Testing Services

Goals:

The goal of ICSA Labs certification testing is to provide enterprises and government organizations with increasingly secure products and solutions. The result of ICSA Labs security testing and certification is improved conditions for conducting Internet commerce.  Certification, once attained following testing, raises overall confidence in computing while decreasing the susceptibility of all to vulnerabilities and attacks. 

While ICSA Labs security certification doen not eliminate all risk or ensure perfect security it does significantly reduce an organization's risk.  With its appropriate sets of evolving security criteria requirements and testing methodologies that are applicable internationally, ICSA Labs security testing provides assurance that is sorely needed in times when so much of what we do online is at risk.

Criteria:

ICSA Labs security certification testing criteria documents are public, objective, credible and internationally vetted, yielding a pass-fail result from testing. Security certification criteria requirements are aimed at minimizing malicious threats and risks. Testing against these criteria requirements for the various security technology areas in which ICSA Labs tests reflects a "black-box" style approach to testing.

Each criteria is simply stated and understandable.  Meeting the criteria is possible with current technology and average "know-how" so that the certified security product may be truly effective within enterprises and government organizations. Most importantly, the criteria is applicable to - and appropriate for the majority of similar products and is also applicable, useful to and appropriate for the majority of those individuals who might rely on certification for assurance to better understand, trust or judge a product.

A continuous process of updating criteria is the cornerstone of ICSA Labs Certification. To address constantly evolving threats, ICSA Labs Certification includes frequent iterative updates. This effectively "raises the bar" to drive evolutionary and progressive reduction of risk over time.

The digital world moves far too quickly to certify only a particular version of a product. Therefore, ICSA Labs Certification criteria and processes are designed so that once a product is certified, all future versions of the product (as applicable) are inherently certified. This is normally accomplished by three means.

First, ICSA Labs gains a contractual commitment from the product vendor, agreeing that the product will be maintained at the current or better, published ICSA Labs Certification standards. ICSA Labs expects that the organization's own quality assurance programs will incorporate current ICSA Labs Certification criteria as a part of their continuous product development processes. This means that a significant part of the ICSA Labs Certification process involves self-checking by the organization whose product is certified.

Secondly, ICSA Labs or its authorized agents perform random assessments of the current product against current ICSA Labs criteria for that certification category. If a product fails an assessment, the responsible party is given a short time (typically 2 to 4 weeks) to rectify the problem(s). If the shipping product still does not meet current certification criteria by the end of this grace period, then ICSA Labs Certification is explicitly and publicly revoked.

Thirdly, ICSA Labs Certification is renewed annually. The full certification process is repeated at least once per year for the current shipping product against the current criteria.

Collectively, these steps assure that ICSA Labs Certification is relatively independent of product updates and version changes and that a user can trust that the current version of the product meets the current ICSA Labs Certification criteria.

Input:

To develop and evolve appropriate and meaningful certification criteria, ICSA Labs uses a "notice of proposed certification criteria" system. ICSA Labs queries numerous specialists and organizations, potentially including affected vendors, developers, and users; the security expert community, the non-vendor specialists and experts, the Fortune-500 and vertical user consortia, unrelated or minimally related vendor consortia, academia, and other consumer and industry groups. A draft proposed criteria is then circulated within the appropriate people and groups before making the criteria final and publicly posted.

Testing:

Certification testing is performed either by skilled ICSA Labs security analysts or by third-party lab analysts trained and authorized by ICSA Labs for this purpose.

As a design goal, testing is automated where possible, and is checklist oriented where not automated. The test procedures are reproducible, objective and not open to interpretation whatsoever.

The testing personnel or authorized labs must have access to the product's associated help-desk and or development personnel to resolve questions that may arise. And there is an escalation procedure to resolve any potential conflicts or judgment questions.

ICSA Labs Dynamic Certification Framework:

The entire certification process is built upon and managed according to "ICSA Labs Dynamic Certification Framework." The framework-defined process begins with a complete analysis of the risks surrounding the product for which certification is contemplated.

Next, risks that are exceedingly rare, merely theoretical, and of trivial impact are discarded and a set of "controls" or "safeguards" which might mitigate the remaining real, prevalent and costly risks are created. These are analyzed to bring-out those items with the least impact, lowest cost, those which utilize only current and widely available technologies, and to derive the fewest possible controls which can mitigate the great majority of the risk.

Next the controls are converted into practical, attainable, now-oriented trial certification criteria, which are "vetted" through vendor groups, end-user groups, and the public at large (“Stakeholders”).  ICSA Labs begins performing certifications against the final criteria, which always have built-in, scheduled, iterative updates to account for the continuing pace of technological change as well as the rapidly changing risk landscape.

Finally, after a sufficient number of certifications have been performed to make measurement meaningful, ICSA Labs attempts to develop metrics to validate the actual risk-reduction attained through the certification process. These studies always shed new light on current impediments, which invariably leads to major update of the criteria, new public vetting and continuation of the certification framework cycle.

Requirements of a Testing & Certification Organization:

Accomplishing these goals requires ICSA Labs to be independent, credible, technically adept, fair, rapid responding, with a broad user-focused representation, and possess a motivation to benefit society.

Motivation:

The fundamental motivation for a product to be certified is to reduce both real and perceived risk. Users gain reassurance that the product meets industry-accepted standards and that the organization has taken due care, having addressed security issues, at least to the minimum level. Therefore, certification serves to reassure customers and other users.

Certification also decreases liability in the inevitable event of a security breach or failure. It allows the organization with a certified product to point to a recognized standard of care and show that they meet or exceed that standard. Certification makes insurance possible where it was not before, or makes it less expensive.

Other motivations for a company to have its product certified derive from commercial, market and competitive forces. A vendor will seek product certification partly because competitive products are certified.

The most important motive for certification is that certification will improve safety and security in computing, which adds confidence to computing and will inevitably lead to more constructive and pervasive use of computing and of the very products which are certified.