Tips for Getting Familiar with Your Security Products Provider

Asking these questions will help you vet your security products vendor.

7. Can the product maintain a provable root of trust?
Does the architecture define a root of trust that protects the firmware and software against manipulation or exfiltration of data by an adversary? Can physical control elements (e.g. sensors) rely on those trusted processes to preserve their own integrity?

Does the product precisely define how each of its components maintains a specified security state when it is interfaced with other systems?

Without a root of trust, a compromised device cannot be told apart from a healthy one, and it can be used as a staging point for attacks on other systems in the IT-connected environment.

Manufacturers of cyber-secure products can describe and define how their system establishes and proves its root of trust, how it keeps its functions and processes intact on that basis, and how it remains resilient under attack.
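To make "provable" concrete, here is an added example, not code from the article or from any vendor, that simulates a measured boot chain in Python. A root of trust hashes each stage before handing control to it and folds the hash into a TPM-style register that can only be extended, never overwritten; a verifier replays the event log and compares the result with a known-good value. The stage images, the stage names and the golden value are constructed for the example.

```python
import hashlib

PCR_SIZE = 32  # size of one register in a SHA-256 bank

# Constructed sample images standing in for the binaries a device loads
# in order. On real hardware these are the actual firmware blobs.
BOOT_ORDER = ["bootloader", "kernel", "app"]
KNOWN_GOOD_STAGES = {
    "bootloader": b"bootloader 2020.04 (constructed sample image)",
    "kernel": b"kernel 4.19 (constructed sample image)",
    "app": b"ipcam-app 3.0 (constructed sample image)",
}


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || digest).

    A PCR can only be extended, never written, so a later stage cannot
    erase an earlier measurement; altering or reordering any stage
    changes every value that follows it.
    """
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages, order=BOOT_ORDER):
    """Simulate the root of trust measuring each stage before it runs.

    Returns the final PCR value and the event log (stage name, digest)
    that a verifier later replays.
    """
    pcr = bytes(PCR_SIZE)  # PCRs are zero at reset
    event_log = []
    for name in order:
        digest = hashlib.sha256(stages[name]).digest()
        event_log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, event_log


def replay_log(event_log):
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


# Golden value for the known-good build. In practice it is computed at
# build time and held by the verifier, not by the device being checked.
GOLDEN_PCR, _ = measured_boot(KNOWN_GOOD_STAGES)
EXPECTED_LOG = [(n, hashlib.sha256(KNOWN_GOOD_STAGES[n]).digest())
                for n in BOOT_ORDER]


def attest(stages, order=BOOT_ORDER):
    """Return (ok, reason) for a device that booted the given stages.

    ok is True only when the event log reproduces the reported PCR and
    that PCR equals the golden value; otherwise the reason names the
    first stage that deviates from the known-good chain.
    """
    pcr, log = measured_boot(stages, order)
    if replay_log(log) != pcr:
        return False, "event log does not reproduce the reported PCR"
    if pcr == GOLDEN_PCR:
        return True, "boot chain matches the known-good build"
    for i, (got, want) in enumerate(zip(log, EXPECTED_LOG)):
        if got != want:
            return False, "stage %d (%s) deviates from the known-good build" % (i, got[0])
    return False, "boot chain has a different number of stages"


if __name__ == "__main__":
    print(attest(KNOWN_GOOD_STAGES))
    tampered = dict(KNOWN_GOOD_STAGES, kernel=b"kernel 4.19 (modified)")
    print(attest(tampered))
    print(attest(KNOWN_GOOD_STAGES, order=["kernel", "bootloader", "app"]))
```

The simulation shows the shape of the argument, not its strength: on a real device the first measurement must be taken by immutable boot ROM or a TPM before any mutable code runs, and the PCR value must reach the verifier in a quote signed by a key the device cannot export. Software that merely hashes itself, as this script does, proves nothing about a platform that has already been compromised.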

8. Has the manufacturer established security configuration control baseline standards?
Can the manufacturer describe its internal process and the configuration standards for the specific environments in which the product is deployed? Security configuration control baselines extend well beyond the technical design, engineering and patching of the manufacturer's systems: they establish a consistent technical approach, consistent terminology and a consistent security framework across all security-related functions and processes.

Manufacturers that demonstrably maintain a security configuration control baseline can show where common and shared controls interface with external data sources and how change control is managed.

9. Does the manufacturer share vulnerability data?
How does the manufacturer share vulnerability information about its products? Many vendors would rather release nothing, or release too little technical detail for users to protect themselves by patching, changing the environment, adjusting firewall and intrusion detection rules, disabling the affected component or taking other defensive measures.

A best practice adopted by leading physical security manufacturers is to have their products' vulnerabilities recorded in the National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST). Users can look up vulnerabilities and their remediation there and in advisories published by the U.S. Computer Emergency Readiness Team (US-CERT).

Manufacturers willing to share information can identify their products using the Common Platform Enumeration (CPE), a standardized naming scheme that gives each hardware platform, operating system and application a unique, structured name including its version, so that an NVD entry can state exactly which products and versions are affected.

When a vulnerability is discovered in a particular vendor product, the affected parties can then identify and share that information quickly. Physical security manufacturers that publish this information for industry consumption and analysis should be considered cyber aware.
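To show how CPE names let an operator tie a published vulnerability to their own inventory, here is an added example, not code from the article, from NVD or from any vendor, that parses CPE 2.3 formatted strings in Python and applies an NVD-style match node (a `criteria` string plus optional version bounds such as `versionEndExcluding`) to a device's firmware CPE. The vendor name `examplecorp`, the product `ipcam_2000_firmware` and the match node are constructed for the example, and the version comparison is a deliberate simplification.

```python
import re

# Attributes of a CPE 2.3 formatted string, in order, after the
# "cpe:2.3" prefix (NIST IR 7695).
CPE_ATTRS = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]


def split_unescaped(s, sep=":"):
    """Split s on sep, leaving backslash-escaped characters alone."""
    fields, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(s):
    """Parse a CPE 2.3 formatted string into a dict of its attributes."""
    fields = split_unescaped(s)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % s)
    return dict(zip(CPE_ATTRS, fields[2:]))


def component_matches(criterion, value):
    """Does one attribute of a match criterion cover the product's value?

    '*' (ANY) covers everything, '-' (NA) covers only NA, and any other
    criterion is a glob where unescaped '*' and '?' are wildcards and
    backslash-escaped characters are literal.
    """
    if criterion == "*":
        return True
    if criterion == "-":
        return value == "-"
    if value in ("*", "-"):
        return False  # a concrete criterion never covers ANY or NA
    pattern, i = "", 0
    while i < len(criterion):
        c = criterion[i]
        if c == "\\" and i + 1 < len(criterion):
            pattern += re.escape(criterion[i + 1])
            i += 2
            continue
        pattern += ".*" if c == "*" else "." if c == "?" else re.escape(c)
        i += 1
    plain_value = re.sub(r"\\(.)", r"\1", value)  # drop escapes before comparing
    return re.fullmatch(pattern, plain_value, re.IGNORECASE) is not None


def cpe_matches(product, criterion):
    """True when every attribute of the criterion covers the product."""
    return all(component_matches(criterion[a], product[a]) for a in CPE_ATTRS)


def version_key(v):
    """Numeric tuple for dotted versions. Assumption: adequate for
    '2.4.1'-style strings; vendor schemes like '2.4.1-rc1' need more."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def applies(product_cpe, match_node):
    """NVD-style applicability: the 'criteria' string must cover the
    product and its version must fall inside any stated bounds."""
    product = parse_cpe23(product_cpe)
    if not cpe_matches(product, parse_cpe23(match_node["criteria"])):
        return False
    v = product["version"]
    bounds = {k: match_node[k] for k in match_node if k.startswith("version")}
    if v in ("*", "-"):
        return not bounds  # a bounded range cannot be confirmed without a version
    vk = version_key(v)
    if "versionStartIncluding" in bounds and vk < version_key(bounds["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in bounds and vk <= version_key(bounds["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in bounds and vk > version_key(bounds["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in bounds and vk >= version_key(bounds["versionEndExcluding"]):
        return False
    return True


# Constructed sample data: the firmware CPE a vendor would publish for a
# camera, and a hypothetical NVD cpeMatch node for a bug fixed in 2.5.0.
DEVICE_FIRMWARE = "cpe:2.3:o:examplecorp:ipcam_2000_firmware:2.4.1:*:*:*:*:*:*:*"
SAMPLE_MATCH_NODE = {
    "vulnerable": True,
    "criteria": "cpe:2.3:o:examplecorp:ipcam_2000_firmware:*:*:*:*:*:*:*:*",
    "versionEndExcluding": "2.5.0",
}

if __name__ == "__main__":
    print(parse_cpe23(DEVICE_FIRMWARE))
    print(applies(DEVICE_FIRMWARE, SAMPLE_MATCH_NODE))
    print(applies(DEVICE_FIRMWARE.replace("2.4.1", "2.5.0"), SAMPLE_MATCH_NODE))
```

The practical point for a buyer: the check only works if the vendor publishes a CPE for the product (and, for devices, a separate one for the firmware) and uses it consistently in its advisories. A product that has no CPE name cannot be found in the NVD by any automated inventory tool.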

10. Does the manufacturer use third-party independent verification and validation (IV&V)?
Manufacturers routinely report that they conduct internal reviews and product testing at regular intervals to demonstrate that their IT-connected solution is secure. Beyond these internal evaluations, do they also commission external third-party testing and evaluation? Do they describe the test plan and the environment in which the product was tested?

Manufacturers that publish testing and evaluation data from third-party IV&V demonstrate cyber awareness by recognizing that every system presents some form of risk. A cyber-aware manufacturer whose product has had weaknesses discovered and remediated should be all the more willing to share the relevant data.

Coordinated Team Effort Is Required
Because the contexts are so diverse and the technology so dynamic, physical security manufacturers and systems integrators will need to work together at levels previously unimagined to deploy cyber-secure solutions to schools, universities and hospitals. As we move into the hyper-connected, interdependent world of modern computing, education, training and knowledge transfer are essential.

Systems integrators and their campus clients must demand more from manufacturers: assurances that they have met and continue to maintain internal cybersecurity best practices, and that they sell secure products to end users.

Going forward, campuses must ensure their systems integrators are prepared and skilled in using verification tools, design-checking software and other quality assurance tools that can identify possible security vulnerabilities before deployment into the campus environment.

Darnell Washington is President and CEO of information security technology and consulting firm SecureXperts. He can be reached at dwashington@securexperts.com.
