Following our tradition of analyzing security documents that could apply to cloud computing, in this post it is the turn of the Jericho Forum(R) "Self-Assessment Scheme" (PDF). We find this scheme interesting because it applies a rating system, in this case with two levels.
This scheme is applicable for evaluating how well a system meets the Jericho Forum's eleven commandments through a self-assessment carried out by the system provider itself, without validation by any third party (unlike the leet security methodology, which requires validation by the rating agency).
But, conceptually, we apply rating levels in the same way:
- Providers could use it to answer RFPs and show the security level they implement.
- Customers could evaluate the needs for every product, depending on their requirements.
And we both also agree on the way rating levels are assigned:
- To achieve level n, all the criteria for level n-1 must also be met.
- To achieve level n, that level must be achieved for all the security measures evaluated.
The major difference is the number of levels: while this scheme has three levels (unacceptable - acceptable - good), the leet security system has five (besides, our system also considers different security dimensions: confidentiality, integrity, and availability).
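As an added example (not from the post, nor from the Jericho Forum or leet security documents), the two assignment rules above expressed as a small rating calculator. The measure names and the assessment values are constructed, and the level counts are just parameters so the same logic works for the three-level and the five-level scheme.

```python
from typing import Mapping

# Constructed labels: level 0 is the failing state, levels 1..max are passing.
JERICHO_LABELS = {0: "unacceptable", 1: "acceptable", 2: "good"}  # three states
LEET_MAX_LEVEL = 5  # five rating levels, labels not modelled here

def measure_level(met: Mapping[int, bool], max_level: int) -> int:
    """Highest level reached by one security measure.

    Rule 1: to achieve level n, the criteria for level n-1 must also be met,
    so levels are cumulative and a gap stops the count at the gap.
    """
    level = 0
    for n in range(1, max_level + 1):
        if not met.get(n, False):
            break
        level = n
    return level

def overall_level(assessment: Mapping[str, Mapping[int, bool]], max_level: int) -> int:
    """Rule 2: the system's level is the lowest level achieved by any measure.

    An empty assessment rates 0, since no measure has been evaluated.
    """
    if not assessment:
        return 0
    return min(measure_level(m, max_level) for m in assessment.values())

# Constructed self-assessment (hypothetical measures and answers), Jericho-style:
# two measures reach "good", one only reaches "acceptable", so the whole system
# is rated "acceptable" (level 1).
SAMPLE_ASSESSMENT = {
    "access control":        {1: True, 2: True},
    "encryption in transit": {1: True, 2: False},
    "audit logging":         {1: True, 2: True},
}

if __name__ == "__main__":
    level = overall_level(SAMPLE_ASSESSMENT, max_level=2)
    print(f"overall level {level}: {JERICHO_LABELS[level]}")
```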
In summary, the scheme shows that self-assessment and rating levels are useful mechanisms for getting better information when evaluating the security of ICT products and services.
You can follow us on twitter.com/leet_security