Finding the right security products to protect an organisation’s computer systems is often a difficult, time-consuming task. With so many offerings on the market, how does an organisation know which product best meets its needs and delivers on its claims?
One way companies can accomplish this more easily – and save time and resources – is to rely on third parties to provide independent product assurance as part of the request-for-proposal (RFP) process.
ICSA Labs, a testing and certification organisation, offers enterprises and government agencies the following six tips on how using products certified by a third party can help during the product-selection process:
1. Reduce Your Due Diligence Burden: Carefully document product-selection requirements and then formally compare them with either published testing results or certification requirements from a third-party assurance program. Requiring potential products to be tested or externally certified significantly reduces time spent analysing products.
2. Rely on Independent Third-Party Assurance: Several entities – including independent testing and certification labs, government assurance programs, trade magazines, analyst firms and commercial labs – offer varying levels of product assurance. Independent testing and certification labs offer a cost-effective choice. Additionally, the best third-party test labs strive to be unbiased and vendor- and product-neutral.
3. Choose Wisely: Not all testing organisations are the same. Pay close attention to the organisation’s public criteria (testing/certification criteria should be publicly available); relevance (how much overlap exists between the third party’s published criteria and the enterprise’s business requirements); and frequency (how often testing is done and at what intervals). Also, ensure that the testing organisation relies on a scientific, repeatable testing methodology.
4. Require Completeness: Choose a third-party organisation that requires its certified products to pass all – not just some – of its tests and verifies that fixes are incorporated into the product. Product assurance testing should not be a static, once-and-done process. Rather, look for ongoing testing.
5. Ask Questions: A third-party testing organisation should incorporate a product-evaluation program that helps decision makers determine which products to purchase and deploy. Be sure to ask specific questions about the evaluation program and how it works.
6. Demand Proven Quality: Choose an accredited third-party organisation. In choosing a lab, look for one that has earned ISO/IEC 17025 accreditation, which assesses a laboratory’s management and technical capabilities, including the operational effectiveness of its quality management system, processes and procedures.
“Third-party assurance and independent due diligence should be a critical component of the enterprise-product selection process,” said George Japak, Managing Director, ICSA Labs, an independent division of Verizon Business. “Business and government customers can gain significant advantages by leveraging independent third-party testing results to balance skills, time and budget with product needs. Third-party testing is an excellent supplement to an overall product-selection process and in the long run can save an enterprise a lot of time, resources and headaches.”