Forwarded From: David Kennedy CISSP <dmkennedyat_private>

-----BEGIN PGP SIGNED MESSAGE-----

At 07:36 PM 4/28/98 -0400, Vin McLellan wrote:

<<header snipped>>

>         I think the cynicism is a little overdone in this case. The money
> is a real issue. Beyond that, it is also true that the vendors define a
> standard they can make -- not necessarily the best one, or the one which
> will best or most effectively protect the corporate or government user.

Hi Vin!

You almost got it right, but missed on some important details. ICSA (nee NCSA) sets the standards for our certifications. For products, we discuss them with the consortium members and want to reach consensus, but when push comes to shove, we set the standards.

In this particular consortium, Biometrics, we had help from an independent industry consultant in Europe, our own Mich Kabay, who has a PhD in Applied Statistics--Zoology followed by almost 20 years now in the IT and IS fields, and you'll recall our president, Peter Tippet, also has an M.D. We sought input from two other groups: the technical experts in the consortium member companies, and their corporate customers, some of which were two-digit Fortune companies. I'll add that these are just the sources I know about, and there are probably others that I am unaware of. My responsibilities do not include supporting this consortium, so I'm "talking out of school" a bit here.

I do not know if any part of our Biometric standard was forced on any or all of the member companies. I do know that in at least two of our other consortia we have imposed standards that we did not have consensus on. In one consortium, not Biometrics, every product failed our initial test and all had to be tweaked, patched or re-engineered before certification. We have revoked certification on at least one product, again, not biometrics, that had passed but was later found to be sub-standard.

We created our Certification Oversight Board last year with experts from the Information Security industry, outside of ICSA. As the board's title suggests, they provide oversight of our certification efforts and serve as another integrity check on the process. Members of the board include senior technical managers from Financial Services, Accounting, Cryptography and Hardware/Software corporations. This doesn't stop us from being accused of rubber-stamp or "drive-by" certifications, but we have confidence in our methods, the vendors must find value as they keep joining and coming back, and we'd like to think that the user community finds value too. The users are, after all, why we're doing this. Really. Sure we do it for money; we're a for-profit, but if the users don't find value, the vendors won't pay for the testing and we'll be at Kinko's making copies of our resumes. 8-)

>         On the other hand, the ICSA standards set by the other consortia
> have historically gotten higher and higher as the technology (and the
> certification process) evolves, raising the minimal technical standard.

<<snip>>

Correct. Two valuable sources of feedback on the certification criteria are our own testing and product buyers. All criteria are "living documents," that is, they are constantly under revision internally and are reviewed no less than semi-annually with the consortia members. Every time we've revised our criteria, at least some of the products have failed to meet the higher standard and their producer had to make adjustments before we'd pass them.

<<snip again>>

Comment on the para I snipped: As far as I know, there has been no government involvement in the Biometric consortium or our standards.

>         In short, this ICSA biometric certification is probably held to a
> higher standard than is typically the case with a wholly vendor-dominated
> ICSA certification group. It remains to be seen, however, how well ICSA
> (or the Biometric Consortium, for that matter) has or will address the
> multitude of unsettled privacy, security-design, and public policy issues
> that surround specific and/or widespread implementations of biometrics
> for either identification or authentication.

I agree. Time will tell.

A comment from our experience with more mature product certifications: good products installed or maintained badly perform badly. A well designed Biometric system badly implemented may well be vulnerable. We include installation and environmental criteria in all our certifications, but users ignoring good system hygiene put themselves at risk.

The criteria can be found by surfing here: http://www.icsa.net/services/consortia/cbdc/

We think we're on track and will listen to constructive criticism, but are not obliged to act on it.

SET ASBESTOS SHORTS = ON

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQCVAwUBNUog0PGfiIQsciJtAQHx+AP/csxF7BcpgNAV0d4a8/NvDGaNvoATA8Ka
ZJ8DhU9p+8A987ipuqqGvbXB6CEIr3Wzkx/wWA100os0nqDkB3Rq4vSuhd2IS1Tm
dEbAsTuhkflHj0DwddNjdXdLRHWdED34SBCz3mXJrIxd495j2Z1BYwThJF7aDCrU
tyyUjwUXwwg=
=kxkm
-----END PGP SIGNATURE-----

Dave Kennedy CISSP
International Computer Security Assoc
http://www.ncsa.com
Protect what you connect.
Look both ways before crossing the Net.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:52:24 PDT