Security accreditation on trial

The accreditation scheme – similar to the familiar kitemark – may allay fears over the increasing amount of spam that clogs email inboxes and malicious attacks against IT systems.

Accountancy Age’s sister publication, Computing, has been calling for such a programme for the past two years as part of its Trust campaign. The Cabinet Office’s central sponsor for information assurance (CSIA) group, which coordinates information security projects across government, will trial the ‘Claims Test Mark’ scheme before the end of the year.

‘What we are trying to replicate is the Ronseal test, where a product does exactly what it says on the tin,’ said Harvey Mattinson, head of accreditation at the CSIA.

The accreditation scheme will primarily be focused on helping government departments, agencies and local authorities select information security products such as anti-virus software, firewalls and disk encryption.

‘The accreditation process will take weeks, rather than months or years,’ CSIA director Dr Stephen Marsh said.

‘With certain products and services, you need to have this kind of pace, as threats can change so rapidly.’ Vendor products submitted for review will be measured for security, integrity and ease of use, with the CSIA hoping to measure against BS and ISO 7799 standards in the future.

The CSIA-led General Information Assurance Products and Services Initiative will run the scheme and hopes it will provide private sector businesses with a way of gauging the quality of the product they are buying.

The CSIA is working with the United Kingdom Accreditation Service and CESG, the GCHQ-run national technical authority for information assurance, to establish a number of independent test centres and assessment criteria.

‘In principle this is a good idea, as it gives people standards they can understand and suppliers something they can strive towards,’ said Beatrice Rogers, head of private sector at IT industry body Intellect. ‘But the government needs to make it clear what accreditation means.’

‘With the ABTA stamp, consumers know if an airline collapses they’re likely to be protected. Likewise, the government needs to make clear what accreditation means for both the client and the vendor adopting it,’ she said.

Just last month, an Ernst & Young survey highlighted concerns about the level of awareness about information security among businesses across the globe.

Nearly three-quarters of the 1,200 organisations questioned failed to list training and raising employee awareness of information security issues as a top priority.

One in three respondents that had outsourced their IT operations said that they had not conducted a regular check on their IT providers to monitor compliance with information security policies.
