security Management Systems Requirements,
provides, as stated by its name, requirements for an
Information Security Management Systems ISMS and
describes a process on achieving such. This standard has its
origins connected to the British standard BS 7799 Part 2. The
ISO 27001 is part of a family of standards, known as the ISO
27000 family, which contains other important standards, such
as ISO 27002 (whose origin is related to BS 7799 Part 1), a
Code of Practice for Information Security that contains 12
chapters addressing security controls. This standard provides
knowledge about security controls to protect information, but
doesnt explain how to apply these controls. On the other hand,
ISO 27001 provides direction on how to establish a
management system that helps to select controls and to
establish good practices to apply the security controls[4]. The
ISO 27001 standard proposes a four-phase approach to
establishing the ISMS, namely, the Plan-Do-Check-Act
(PDCA) cycle. In this cycle, the Plan phase (establishing the
ISMS) consists of the definition of the information security
policy and of the procedures related to risk management, as
well as the establishment of the ISMS objectives. The Do
phase comprises the implementation of the ISMS, making
effective use of the policy, controls, processes and procedures.
The execution of the Check phase
requires the assessment and measure, if applicable, of the
performances of the processes, comparing them against the
policy. Therefore, this phase requires the permanent
monitoring and review of the ISMS. Finally, the Act phase
consists in carrying out corrective and preventive actions
related to ISMS, as result of internal audit and management
review. It intends to provide continuous improving of the
ISMS.
So, the certification process requires the definition of an
information security policy; the definition of the scope of the
ISMS; performing a risk analysis for the scope of ISMS; the
decision about how to manage the risks identified; selecting the
objectives and controls to be implemented, as expressed in a
Statement of Applicability. After this, the controls selected
must be implemented and it is possible to undertake a
certification.
IV. SECURITY CERTIFICATION IN THE SECRETARIAT OF
FINANCE OF THE STATE OF MINAS GERAIS
Secretariat of Finance of the State of Minas Gerais
SEF/MG hired a consulting firm in 2005 for the purpose of
assessing information security issues. This firm was also
responsible for recommending remedies for the detected flaws
and for supporting the implementation of measures intended to
reduce risks. As a part of this work, a risk analysis of the assets
of SEF namely, people, processes, equipments and software,
especially for those equipments and for software installed in
SEF Data Center - was executed. After that, SEF/MG decided
how to manage the risks identified (i.e., accept some of them
and mitigate the others) and how to fix them.
As a consequence of this work, SEF/MG officially defined
and implemented an Information Security Policy in December
2006. At same time, an information security educational
campaign was carried out among the workforce of SEF/MG.
At this point, however, an information security management
system was not defined. This was done in 2007, but not with
the goal of attaining a security certification.
In 2009, however, taking account of the importance of the
process of authorization of electronic invoices (NF-e) to the
State of Minas Gerais, it was decided to implement the
information security management system within the scope of
the electronic invoices authorization system, in the production
environment. Thereafter, the information security management
system was defined on this scope, but this time with the
purpose of getting the security certification.
A risk analysis was performed in the scope defined for
certification, and decisions were made to address the risks
identified. Some objectives and controls were selected from the
ISO 27002 to be implemented. Of course, controls from other
sources beyond the ISO 27002 could have been selected to be
implemented, but SEF/MG considered it more appropriate to
implement only the controls described in the standard
mentioned above. However, there are controls in ISO 27002
that were not applicable to the scope of the certification in SEF.
A statement of applicability (SoA) was prepared to record the
decisions made about what controls should be implemented.
V. DIFFICULTIES EXPERIENCED
Unfortunately, it was not possible to finish the process of
certification by the end of 2009 or in early 2010, as planned. At
that time, it was not possible to hire a company that would
make the external audit required in the process of certification,
because of some difficulties related to the procurement process.
In fact, this company was hired only in 2012. It is worth to
mention, however, that the members of workforce involved in
the scope of certification didnt have enough maturity in 2009
to implement all applicable controls. So, even if the audit firm
had been hired, the certification would probably not be
achieved then.
In early 2012, after the procurement of the company
responsible for external auditing in the process of certification,
it was necessary to arrange the hiring of a consulting firm to
monitor the certification process, which only occurred in late
2012. Because the work started in 2009 had not been
completed, the same company that had begun the work
(monitoring and supporting the certification process) then was
hired.
