A business opportunity for somebody...

[jducoeur]

I wonder if there are any companies with the security and publicity smarts to offer a "Safe to Shop Here" logo for big stores? Given the TJX debacle (and the new news that people who shopped at TJX stores are having their identities stolen), I expect the public to start at least fractionally noticing information security as a concern. That would seem to create a business opportunity for someone to come out with a "Certified Secure" label for stores, the same way they're trying to build a "Guaranteed Organic" label that consumers recognize. Like that, only a fraction of the public would notice, but that fraction is likely to be passionate about it.

Not an easy task: the company would have to have the security chops to conduct really good security audits, and have the marketing machine to convince the public that they really are holding these companies to account. But it would seem like a way to print money if they could pull it off: it could become a significant competitive advantage to have your store certified by them (assuming they managed to get the public to pay attention to the label), and the space is pretty big.

(Devil's advocate: doing this without major legal exposure would be tricky -- the company couldn't afford to *guarantee* the security, just establish that their customers are following good enterprise-grade practices...)

Comments

[talvinamarich.livejournal.com]

(Devil's advocate: doing this without major legal exposure would be tricky -- the company couldn't afford to *guarantee* the security, just establish that their customers are following good enterprise-grade practices...)

This is why you don't use the word "Certified", and most definitely not the word "Guaranteed".

"Tested."

"Reviewed."

Etc.

That tells them that when your Secret Shopper, or your Security Expert, or what have you, conducted a live-fire test, things went well.

What happens the rest of the time, you don't know.

[zachkessin.livejournal.com]

Well I think it would have to be more like ISO 9000, in that you do things according to a set of rules, and that this gets audited on a regular basis. And probably a bit like Kosher certification, which is to say that the certifying agency can show up at any time and if they don't like what they see they can pull your certificate.

[talvinamarich.livejournal.com]

Oh, my. Interesting image.

"This software certified 100% Kosher by Rabbi Ben Geek."

;)

[dsrtao]

Since the review of procedures would necessarily involve many of the same steps, it makes sense for this to be an extension of the SAS-70 Type II audit -- a CPA standard for reviewing the operational controls of a corporation. It also requires some programming skills to spot-check that critical programs do what they claim to do.

The SAS-70 standard is published by the American Institute of CPAs, and lots of independent contractors implement it. This would mean that the Data Handling Standard (or whatever) would be defined by a major organization, and folks would be trained to implement it and stand behind it themselves.

Now if only the big accounting firms were capable of not colluding with their clients...

[dsrtao]

Sudden thought: suppose you paid a fee based on your complexity and size into an insurance fund, and the insurers randomly picked which firm was going to do the review this year?