The tool – a downloadable Adobe PDF file on the Jericho Forum's website – forms a central plank of the forum's self-assessment scheme (SAS), which is designed to let vendors and their customers check how effectively an IT security product meets their requirements and ensure that it is implemented and deployed securely.
Adrian Seccombe, an ex-CSO with Eli Lilly – and a Jericho Forum board member – told Infosecurity that the online tool builds on the eleven security principles, known as the Jericho Forum commandments, that the forum laid down in 2006.
"These were designed to act as beacons of information and have been very successful in helping people implement their in-house security", he said.
The online tool, he explained, is a natural evolution of that move and has taken around 18 months to develop.
"There are basically three levels that the tool will produce – that your IT security systems are not acceptable, are adequate, or are good. It's a simple approach that tells you a lot", he said.
Interestingly, Seccombe went on to say that when the decision was taken to develop the SAS tool, it was decided at the start not to develop an online interactive utility, since – ironically – this would have meant the tool itself would fail the test and generate a response of being "not acceptable."
According to the forum, the ultimate goal of the self-assessment scheme is to influence IT product innovation and market forces to be security-driven instead of purely feature-driven.
Paul Simmonds, a fellow Jericho board member, said that the eleven Jericho Forum commandments have been adopted by many IT architects and designers throughout the industry as valuable benchmarks for measuring design concepts and solutions.
In addition, a number of end-user organisations are known to include them as part of their RFPs, he said.
"This new self-assessment programme extends to all security vendors and customer organisations the benefits of clear measurement criteria with the goal of establishing a more secure marketplace where products are inherently secure right out of the box", he said.
"This is an open invitation to the IT industry to improve security design standards", he added.
The Jericho Forum says it expects that IT security vendors will welcome being able to use this tool as it enables product differentiation and drives further innovation through an objective, independent, low-cost assessment that is unlike many other more formal and costly accreditation processes.
In addition, the forum notes, whilst many vendors may keep their initial self-assessment summary scores private, they can revisit the SAS to validate and distinguish their accomplishments as their product security improves over time.