A government kitemark scheme to validate the claims made by suppliers of IT security products and services has been welcomed by experts, but users have been warned that it does not mean they can be complacent about security.
As reported in Computer Weekly last week, the Claims Tested Mark, from the Cabinet Office's Central Sponsor for Information Assurance, is designed to give businesses and public sector organisations assurances that equipment meets basic security standards.
The scheme is the first to offer a seal of approval to lower-cost equipment that is unsuitable for the testing processes run by the government's Computer Electronic Security Group.
However, security experts warned that organisations cannot rely on the kitemark alone and will need to ensure support and service levels are also high-quality.
"One of the things we are keen to encourage is that people do not think the problem is solved just because they have bought equipment," said security consultant Neil Barrett.
"You need to know you are buying quality support as well as a quality appliance. If you think about a high-end intrusion protection system, the support is critical through the tuning phase and for onward maintenance," he said.
The kitemark scheme will only assess quality of service and support if suppliers make specific claims about them, the Central Sponsor for Information Assurance said, putting the onus on buyers to make sure the support they receive is suitable.
The scheme was welcomed by Howard Schmidt, a US government adviser on security, who said it went further than the US government's National Information Assurance Programme (NIAP), which was only suitable for high-end security equipment.
"One of the major issues with NIAP is that it is very expensive to go through. If there is a way to maintain the quality, reduce the cost and make it available to smaller businesses, that is wonderful," he said.
Under the Claims Tested Mark scheme suppliers pay between £10,000 and £20,000 to have their equipment and services tested by an accredited laboratory.
"It allows a basic level of assurance for NHS, local authorities and criminal justice, where they do not have support from other accreditation schemes, either because they are too expensive or too time-consuming," a spokesman for the Central Sponsor for Information Assurance said.
The Information Assurance Advisory Council (IAAC), a security forum for businesses and government, said the scheme was an "excellent idea". But it said it would need careful promotion, if firms were to reap the benefits.
"The question is whether the average small to medium-sized business will know what the kitemark is and what its value is," said Neil Robinson, research co-ordinator at the IAAC.
What is the Claims Tested Mark?
The Claims Tested Mark scheme aims to provide a quick and efficient method of testing information assurance products and services for use within the public domain. Run by the Cabinet Office's Central Sponsor for Information Assurance, the scheme should give confidence to purchasers that the supplier's security claims have been tested.