Letter to the editor
Following are responses to an FCW.com poll question that asked:
"Should security services vendors be certified before they can sell to the
Presently, there are no universal standards for certification of security
service products, as you have the Federal Information Processing Standards,
Common Criteria and International Organization for Standardization standards
for which security products must be certified.
Until there are agreed-upon standards that companies can use to certify
their products at reasonable prices and in reasonable timeframes, I vote
no as it would, in my view, stifle security product development tailored
toward government threats and vulnerabilities.
Computer software and hardware should absolutely be required to be certified.
My fear is that the U.S. government will create a massive, time-consuming,
Byzantine review process when there are plenty of respectable third-party
review processes already in effect for most security-related products, such
as TruSecure Corp.'s certification described in a CIO magazine article,
"Stamps of Approval."
Computer Associates Inc.