Network Computing, News, 07/22/2003 3:00 AM

Certification Security Blanket

Instead of relying on a brief product demo or trial, check out the product's security certifications.
Not all product certifications are equal, however. Their usefulness depends on the purpose of the certification. You need to understand whether the testing was for functional or implementation purposes, the context of the test and the scope of the results. Most product certifications focus on functional testing--not a feature-by-feature comparison scoring one product over another. The functional tests determine whether a product meets the certification criteria.

The main certifications for security products are the Common Criteria, Federal Information Processing Standard 140-2 (FIPS-140-2) Security Requirements for Cryptographic Modules, and ICSA Labs. Security consultancy Neohapsis--and a Network Computing lab partner--sponsors the Open Security Evaluation Criteria (OSEC), which takes a community-peer-review approach to certification with input from vendors and users.

These certifications complement one another, but if you're a government agency or contractor, you should use the Common Criteria (CC) and FIPS-140-2 certifications.

Know Your Needs

To get the most out of certifications, you must know your organization's security requirements. These should be stated in a security policy or request for proposal. With such a document in hand, you can easily compare the certification's functionality tests against your needs. It also helps to understand the certification terminology. Common Criteria provides language for building a protection profile (PP), which states your requirements.
