When organisations are faced with choosing from a series of seemingly similar products, the choice often comes down to vendor preference or the lowest price. But not all products are created equal. Security products that have been built without a structured development and testing methodology often cause more security and maintenance problems than they solve. The false sense of security they can provide has time and time again led unwary customers into more vulnerable situations than they would have been in without the product. Another common complaint is that security product vendors promise the world while delivering something significantly less.
Striving to use products that have completed formal product evaluation - in the form of Orange Book, Common Criteria for IT Security Evaluation (Common Criteria), IT Security Evaluation Criteria (ITSEC) or ICSA certification - is a significant step in the right direction. But just because a product has been independently evaluated does not mean the protection it provides is appropriate for a specific situation. The selection process should also consider whether the product is 'fit for purpose' and how it integrates into the overall security architecture. For best results, this process is often integrated into the countermeasure selection phase of a risk assessment.
High Ground's Experience
We have been working in the areas of product evaluation and product selection for government for over ten years. We do not represent any vendors, so we can provide completely independent research and assessment of your IT product and solution needs.
Copyright © 2005 High Ground Security Ltd.