Monday, October 20, 2008

Quis custodiet ipsos custodes?

A fundamental problem was described by Plato in the Republic, his work on government and morality. In the Republic, the perfect society which relies on laborers, slaves and tradesmen is described by Socrates, the main character of the work. The guardian class is to protect the city.

A question is put to Socrates, “Who will guard the guardians?” Plato's answer to this is that they will guard themselves against themselves. We must tell the guardians a "noble lie." The noble lie will inform them that they are better than those they serve and it is therefore their responsibility to guard and protect those lesser than themselves. We will instill in them distaste for power or privilege; they will rule because they believe it right, not because they desire it.

In our work as custodian or protector, atsec has an important role in evaluating, providing security assurance for, or testing the conformance of a product or service related to information security. In our world the developers and sponsors are the laborers and tradespeople described by Plato. Plato’s answer to the question "Who will guard us against the guardians?" holds true for atsec’s business model. We place a lot of effort and expense into guarding ourselves. We cultivate the belief in our version of the noble lie: that we are better than those we serve, and through this lie we develop the responsibility to guard and protect our customers.

As we seek to serve our customers we are governed first and foremost by our business principles, and it is no accident that these reflect Plato’s thinking!

We are independent
atsec is an employee-owned company. We are not affiliated with any hardware or software vendor, and we never will be. Our credibility as consultants hinges on that independence. Our customers can rely on us to be objective. We have no interest in selling anything other than our security expertise.

atsec is financially independent — bound to no bank loan commitment, no outside investors, no vendor partners, and we don’t use credit. We are free to follow the path we set for ourselves, competently and steadily pursuing our work on behalf of our clients, prudently growing our company as solid opportunities emerge. The measured path the company has chosen to pursue might even look a little boring … but “boring” is right when it insulates us against the hard consequences of widespread financial credit difficulties. Our stubborn insistence on maintaining independent excellence might be seen as arrogant … but “arrogance” is justified if it comes from well-founded self-confidence.

In the last few weeks this principle has protected atsec well from the short term effects of the credit crunch. We have no worries about the security of atsec’s securities.

We know the business
atsec knows the worldwide information security consulting business very well. With a multinational staff, it is only natural that we feel comfortable operating internationally. We are a company with global reach.

The information security problem is global and borderless. We see clearly in the current financial crisis the inevitability of global interconnectedness and the folly of not recognizing and planning to manage that dependency. atsec operates in every region, understanding the differences in legislation and regulation, and supports our clients as they address issues with global connotations too.

We stay focused
atsec consultants are information security consultants. As such atsec focuses solely on information security consulting. We do not consult in any other areas, and we do not sell hardware, software, or any other ware.

We are the best! You can rely on us to ensure that your security assessment is the best. We demonstrate continual excellence in information security. We do not dilute our skills by trying to make money through selling products or accepting work that is outside our field.

We act with integrity
Information security consulting and evaluation is a high-integrity business, and very much a matter of trust. All of our employees are committed to sustaining the highest degree of integrity in our client relationships. We are devoted to delivering the highest quality in a timely manner.

This principle too is very close to our hearts. There are many ways in which we demonstrate integrity but consider that in a single year atsec undergoes audits and assessments from the following bodies:

  • NIAP, CSEC (Sweden), and BSI (Germany), who run the national Common Criteria schemes with which we are accredited and regularly and independently assess our technical proficiency.
  • The CMVP (NIST and CSEC (Canada)), who assess our proficiency with the Cryptographic Module Validation Program, the Cryptographic Algorithm Validation Scheme, the NPIVP (NIST PIV Program), and the Information Security Automation Program.
  • The General Services Administration (GSA).
  • NVLAP (and the corresponding responsible bodies in Germany and Sweden), who assess our laboratories for conformance with ISO 17025.
  • The PCI council, who regularly assess the quality and standards of performance as we perform our work as a PCI QSA and ASV.
  • Not content with that, we voluntarily, at a not insignificant expense, added oversight from our ISO 9001 and ISO/IEC 27001 conformance certifiers.
  • We invite independent management consultants on an annual basis to help us review our business strategies, not just in the short term but on a medium and long term basis too.
  • Our financial auditors, who also play an important role in establishing atsec’s integrity.

Why do we do all of this? To develop and demonstrate competence, adherence to ethical principles and, not least, to develop and maintain the trust afforded to us by our customers.

You may point out that in some sense these organizations are our guardians. It is true, but atsec is not content to accept that these organizations could guard us without our assistance and so we take an active role in defining the various schemes of operation, developing the standards to which we conform, and even in training and supporting the assessment of our guardians! Why on earth would anyone spend precious resources in a small company on such activities?

Why?

Simply because we believe it is right.
