Security software companies embrace standards

Three companies that make Internet security software announced March 20 they have submitted their products for certification against user-established standards and benchmarks for security readiness at the operational level.


BindView Corp. of Houston, NetIQ of San Jose, Calif., and Symantec Corp. of Cuppertino, Calif., said at the FOSE 2002 trade show that their Internet security software will be tested by the Center for Internet Security of Bethesda, Md.


BindView has initiated the CIS certification process for its enterprise security solution, NetIQ for its security analyzer and security manager products, and Symantec for its enterprise security manager tools, the companies said. The testing will take place at Virginia Tech in Blacksburg, Va.


Although government and private-sector organizations ordinarily have their own internal practices and requirements for testing and configuring hardware and software, there is a lack of consensus among organizations about the configuration settings, said Clint Kreitner, CIS' president and chief executive officer.


The certification initiative will help development of a global consensus on what constitutes best practices, he said. The initiative also will provide a quantitative analysis by scoring products.


"We're certifying that their software accurately reports the presence or absence of every single setting in our benchmark," Kreitner said.


Internet security software examines operating systems for settings and tries to identify vulnerabilities. The certified tools will help end users define and achieve measurable goals for improvement in their information security practices. They will create a new framework for accountability for use by governing bodies, auditors, security managers, security professionals systems administrators, consultants and software vendors, according to the companies.


"The creation of these standards is good for industry and good for the public, in general," said Scott Blake, BindView's vice president for information security.


The Center for Internet Security is a nonprofit enterprise of 180 large and small user organizations, security professionals and auditors. The three companies involved are CIS members and helped develop the benchmarks.