Forwarded From: David Kennedy CISSP <dmkennedy@csi.com>
-----BEGIN PGP SIGNED MESSAGE-----
At 07:36 PM 4/28/98 -0400, Vin McLellan wrote: <<header snipped>>
> I think the cynicism is a little overdone in this case. The money
>is a real issue. Beyond that, it is also true that the vendors define a
>standard they can make -- not necessarily the best one, or the one which
>will best or most effectively protect the corporate or government user.
Hi Vin!
You almost got it right, but missed on some important details. ICSA
(née NCSA) sets the standards for our certifications. For products,
we discuss them with the consortium members and want to reach
consensus, but when push comes to shove, we set the standards. In
this particular consortium, Biometrics, we had help from an independent
industry consultant in Europe, our own Mich Kabay who has a PhD in
Applied Statistics--Zoology followed by almost 20 years now in the IT
and IS fields, and you'll recall our president, Peter Tippet also has
an M.D. We sought input from two other groups, the technical experts
in the consortium member companies, and their corporate customers,
some of which were two-digit Fortune companies. I'll add that these
are just the sources I know about and there are probably others that I
am unaware of. My responsibilities do not include supporting this
consortium so I'm "talking out of school" a bit here.
I do not know if any part of our Biometric standard was forced on any
or all of the member companies. I do know that in at least two of our
other consortia we have imposed standards that we did not have
consensus on. In one consortium, not Biometrics, every product failed
our initial test and all had to be tweaked, patched or re-engineered
before certification. We have revoked certification on at least one
product, again, not biometrics, that had passed but was later found to
be sub-standard.
We created our Certification Oversight Board last year with experts
from the Information Security industry, outside of ICSA. As the
board's title suggests, they provide oversight of our certification
efforts and serve as another integrity check on the process. Members
of the board include senior technical managers from Financial
Services, Accounting, Cryptography and Hardware/Software corporations.
This doesn't stop us from being accused of rubber-stamp or "drive-by"
certifications, but we have confidence in our methods, the vendors
must find value as they keep joining and coming back, and we'd like to
think that the user community finds value too. The users are, after
all, why we're doing this. Really. Sure we do it for money; we're a
for-profit, but if the users don't find value, the vendors won't pay
for the testing and we'll be at Kinko's making copies of our resumes.
8-)
>
> On the other hand, the ICSA standards set by the other consortia
>have historically gotten higher and higher as the technology (and the
>certification process) evolves, raising the minimal technical
>standard.
<<snip>>
Correct. Two valuable sources of feedback on the certification
criteria are our own testing and from product buyers. All criteria
are "living documents," that is, they are constantly under revision
internally and are reviewed no less than semi-annually with the
consortia members. Every time we've revised our criteria at least
some of the products have failed to meet the higher standard and their
producer had to make adjustments before we'd pass them.
<<snip again>>
Comment on the para I snipped: As far as I know, there has been no
government involvement in the Biometric consortium or our standards.
> In short, this ICSA biometric certification is probably held to a
>higher standard than is typically the case with a wholly vendor-dominated
>ICSA certification group. It remains to be seen, however, how well ICSA
>(or the Biometric Consortium, for that matter) has or will address the
>multitude of unsettled privacy, security-design, and public policy issues
>that surround specific and/or widespread implementations of biometrics
>for either identification or authentication.
I agree. Time will tell. A comment from our experience with more
mature product certifications: good products installed or maintained
badly perform badly. A well designed Biometric system badly
implemented may well be vulnerable. We include installation and
environmental criteria in all our certifications, but users ignoring
good system hygiene put themselves at risk.
The criteria can be found from surfing here:
http://www.icsa.net/services/consortia/cbdc/
We think we're on track and will listen to constructive criticism, but
are not obliged to act on it.
SET ASBESTOS SHORTS = ON
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
-----END PGP SIGNATURE-----
Dave Kennedy CISSP
International Computer Security Assoc http://www.ncsa.com
Protect what you connect.
Look both ways before crossing the Net.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon May 4 11:26:36 1998