Are you worthy of a Trustmark?

New CompTIA program certifies security-conscious service providers
 - 
Thursday, September 3, 2009

OAKBROOK TERRACE, Ill.—How does a security director know your techs will be sensitive with human resources information they have access to thanks to your access control system’s integration with her Microsoft active directory? How does she know you’ve got a privacy policy, and a password policy, and that you lock your own doors at night?

Of course, you could answer all those questions and show various documentation. Or you could attain a Security Trustmark from the Computing Technology Industry Association, known as CompTIA. This new accreditation certifies service providers of all stripes—from physical security and IT integrators all the way to housekeeping companies—in the fundamentals of asset protection.

“The idea is that any service provider—a dealer, an installer, integrator, service provider in the cloud—who touches, manages or influences their customers’ data needs to have good security themselves,” said Steve Hunt, developer of the program and now senior director, Security Trustmark, with CompTIA. Hunt is also head of Hunt Business Intelligence and has been banging the drum for a holistic approach to security for a long time. With this program, he said, companies now have a third-party validation process for fundamental security steps they should be taking anyway, but often are not.

“It breaks my heart,” he said, “when I get called by COOs and CSOs and they’ll invite me into meetings with people selling access or video, and whenever a question comes up about the security of the customer’s assets, the vendor and the dealer are dumb-founded, they have thick tongues about securing the kernel of their own system, securing transmissions, or securing any of their customer’s information that they need in order to get the systems up and running.” Hunt feels this is hurting the security industry as a whole, and giving the IT industry a leg up in the race for public acceptance. “Why is IT getting all the good press,” Hunt wondered aloud.

Patrick Wilson, president of Vital Signs Technology, heads one of the first 17 companies who’ve gone through the process. Why? “It just verified that, as a small business, we were running our organization with the same credibility and preparedness as a larger organization,” he said. “For our customers, generally medical practices and start-ups, it shows them that we’ve been independently certified, without having to go through the costs of an ISO audit. It’s very beneficial.” Vital Signs has the Trustmark displayed on its Web site, and it will be on all business cards and marketing literature going forward.

Wilson said he realizes that as one of the first to acquire the Trustmark he’ll need to be an evangelist for it as well. “A lot of people know about CompTIA,” he said, “they see it in certain press, or they’ve run across something at Best Buy that’s CompTIA A+ or whatever, but the security Trustmark does have to be better marketed.”

Hunt said he understands this and “one of the reasons CompTIA approached me about this, I think, is because they thought that I could get the word out and get people buzzed about it.” Hunt has an industry blog, www.securitydreamer.com, and is often a speaker at industry events. 

Hunt is confident the Trustmark will be quickly accepted by the security industry because of CompTIA’s non-profit status, respected reputation, and the ease with which companies should be able to attain the mark. The fee for the Trustmark starts around $2,000 for small companies, and the process involves supplying some documentation, filling out a 120-question survey, and conversing with a CompTIA assessor for an hour or two.

“It’s cheap, it’s easy, and I want to make it as intuitive as possible,” Hunt said. “If your company doesn’t have a privacy policy, just let me know. I’ll send you an example and you can just declare it as your privacy policy, get your employees to read and sign it, and put it on your web page, and you’re compliant.”

Wilson called the process and the fee “absolutely reasonable ... all CompTIA is asking is for stuff that we should already be doing to protect ourselves and our customers.”