Security group preps IT shops to ask vendors 'nasty questions'

The Jericho Forum, which advocates improving e-commerce security through knowledge that network perimeters are fading, says organizations need to ask themselves and their vendors tougher questions.

To assist, the 60-member forum Monday issued its "Self Assessment Scheme".

"We took our best practices and turned them into generic examples," says Paul Simmonds, CISO at pharmaceutical firm AstraZeneca, a Jericho Forum member.

The self-assessment, though touted as a "set of nasty questions to ask your security vendors," is more a set of strong security preferences and attributes that vendors would have to acknowledge whether their products support.

For example, according to Jericho Forum's principle No. 4, "Devices and applications must communicate using open, secure protocols."

Under the assessment guideline, a vendor product must first earn a baseline "acceptable" rating by being able to claim a positive response to several statements posed as a question, such as whether the protocols are "built-in" or "added-on," and whether they’re "appropriate to the task." If the product gets that far, it has a chance to earn a higher "Good [Best Practices] rating by passing a review that asks whether there are "cost implications (licensing, royalty, or other) for using any of the protocols," among other questions.

The Jericho Forum, operated under the aegis of the Open Group, was founded in 2004 mainly by large international companies that were finding their online efforts hampered more than helped by traditional firewalls and so sought to draw attention to the need for innovations in security approaches.

The goal of the Self Assessment Scheme is to "expose shortcomings in the features" that vendors "may be claiming their offerings provide," the Jericho Forum states, adding vendors may want to review it to be able to provide responses to customers.