
Risk
1/7/2010 01:51 PM
Dark Reading
Products and Releases

ICSA: How To Save Time And Resources When Selecting Security Products In 2010

Six tips on how using products certified by a third party can help during the product-selection process

MECHANICSBURG, Pa., Jan. 6 /PRNewswire/ -- Finding the right security products to protect an organization's computer systems is often a difficult, time-consuming task. With so many offerings on the market, how does an organization know which product best meets its needs and delivers on its claims?

One way companies can accomplish this more easily - and save time and resources - is to rely on third parties to provide independent product assurance as part of the request-for-proposal (RFP) process.

ICSA Labs, one of the most trusted testing and certification organizations in the world, offers enterprises and government agencies the following six tips on how using products certified by a third party can help during the product-selection process:

1. Reduce Your Due Diligence Burden: Carefully document product-selection requirements and then formally compare them with either published testing results or certification requirements from a third-party assurance program. Requiring potential products to be tested or externally certified significantly reduces time spent analyzing products.

2. Rely on Independent Third-Party Assurance: Several entities - including independent testing and certification labs, government assurance programs, trade magazines, analyst firms and commercial labs - offer varying levels of product assurance. Independent testing and certification labs offer a cost-effective choice. Additionally, the best third-party test labs strive to be unbiased and vendor- and product-neutral.

3. Choose Wisely: Not all testing organizations are the same. Pay close attention to the organization's public criteria (testing/certification criteria should be publicly available); relevance (how much overlap exists between the third party's published criteria and the enterprise's business requirements); and frequency (how often testing is done and at what intervals). Also, ensure that the testing organization relies on a scientific, repeatable testing methodology.

4. Require Completeness: Choose a third-party organization that requires its certified products to pass all - not just some - of its tests and verifies that fixes are incorporated into the product. Product assurance testing should not be a static, once-and-done process. Rather, look for ongoing testing.

5. Ask Questions: A third-party testing organization should incorporate a product-evaluation program that helps decision makers determine which products to purchase and deploy. Be sure to ask specific questions about the evaluation program and how it works.

6. Demand Proven Quality: Choose an accredited third-party organization. In choosing a lab, look for one that has earned ISO/IEC 17025 accreditation, which assesses a laboratory's management and technical capabilities, including the operational effectiveness of its quality management system, processes and procedures.

"Third-party assurance and independent due diligence should be a critical component of the enterprise-product selection process," said George Japak, managing director, ICSA Labs, an independent division of Verizon Business. "Business and government customers can gain significant advantages by leveraging independent third-party testing results to balance skills, time and budget with product needs. Third-party testing is an excellent supplement to an overall product-selection process and in the long run can save an enterprise a lot of time, resources and headaches."

For sample language requiring the use of certified products in RFPs, or to ask specific questions about building this requirement into an RFP, visit the ICSA Labs blog at http://www.icsalabs.com/blog.

About ICSA Labs

ICSA Labs, an independent division of Verizon Business, offers vendor-neutral testing and certification of security products. Many of the world's top security vendors submit their products for testing and certification at ICSA Labs. Businesses rely on ICSA Labs to authoritatively set and apply objective testing and certification criteria for measuring product compliance and reliability. ICSA Labs was the first security-product testing organization to earn ISO/IEC 17025 accreditation, validating the laboratory's world-class capabilities. For more information about ICSA Labs, visit: http://www.icsalabs.com.

About Verizon Business

Verizon Business, a unit of Verizon Communications (NYSE: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the world's most connected IP networks to deliver award-winning communications, IT, information security and network solutions. We securely connect today's extended enterprises of widespread and mobile customers, partners, suppliers and employees -- enabling them to increase productivity and efficiency and help preserve the environment. Many of the world's largest businesses and governments -- including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions -- rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.
