Reader ROI
See why more companies are seeking security seals of approval
Understand what value you can and can’t place on them
Learn how to cover all of your security bases

Security is the biggest concern for anyone engaged in e-business, no doubt about it. However, it’s no longer a matter of whether companies have security (if they don’t, they won’t be in business long) but just how effective that security is.

This concern for security quality has spawned a rapidly growing industry for third-party certification. Hundreds of companies, including brick-and-mortar types such as the Miller Brewing Co., financial services companies like Mellon Shareholder Services, and even ASPs such as Digital Insights, are bringing in accounting organizations and security vendors to audit their security posture. The goal is to win a "Good Housekeeping" type of security seal that tells a company’s partners they can have confidence doing e-business with it. But is this reassurance more valuable as a marketing tool, or is it a true benchmark of a company’s security stance?

Companies that have been through the certification process say it works. Take the case of New York City-based PartMiner and its e-marketplace, the Free Trade Zone, which went live last year. Before it did, CTO Mark Schenecker assembled a focus group to determine how folks on both sides of the electronics components supply chain felt about security. He got an earful. "Your website promises that you won’t share our data," the group’s participants told him. "We trust you personally, but how do we know you’re really taking all the right steps to keep our information out of the wrong hands?"

So Schenecker brought in the Big Five accounting firm Ernst & Young to evaluate PartMiner’s security practices. After combing through the company’s firewalls, intrusion-detection technology, hosting center, physical plant, internal procedures and other systems, Ernst & Young bestowed its seal of approval on PartMiner, which the company displays prominently on its website. PartMiner pays Ernst & Young five figures each quarter to continue that testing and monitoring.

Schenecker insists his company has gotten value for its money. "Our market is a very tight community," he says. "The level of trust has increased, and we believe this has translated directly into the level of transactions performed on the site."

Who Tests the Testers?

The security community is split as to the real value of certification. Sure, it works well as part of an advertising campaign, but what does certification really prove?

Security certification vendors like TruSecure in Reston, Va., and Axent Technologies in Cupertino, Calif., insist that people can trust any company that is awarded their seals, because it means they’ve passed rigorous testing against all threats. But that’s exactly the problem. A seal suggests absolute security, but nothing is 100 percent secure. While there may be complete protection against known threats, enterprising hackers are constantly coming up with new methods of attack. Meanwhile, there are no universally recognized standards for testing an organization’s security. Nor is there any universally accepted body that will approve or oversee those who do the testing. No one is even in the process of formulating specific testing standards. So, unless you’re an expert yourself, it’s tough to ferret out the fly-by-night opportunists looking to make a buck. And if you are an expert, why would you need any of these guys in the first place?

That being said, it would be a mistake to label certification a waste of time and money. After all, if you’re investing the resources, you are at least demonstrating that you have security on your radar screen and that you are taking it seriously.

"We know our [certification] has been successful based on the amount of inquiry from potential business partners and new customers about the nature of certification," says Mike Lapelosa, director of internal audits for Group Health Inc. (GHI), a New York City-based health-care network. "And we see a lot of organizations beginning to use the same process."

A typical certification is much like a physical exam. Just as a good doctor will do more than simply ask you to open up and say "aah," the good security examiner performs every conceivable test. Lapelosa went through this when he and his colleagues hired TruSecure to test GHI’s information security two years ago. At the time, the health-care network was just beginning to assert its Internet presence and needed to maximize doctor and hospital access while guaranteeing the patients’ right to privacy. TruSecure, a security solutions company formerly known as ICSA.net, began with an onsite evaluation of every aspect of GHI’s security practices. Consultants reviewed all written policies and procedures, interviewed programmers and computer staff to ascertain their level of technical expertise, and studied GHI’s Web infrastructure to spot areas where hackers might break in undetected.

TruSecure also conducted a vulnerability analysis in which it actually tried to break in to the network from the outside, and it examined GHI’s backup and disaster-recovery procedures in case the network went down. TruSecure eventually gave GHI its seal of approval, which the company now sports on its website. Lapelosa says the process took "two weeks from soup to nuts," with TruSecure workers onsite working full time with both him and GHI’s IT staff.

The company continues to scan GHI’s network for vulnerabilities on a quarterly basis, and once a year it comes in to do a follow-up of all its reviews. If GHI fails to implement its recommendations, it can lose its seal. That’s something TruSecure has not yet done with any of its clients, though a spokesman said that at least once a month someone will fall into a "danger zone" where they are given up to 30 days to fix a security hole before the seal is revoked.

Lapelosa wouldn’t reveal how much money was spent on GHI’s certification, but TruSecure CEO Adam Joseph says the process typically costs around $90,000 per site. "It obviously varies with the size of the company," he says.

Lapelosa says the process has given his company the assurance that it has the proper approach to security, which, with the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) looming on the horizon, has become even more important for players in the health-care industry. The seal also gives people confidence in the GHI brand, he adds.

Meanwhile, experts agree that for a CIO, certification can be a useful way to cover your behind. "It validates what you say you’ve done," says Charlie Johnson, vice president of business development and sales at Symantec Security Services, the consulting arm of Axent Technologies. "If the company is spending the money for security services and equipment, you want someone to come in and say the money you’ve spent made sense and provided the level of security you thought you had."

Terry Milholland, CIO and CTO of EDS, the Texas-based computer services giant, agrees. "[Certification] lets you tell your senior management and board of directors that you’re practicing good security hygiene," he says. "Of course," he adds, "that isn’t to say you don’t have exposures, because anyone who says otherwise is a fool."

