Analysis of Jericho Forum Self-assessment Scheme

Following our tradition of analyzing security documents that could apply to cloud computing, in this post it is the turn of the Jericho Forum(R) "Self-Assessment Scheme" (PDF). We find this scheme interesting because it applies a rating system, in this case with two levels.

This scheme is applicable for evaluating how well a system meets the Jericho Forum's eleven commandments through a self-assessment carried out by the system provider itself, without validation by any third party (unlike the leet security methodology, which requires validation by the rating agency).

But, conceptually, both apply the same approach to using rating levels:

  • Providers could use it to answer RFPs and show the security level they implement.
  • Customers could evaluate their needs for every product, depending on their requirements.

And both also agree on the way rating levels are assigned:

  • To achieve level n, all the criteria for level n-1 must also be met.
  • To achieve level n, that level must be achieved for all the security measures evaluated.

The major difference is the number of levels: while this scheme has three levels (unacceptable - acceptable - good), the leet security system has five (and our system also considers different security dimensions: confidentiality, integrity, and availability).

In summary, the scheme shows how self-assessment and rating levels are useful mechanisms for obtaining better information when evaluating the security of ICT products and services.