Accounting for Security

An evaluated product meets the needs of the highest-security customers, such as the U.S. Department of Defense, whose parameters for product requirements, known as National Security Telecommunications Information Systems Security Policy (NSTISSP) No. 11, include an ISO 15408 evaluation. The evaluated Red Hat Enterprise Linux complies with all of the requirements outlined in NSTISSP No. 11, strengthening Linux’s ability to reach into the government sector.

Patch Management

Organizations should be convinced that the vendor has an aggressive plan to handle problems that may arise, and the vendor should have a strictly followed incident response policy for determining the severity level of a security vulnerability.

Subsequently, the vendor should build and issue a patch before announcing a security alert. Information distributed randomly to a handful of customers will exacerbate rather than calm the situation. All customers should receive the same level of notice, because all customers have sensitive or critical business information they want to protect.

Although these questions add a step to the product evaluation process, they raise the bar on security. If the industry fails to follow these guidelines, it risks government agencies regulating the process.

Laws governing the way the healthcare and financial industries guard their data have already been instituted. If the rest of the market responsibly polices itself, such regulations will not be necessary.

“IT” now stands for “infrastructure technology,” and needs to be as robust, secure, and reliable as physical infrastructure. We never worry about bridges failing, nor should we worry about critical IT systems going down because of design defects.

Adhering to these guidelines and choosing more robust, secure software is a sound business move that will cut costs and improve business in the short and near term.

Mary Ann Davidson is Oracle Corp.’s chief security officer.