An additional benefit is relative peace of mind. If your vendor or Big Five company conducts ongoing monitoring, you’ll know that your security practices are relatively up-to-date. Like Milholland, Johnson points out that nobody can guarantee 100 percent security. You still have to maintain whatever security would be expected of a company in your shoes. "[The certification process] gives you a warm fuzzy feeling that you’ve done everything a reasonable person would expect you to do," he says.

Finally, you shouldn’t underestimate the significance of a company’s willingness to stake its reputation on its assessment of your security, says John Alsop, president and CEO of Borderware Technologies, a Toronto-based firewall vendor. "That’s the real value," he says.

As happy as certified companies may be, certification has obvious limitations. Critics like John Thomas would say that the seal in and of itself does nothing more than influence naive customers and business partners. "Those of us who know the business realize that there are no absolutes when it comes to security," says Thomas, president of Vienna, Va.-based Titan Vigil, a company that performs security monitoring for commercial and government organizations. "If someone came to me and said, ‘Please do business with me because I’ve got X, Y and Z’s approval,’ I’d chuckle to myself before laying right into them."

Just When You Think You’re Secure...

The very act of stamping a seal on your website can be risky. It’s a lot like the old Eveready commercials, where actor Robert Conrad would put an alkaline battery on his shoulder and dare you to knock it off. The minute you start bragging about how secure you are, hackers will line up to try to prove you wrong. In fact, many in the hacker community actually believe they’re doing a public service by exposing insecurities, says Thomas. "They’re very cynical people," he says. "As soon as someone comes along and says, ‘Do business with me because I’m secure,’ I can promise you some hacker will get in and plant some kind of logic bomb."

Meanwhile, how can you be so sure the tests proved anything in the first place? While there may be recognized standards for testing the security of a product, there’s no commonly accepted methodology for testing the security of an organization. Standards are important for any kind of security testing, says Ron Ross, director of the National Information Assurance Partnership in Gaithersburg, Md., a government group that validates lab testing of IT products. "I’m not saying a seal has no value, but if everyone is doing something different, it’s hard to compare what kind of service you’re really getting," he says.

Plus, not every evaluator will necessarily be on the up-and-up. There are plenty of reputable vendors out there, but there are also a lot of guys who see that this is a hot area and hang up a shingle, hoping to get some action. "You especially see this in areas where security is becoming federally mandated, [like banking and health care]," says Rob Dodson, director of business development at Symantec Security Services central region. "People with no medical background are all of a sudden becoming HIPAA experts. And people with no incident-response background are jumping all over the FDIC incident-response requirements."

Perhaps the biggest concern of all is the fact that when you’re certified, it reflects a mere snapshot in time. Basically, it tells people that according to a particular testing methodology, you were secure as of 10:24 a.m. last Tuesday, the last time you were monitored. The problem is, that doesn’t guarantee that you were secure at 10:25 a.m. That’s a major reason why Thomas takes these seals with many grains of salt. "A lot of people think it’s like the UL [Underwriters Laboratory] stamps they see on their TVs," he says. "But their TVs don’t change a lot from when they bought them."

Johnson takes the timing metaphor a step further. It’s like checking a guy before he walks into a bar to see if he’s been drinking, he says. "Four hours later, he’s blind drunk, but he stumbles into a cop and hands him a piece of paper saying he’s fine."

Red Flags and Best Practices

If you do decide to have your security certified, there are steps you can take to maximize the value of the process. First, choose the right vendor. Like anything else, it’s a combination of name recognition, references, reputation and experience. You want someone you can trust, because you’re giving that company the most intimate access possible. Schenecker felt most comfortable with Ernst & Young. Lapelosa went with TruSecure because he wanted a company that dedicates 100 percent of its business to security assessments.

Johnson recommends having two companies certify you. That’s one way of dealing with the lack of standards, and it also gives you an extra layer of confidence, he says. "It’s important. Because if you’re not secure, you’ll be on the front of The Wall Street Journal explaining why your stock shouldn’t drop down to $10."

When it comes to doing business with a company that already boasts a seal on its site, don’t take that as the only thing you need to know. Meet with the people handling its security and ask intelligent questions. Better yet, have your own third-party expert look into its processes and technology. "Look at how it was assessed," says Thomas. "Look at things like ongoing monitoring. Check to see if the security officer is principal to the CIO or four echelons below."

If the CIO has sole responsibility for security, with no input from the CFO or in-house auditor, that’s a big red flag, says Thomas. "I love CIOs," he says. "I was the CIO of many organizations when I was in the military. But I know the stresses CIOs come up against. And if the CFO isn’t engaged in the information security business of the company, I’d question whether there aren’t some holes in the sieve."

Make sure your partner adheres to the same standards you do. For example, credit card behemoth Visa USA has come out with a list of requirements that member banks, merchants and third-party service providers will eventually have to satisfy (see "Visa USA’s Security Requirements," at left). These requirements already apply to ISPs and gateways, and Visa insists on the right to have its chosen security experts conduct onsite reviews and Web server monitoring. "With the Internet, there’s all sorts of new ways to obtain customer information," says John Shaughnessy, Visa USA’s senior vice president of risk management. "It’s no longer the old dumpster-diving type thing. It’s almost like electronic dumpster-diving, and we need to make sure we’re up to speed as an industry."

What it comes down to is that, where security is concerned, there’s no such thing as complete trust. Thomas, for one, is an advocate of any process that improves security but believes that putting faith solely in seals is a mug’s game. "I’d encourage anyone to go through the process of having his security reviewed," he says. "But don’t think for a minute that the endgame is to have the process performed and then you walk away."