TrustMark: Putting a Seal on Security Practices (
Page 1 of 2 )
CompTIA's new TrustMark security accreditation aims to provide solution providers with a marketing differentiator. It's a good idea, but is it ready for prime time?There's an old saying in information security: "Security is a process,
not a product." In other words, it's more about what you do than the
equipment and technology that you use to protect IT infrastructure and digital
assets.
If security is about the process, how do you—as a solution
provider—demonstrate your competency and value to an end-user customer? Sure,
there are plenty of security certifications for individuals to demonstrate
technical competencies: the GIAC (Global Information Assurance Certification)
and the GIAC Security Expert, the MCSE (Microsoft Certified Systems Engineer),
the CCSP (Cisco Certified Security Professional), and, of course, the
granddaddy gold standard of them all, the CISSP—Certified Information Systems
Security Professional.
Yet these are just individual certifications. Until now, nothing existed to
show that a solution provider—as a business—has security competency and to reflect
its value to end users. CompTIA (Computing Technology Industry Association), the
industry trade association and accreditation body, the week of Oct. 20 took the
wraps off its new security accreditation, TrustMark.
CompTIA Security TrustMark is unique in that it represents that an
accredited solution provider follows security best practices for its own
infrastructure and organization, reflecting the level of guidance and service
it will provide to customers. It's a simple idea: If I keep a clean house, I
will help keep your house clean, too.
It's also unique that it's a self-selecting accreditation, meaning that
solution providers that apply must answer more than 130 questions in 11
security domains about their practices. Applicants are quizzed on everything
from business continuity planning to personnel security to data protection to
regulatory and standards compliance to data protection.
The TrustMark designers built a two-tier process for ensuring reasonable
accuracy of the self-guided applications process. First, applicants must take
an initial assessment. If they fail that first step, CompTIA will recommend
against completing the full accreditation questionnaire and provide rudimentary
guidance for improving internal security awareness.
While any self-selecting process can be gamed, CompTIA says it's taken great
pains to include validation questions in the application. That means the
answers to multiple, disparate questions must be in sync to achieve
accreditation. CompTIA is auditing random applications as added assurance that
only the right solution providers receive the TrustMark accreditation.
The accreditation fee is also a pretty good filter: $2,595 for non-CompTIA
members and $1,695 for member organizations. A steep price tag has a way of discouraging
the tire-kickers from the serious professionals.
Commentary 
