I have expressed the view below in the past and have received a great deal of
ridicule for it. However, I'll present it again.
Health care organizations are periodically subjected to audits by the JCAHO (Joint
Commission on Accreditation of Health care Organizations). This is a body that has
developed (in conjunction with the medical community) baseline standards of
operation and procedure. If a hospital fails a Joint Commission audit (and also
fails to correct those deficiencies within the prescribed time allowed), the
facility may risk being shut down.
Since the competition between security companies is now intense, it is unlikely
that any company could objectively administer such a program. (For example, we
could hardly trust Microsoft to manage such an enterprise). So, instead, I believe
that an independent organization should be established that has baseline
guidelines for security personnel. Any corporation claiming to be capable of
securing a network should submit to a yearly audit from this organization. The
results of such an audit should then be made publicly available on the Internet.
In this way, quality assurance (and particularly continuing quality assurance)
would ultimately prevail in the industry.
The obvious problem is this: who should establish and run such an organization?
(Fees are NOT the issue, because security companies would bear the cost of their
certification and audit. That seems a small price to pay, even if it were several
thousand dollars a year.) However, there are other problems. One is the question
of whether such a "seal of approval" blocks access to the market for those who
fail to request an audit. That is, there are some antitrust issues regarding the
value of that seal of approval in the eyes of the general public. If the public
comes to rely upon the seal, the auditing organization may effectively (though
unwittingly) block non-clients from engaging in interstate commerce. Therefore, such
an organization would have to request limited immunity from antitrust statutes in
this regard. (The railroads, for example, petitioned for such limited immunity at
one stage. Also, many peer review bodies have protection from antitrust statutes
unless it can be clearly shown that their indirect barring of the victim from the
market occurred as a result of a conspiracy or other malicious actions.)
However, it seems clear that network security has become sufficiently important
(and will continue to) that such an organization ought to exist. The obvious way
to perform the actual audits would be to use "blind" peer reviewers. That is, the
reviewers wouldn't know the identity of the company being audited and, equally, the
peer reviewer's identity would not be publicly revealed. This is also done in many
medical peer review situations where these are done on a large scale. This is to
guard against situations where competitors in a given field and/or geographic
area adversely review their competitors. (This is done often in PRO reviews
of Medicare providers.)
Lastly, such an audit would not focus on the actual security of any given network.
Instead, it would focus on the security knowledge of staffs actively providing
security services to the public, corporate, and other sectors. Therefore, the
audit is a test of their knowledge, which could be administered by a third-party
organization. This test data would then be forwarded to the review body and
assigned randomly to any number of reviewers qualified to assess the test data.
Unless some program like this is established, things will get more grim. Such a
system would freeze unscrupulous or dubious "security consultants" and teams in
their tracks. And, since the Net is going to be used more and more for EDI, EC,
on-line banking, and other commerce-related activities, the need will only grow.
Lastly, and perhaps most importantly, after several years of operation, such an
organization could effectively answer many commonly-asked questions in security
that have not been adequately addressed in any book or even on-line papers.
Example: security policy.
Such a system, I think, would engender much more confidence in claims of
"certification," which is good for all of us.
Yet another .02.