[ISN] Re: <fyi> Me among the Kids re ICSA BioCertification

From: mea culpa (jerichoat_private)
Date: Sat May 02 1998 - 13:37:48 PDT

  • Next message: mea culpa: "[ISN] IDS Papers/Info"

    Forwarded From: David Kennedy CISSP <dmkennedyat_private>
    At 07:36 PM 4/28/98 -0400, Vin McLellan wrote:  <<header snipped> > 
    > I think the cynicism is a little overdone in this case.  The money 
    >is a real issue. Beyond that, it is also true that the vendors define a
    >standard they can make -- not necessarily the best one, or the one which
    >will best or most effectively protect the corporate or government user.
    Hi Vin! 
    You almost got it right, but missed on some important details.  ICSA
    (nee-NCSA) sets the standards for our certifications.  For products,
    we discuss them with the consortium members and want to reach
    consensus, but when push comes to shove, we set the standards.  In
    this particular consortium, Biometrics, we had help from a independent
    industry consultant in Europe, our own Mich Kabay who has a PhD in
    Applied Statistics--Zoology followed by almost 20 years now in the IT
    and IS fields, and you'll recall our president, Peter Tippet also has
    an M.D.  We sought input from two other groups, the technical experts
    in the consortium member companies, and their corporate customers,
    some of which were two-digit Fortune companies.  I'll add that these
    are just the sources I know about and there are probably others that I
    am unaware of.  My responsbilities do not include supporting this
    consortium so I'm "talking out of school" a bit here.
    I do not know if any part of our Biometric standard was forced on any
    or all of the member companies.  I do know that in at least two of our
    other consortia we have imposed standards that we did not have
    consensus on.  One consortium, not Biometrics, every product failed
    our initial test and all had to be tweaked, patched or re-engineerd
    before certification.  We have revoked certification on at least one
    product, again, not biometics, that had passed but was later found to
    be sub-standard.
    We created our Certification Oversight Board last year with experts
    from the Information Security industry, outside of ICSA.  As the
    board's title suggests, they provide oversight of our certification
    efforts and serve as another integrity check on the process.  Members
    of the board include senior technical managers from Financial
    Services, Accounting, Cryptography and Hardware/Software corporations.
    This doesn't stop us from being accused of rubber-stamp or "drive-by"
    certifications, but we have confidence in our methods, the vendors
    must find value as they keep joining and coming back, and we'd like to
    think that the user community finds value too.  The users are, after
    all, why we're doing this.  Really.  Sure we do it for money; we're a
    for-profit, but if the users don't find value, the vendors won't pay
    for the testing and we'll be at Kinko's making copies of our resumes.
    >	On the other hand, the ICSA standards set by the other consorita
    >have historically gotten higher and higher as the technology (and the
    >certification process) evolves, raising the minimal technical
    Correct.  Two valuable sources of feedback on the certification
    criteria are our own testing and from product buyers.  All criteria
    are "living documents," that is, they are constantly under revision
    internally and are reviewed no less than semi-annually with the
    consortia members.  Every time we've revised our criteria at least
    some of the products have failed to meet the higher standard and their
    producer had to make adjustments before we'd pass them.
    <<snip again>>
    Comment on the para I snipped: As far as I know, there has been no
    government involvement in the Biometric consortium or our standards.
    > In short, this ICSA biometric certification is probably held ot a
    >higher standard than is typically the case with a wholly vendor-dominated
    >ICSA certification group.  It remains to be seen, however, how well ICSA
    >(or the Biometric Consortium, for that matter) has or will address the
    >multitude of unsettled privacy, security-design, and public policy issues
    >that surround specific and/or widespread implementations of biometrics
    >for either identification or authentication.  
    I agree.  Time will tell.  A comment from our experience with more
    mature product certifications: good products installed or maintained
    badly perform badly.  A well designed Biometric system badly
    implemented may well be vulnerable.  We include installation and
    environmental criteria in our all certifications, but users ignoring
    good system hygiene put themselves at risk.
    The criteria can be found from sufing here: 
    We think we're on track and will listen to constructive criticism, but
    are not obliged to act on it.
    Version: PGP for Personal Privacy 5.5.3
    -----END PGP SIGNATURE-----
    Dave Kennedy CISSP
    International Computer Security Assoc http://www.ncsa.com
    Protect what you connect.
    Look both ways before crossing the Net.
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:52:24 PDT