So does ICSA certification mean simply that a company has met its own requirements? (As opposed to some set of objectively validated or ICSA-imposed requirements?)

DS
> Participants in our site certification program (TruSecure) are
> required to meet in excess of 200 criteria elements, covering such issues
> as physical security, business continuity, personnel management,
> network architecture, patches and updates, privacy, and sensitive
> information handling. Nearly all of the criteria elements are
> driven by the customer's security and operational policy-- which is
> derived from their business objectives and risk management approach.

[snip]

> In this context it _is_ possible for a customer to mandate (via their
> own policy) use of whatever levels of cryptography they view as being
> appropriate to their business model and customer requirements. For
> example, if a customer policy specifies 128-bit TLS,
> client-certificates, and token-based auth-- they will be validated at
> that level. And if validating the server's identity to the end-user,
> or no-hassle compatibility with zillions of consumers' bargain-club-PC
> 40-bit browsers is a goal-- a different policy might well result.

[snip]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:27 PDT