The goal of ICSA Labs Certification is to enhance and improve the security of network and Internet computing, and thereby to improve commercial security through the use of appropriate security products, services, policies, techniques, and procedures. Certification reinforces overall confidence in computing and drives stronger security measures while, at the same time, decreasing the intrusiveness of those measures in everyday life. Certification also promotes user acceptance of increased security while improving ease of use and the invisible, automatic, and seamless integration of security technology into everyday computing.
ICSA Labs' goal for certification is not to eliminate all risk or to attain perfection, but rather to achieve major risk reduction within certified products, services and solutions ("products"). With evolving criteria and methodologies that are internationally applicable and appropriate, ICSA Labs expects that qualified applicants, such as vendors seeking product certification, will eventually meet the certification criteria and will remain compliant thereafter.
ICSA Labs Certification criteria are public, objective, fair and credible criteria that yield a pass-fail result. To remain consistently results-oriented, the certification criteria are based on resistance to threats and risks, or on successful outcomes, and not on fundamental design or engineering principles or on an assessment of the underlying technology. In most cases this amounts to a "black-box approach": the product is judged by how it behaves under test, not by how it is built.
The criteria are simply stated and understandable, and they reduce problems to the most appropriate common-denominator threats and risks. Meeting the criteria is possible with current technology and average "know-how", so that a certified product can be truly effective within the community of end users. Most importantly, the criteria are applicable to, and appropriate for, the majority of similar products, and are also applicable, useful and appropriate for the majority of those individuals who rely on certification for assurance in order to better understand, trust or judge a product.
A continuous process of updating criteria is the cornerstone of ICSA Labs Certification. To address constantly evolving threats, ICSA Labs Certification includes frequent iterative updates. This effectively "raises the bar" to drive evolutionary and progressive reduction of risk over time.
The digital world moves far too quickly to certify only a particular version of a product. Therefore, ICSA Labs Certification criteria and processes are designed so that once a product is certified, all subsequent versions of the product (as applicable) remain certified. This is normally accomplished by three means.
First, ICSA Labs obtains a contractual commitment from the product vendor, agreeing that the product will be maintained at the current (or a later, stricter) published ICSA Labs Certification standard. ICSA Labs expects that the organization's own quality assurance programs will incorporate the current ICSA Labs Certification criteria as part of their continuous product development processes. This means that a significant part of the ICSA Labs Certification process involves self-checking by the organization whose product is certified.
Second, ICSA Labs or its authorized agents perform random assessments of the current shipping product against the current ICSA Labs criteria for that certification category. If a product fails an assessment, the responsible party is given a short time (typically 2 to 4 weeks) to rectify the problem(s). If the shipping product still does not meet the current certification criteria by the end of this grace period, the ICSA Labs Certification is explicitly and publicly revoked.
Third, ICSA Labs Certification is renewed annually. The full certification process is repeated at least once per year, testing the current shipping product against the current criteria.
Collectively, these steps ensure that ICSA Labs Certification is relatively independent of product updates and version changes, and that a user can trust that the current version of the product meets the current ICSA Labs Certification criteria.
To develop and evolve appropriate and meaningful certification criteria, ICSA Labs uses a "notice of proposed certification criteria" system. ICSA Labs queries numerous specialists and organizations, potentially including affected vendors, developers and users; the security expert community; non-vendor specialists and experts; Fortune 500 and vertical-market user consortia; unrelated or minimally related vendor consortia; academia; and other consumer and industry groups. The draft criteria are then circulated among the appropriate people and groups before being made final and publicly posted.
Certification testing is performed either by skilled ICSA Labs security analysts or by third-party lab analysts trained and authorized by ICSA Labs for this purpose.
As a design goal, testing is automated where possible and checklist-oriented where it is not. The test procedures are reproducible, objective and not open to interpretation.
The testing personnel or authorized labs must have access to the product's associated help-desk and/or development personnel to resolve questions that may arise. There is also an escalation procedure to resolve any potential conflicts or judgment questions.
The entire certification process is built upon and managed according to "ICSA Labs Dynamic Certification Framework." The framework-defined process begins with a complete analysis of the risks surrounding the product for which certification is contemplated.
Next, risks that are exceedingly rare, merely theoretical, or of trivial impact are discarded, and a set of "controls" or "safeguards" that might mitigate the remaining real, prevalent and costly risks is created. These are analyzed to bring out the items with the least impact on the product and the lowest cost, those that use only current and widely available technologies, and to derive the fewest possible controls that can mitigate the great majority of the risk.
Next, the controls are converted into practical, attainable, present-day trial certification criteria, which are "vetted" through vendor groups, end-user groups, and the public at large ("Stakeholders"). ICSA Labs then begins performing certifications against the final criteria, which always have built-in, scheduled, iterative updates to account for the continuing pace of technological change as well as the rapidly changing risk landscape.
Finally, after a sufficient number of certifications have been performed to make measurement meaningful, ICSA Labs attempts to develop metrics that validate the actual risk reduction attained through the certification process. These studies consistently shed new light on current impediments, which in turn leads to a major update of the criteria, new public vetting, and continuation of the certification framework cycle.
Accomplishing these goals requires ICSA Labs to be independent, credible, technically adept, fair and responsive, to have broad user-focused representation, and to be motivated to benefit society.
The fundamental motivation for having a product certified is to reduce both real and perceived risk. Users gain reassurance that the product meets industry-accepted standards and that the organization has exercised due care, having addressed security issues at least to the minimum level. Certification therefore serves to reassure customers and other users.
Certification also decreases liability in the event of a security breach or failure. It allows the organization with a certified product to point to a recognized standard of care and to show that it meets or exceeds that standard. Certification can make insurance available where it was not before, or make it less expensive.
Other motivations for a company to have its product certified derive from commercial, market and competitive forces. A vendor will seek product certification partly because competitive products are certified.
The most important motive for certification is that certification will improve safety and security in computing, which adds confidence to computing and will inevitably lead to more constructive and pervasive use of computing and of the very products which are certified.