Sunday, September 7, 2008

Certification & Accreditation - Does it really work?

Certification & Accreditation (C&A) is a well-known myth that organizations use to prove they are certified and accredited. Does this really certify that the organization is secure and that there will be no data breach? DataLossDB lists numerous data loss incidents and offers users many options for searching them. It all depends on the process the C&A group uses to certify a company. If C&A personnel carry a checklist with questions such as "Does the company have rogue access points?", and then simply look around or ask the local manager such questions, the results may never reflect reality. Is the company NOT going to keep itself clean when it knows it will be audited this week or next?

The best solution would be to perform vulnerability analysis without prior notice to the organization. That would really show the company how secure it actually is and whether it truly deserves a C&A. Though this is not practical in real life, we really wish it would happen soon. Some organizations around the world already do this, and they have been protecting themselves against real attackers. A real attacker would never give prior notice before an attack, and neither should the good guys if they are to truly certify an organization.

- EF

