TrustMark: Putting a Seal on Security Practices

There's an old saying in information security: "Security is a process, not a product." In other words, it's more about what you do than the equipment and technology that you use to protect IT infrastructure and digital assets. 

If security is about the process, how do you—as a solution provider—demonstrate your competency and value to an end-user customer? Sure, there are plenty of security certifications for individuals to demonstrate technical competencies: the GIAC (Global Information Assurance Certification) and the GIAC Security Expert, the MCSE (Microsoft Certified Systems Engineer), the CCSP (Cisco Certified Security Professional), and, of course, the granddaddy gold standard of them all, the CISSP—Certified Information Systems Security Professional.

Yet these are just individual certifications. Until now, nothing existed to show that a solution provider—as a business—has security competency and to reflect its value to end users. CompTIA (Computing Technology Industry Association), the industry trade association and accreditation body, the week of Oct. 20 took the wraps off its new security accreditation, TrustMark.

CompTIA Security TrustMark is unique in that it represents that an accredited solution provider follows security best practices for its own infrastructure and organization, reflecting the level of guidance and service it will provide to customers. It's a simple idea: If I keep a clean house, I will help keep your house clean, too.

It's also unique that it's a self-selecting accreditation, meaning that solution providers that apply must answer more than 130 questions in 11 security domains about their practices. Applicants are quizzed on everything from business continuity planning to personnel security to data protection to regulatory and standards compliance to data protection. 

The TrustMark designers built a two-tier process for ensuring reasonable accuracy of the self-guided applications process. First, applicants must take an initial assessment. If they fail that first step, CompTIA will recommend against completing the full accreditation questionnaire and provide rudimentary guidance for improving internal security awareness. 

While any self-selecting process can be gamed, CompTIA says it's taken great pains to include validation questions in the application. That means the answers to multiple, disparate questions must be in sync to achieve accreditation. CompTIA is auditing random applications as added assurance that only the right solution providers receive the TrustMark accreditation. 

The accreditation fee is also a pretty good filter: $2,595 for non-CompTIA members and $1,695 for member organizations. A steep price tag has a way of discouraging the tire-kickers from the serious professionals.