Jericho Forum: Self-assessment guide

Date: Apr 02, 2010

In part one of this interview, Jericho Forum board members Bob West and Paul Simmonds discuss the new self-assessment guide that the forum recently released, including how the guide can help enterprises keep security vendors in check by asking the right 'nasty' questions.

Watch part two: The Jericho Forum on cloud computing

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact   

Eric Parizo: Hi I'm Eric Parizo. It's great to have you with us. We're
here with Bob West and Paul Simmonds, both members of the Jericho Forum
Board of Management. Gentlemen, thank you so much for being with us today.

Bob West: Thank you.

Paul Simmonds: Thank you.

Eric Parizo: For those who may not be familiar with the Jericho Forum, tell us a
little bit about the organization and its mission.

Bob West: So the Jericho Forum was formed - at least the idea was created in
2003 - and as background, most organizations at the time were thinking that computer
networks had very defined borders, and it was very easy to protect the
infrastructure within them. The reality is that most organizations well
before then had not only employees who needed to access computing assets,
but contractors, consultants, business partners, potentially competitors
and there's a lot of technical infrastructure, if you think of firewall
rules, that create a lot of holes and let a lot of traffic into computing

So the Jericho Forum's basic mission is to educate not only corporate
organizations, but vendors; to say, "As this environment changes, you need
to look at things differently, and take a look at what information you have
and protect information more discreetly. And in particular start looking at
where are my crown jewels? Protect those, and then start moving away to
other applications."

Paul Simmonds: Absolutely. I think the key thing Jericho Forum did was to raise the
whole issue of deperimeterization, the disappearing perimeter. So not only
coining the term, but really raising the issue. And that's what we've been
doing since 2004 when it was formed.

Eric Parizo: Now, as of mid-March 2010, Jericho Forum is launching a new self
assessment scheme. What is that? Tell us about it.

Paul Simmonds: So how do you separate vendor A from vendor B from vendor C? That's
when we came up with the concept of what we're calling the Jericho Forum
Self Assessment Guide. It's based on the eleven commandments, and it's the
nasty questions that you need to ask your vendors. And it really is as
simple as that. Again, there's no technology in there, it's all about the
fundamentals of the questions you should be asking, and therefore it works
at all sorts of levels. It works at an individual application, a piece of
software. It works at an appliance, or a server, or a cloud computing
environment, or an entire SAP environment. You can use it at all those
various levels, because there isn't technology in here, it's just about

Eric Parizo: Can you give us a real-world scenario in which the scheme can be

Paul Simmonds: Actually, I'll give you three very quickly. We think its primary
usage is going to be in three different scenarios. One is that a vendor who
thinks they have got a world-beating product, can take this from a totally
independent organization, because Jericho is part of the Open Group, so the
open credentials are there and proven. They can take this, they can do their
self assessment, there are only 11 sections within it - very simple to do,
we reckon it takes about an hour to complete so it's not arduous - and they
fill in their self assessment summary which is on the back page.

This is the self assessment, and that's the self assessment summary. They
would fill it in, and as part of the sales call, they would walk in and we
would say, "Here is our Jericho Forum self assessment. If your other
vendors that we're competing against, and we don't know who they are,
haven't filled this in, then we'd urge you to do it because we think we're
the best, and we'd like you to compare apples with apples, and this is a
good way to do it." So that's the first way that it can happen.

The second way is actually the IT manager, or if they've got a security
manager, actually takes this and says, "As part of my RFI," or RFQ, or RFP,
or whatever process they're going through with their vendors, "we would
like you to complete this." And it's a standalone package, you can just
give it to them, and you just mandate it as part of your buying process.
And a variant of that is that actually, because everything that Jericho
does is open-source, this is licensed under creative commons, you can take
this, and you can actually go through it as an end user and say, "Actually
the things that are important to me are this bit, this bit, and this bit."
And you can just lift them out, and put them directly, cut-and-paste, into
your request book or proposal document. So, ultimately we don't care, as
long as it's used.

And then the third way we think that this can be used is that actually you
can take this against your internal systems that you're already running,
and you can self assess how good, actually, are our systems configured, are
we running them? Do we understand them properly? Are we documenting them
properly? One of the sections in here is about, are we running open and
secure protocols? Very simple question. So I've got this big system that's
doing whatever it does. Do I actually know what protocols it's using? Let
alone are they secure?

So in terms of maturity of your organization and how you run your systems,
this is a really good starting point for how mature is my run organization
within my business? My service management organization?

Eric Parizo: All right, let's take a step back for a minute. You touched on the
eleven commandments. Tell us about those, and about the other key elements
that make up the scheme.

Paul Simmonds: It was a challenge we set our members, as the board, to say, "Can we
actually get to a series of motherhood and apple pie statements that
encapsulate each of the key areas we're talking about, and are actually
really truly important from a security point of view, when you're trying to
architect the deperimeterization?" So this is what you should consider. And
the original challenge was to get it down to ten, for obvious reasons. And
the name stuck. We got it down to eleven, which slightly annoys me. As a
result, we got it down to eleven, and the name of commandments stuck, and
it's a bit of a play on words, but it does function as that.

And the nice thing for me is, I look back and in six - we did them in...
trying to remember... 2005, 2004 or 5 we did them - they've stood the test
of time. We haven't had to revise them. No one has come back and said,
"Actually, this isn't relevant any more." And again, freely available. I
know one really large international organization who does support for over
2,000 companies, they have it - it's two sheets of paper, the commandments,
two sides of paper - they have them laminated in the cube of every one of
their developers. It's creative commons. Go and download it. It's there. You can download it as a PDF.