As result of this delay, the documentation built in 2009
became outdated. In addition, there were major changes to the
scope of certification, including the teams that performed
activities in this scope. The statement of applicability also had
to be modified. Successive changes in scope more than 30 in
all - have resulted in rework.
Even the SEFs information security team who participated
in the work carried out in 2009 have changed. The new team
members of SEFs information security sector had no contact
with the consulting team that started the job. Even the
consulting team experienced many changes. This problem was
compounded by the fact that not all decisions made in 2009
were sufficiently documented.
In addition, the new members of the information security
team have not been trained in the risk management tool used
by SEF and learned to use it in practice, which consumed more
time than would be desirable.
Another problem that plague many processes of
certification and with SEF/MG was by no means different - is
the difficulty in assigning higher priority to activities related to
information security, even with the blessing of the board of the
company. Typically, professionals working in the scope of
certification spend too much time ensuring the functioning of
the infrastructure of information systems, leaving little time to
focus on the process of certification. Thus, changes in the
scope of certification processes, which should be reported
promptly to the security team, take time to be communicated,
which slows the update of the corresponding documents. In
most organizations - and SEF/MG is an example - it is
understood that information security is a responsibility of a
sector and not, as would be correct, of all employees. Change
this picture requires relentless work. It is already possible to
see positive changes in the behavior of the group of employees
of SEF due to past efforts.
VI. POSITIVE ASPECTS
Professionals who are part of the scope are more aware of
information security risks and are more concerned about
adopting and following processes in their activities.
As a result of the implementation of a formal process for
changes, modifications in the production environment of
electronic invoice authorization system are being carried out in
a more organized and professional manner, which contributes
to the stability of that system.
The involvement of the audit sector of SEF in the
certification process will bring benefits to other audit
procedures related to information technology.
VII. CURRENT STATUS
As a result of an internal audit conducted by the consulting
firm hired, with the participation of the audit sector of the
SEF/MG, some non-conformities were identified. As a
consequence, the top management became more involved in
the process of certification, trying to address the problems
identified during the auditing.
In July 1st, a new Information Security Policy was
approved by the Governance Body. The new Policy was a
result of a six months revision work. It contains many
necessary changes to the certification process.
 Weekly meetings are being held to track the progress of the
solution of pending issues identified in the internal audit. A
new internal audit will be held in late July 2013. The team
involved in this audit will be composed of two auditors from
audit sector of SEF trained in late June 2013 as Lead Auditors
for ISO 27001.
The external pre-audit for certification is scheduled for the
end of September 2013. The external audit shall be scheduled
within 90 days of the pre-audit.
VIII. CONCLUSION
Getting a security certification in a public organization
involves additional challenges related to the procurement of
services and the need to meet legal regulations.
It is important to review the information security policy
periodically. The SEF has not reviewed its information security
policy for over six years, which was harmful. From now on, it
will be reviewed every 18 months.
It is important to pursue the certification process, without
interrupting it, if possible. During interruptions the
documentation can become outdated. Moreover, there may be
changes in the team and in the remainder of the scope,
resulting in much rework.
Even when and if the SEF get its certification in
information security, this will not be the end of the process, but
just its beginning. In fact, new audits will be performed in the
scope of certification every 6 or 12 months, during the period
of the validity of the certification, which is 3 years. In
addition, many changes will occur in scope in the next months,
such as the moving to a new data center and the deployment of
new ITIL processes using a Service Desk tool.
REFERENCES
[1] Department for Business, Innovation and Skills, Information Security
Breaches Survey 2013. London. 2013. p. 2.
[2] R. Kissel (editor), Glossary of Key Information Security Terms, 2nd rev.
Gaithersburg:National Institute of Standards and Technology. 2013.
p.94.
[3] W. Stallings, Cryptography and Network Security: Principles and
Practice, 5th ed. Prentice Hall: Boston. 2011. pp. 10-11.
[4] S.T. Arnason and K.D. Willet, How to Achieve 27001 Certification: An
Example of Applied Compliance Management. Boca Raton:
Auerbach.2007. pp. 9-18.