Information security isn’t the only field dealing with safeguards and related compliance challenges. Restaurants are expected to implement measures for safely handling food. Yet, economic realities and other priorities may cause them to priorities other aspects of the business over food safety. Since customers rarely have the visibility into food-handling practices, municipalities often take it upon themselves to enforce compliance with sanitation requirements.
Might the less mature InfoSec industry learn from the practices of overseeing compliance with food safety rules? There’s lots to explore here, but I’ll limit myself to the recent practice of the New York City Health Department to issue public letter grades to restaurants as part of its sanitation inspections.
Grading Restaurants’ Food Safety
Starting July 2010, the New York City began requiring “certain types of food service establishments to prominently post letter grades that correspond to their sanitary inspection scores.” In addition to seeing the grades, restaurant patrons can obtain inspection details on the department’s website.
When assessing compliance with NYC’s food safety regulations, the inspectors assign points for the observed violations, as outlined in the scoring guide. The restaurant receives a letter grade based on the number of points. Passing the inspection requires grades A, B or C. Restaurants that earned a non-A grade can contest the sited violations; during this period, the restaurant can either post the initial grade or the “Grade Pending” sign.
According to the NYC Health Department, those who receive A “will be inspected annually, but those receiving lower marks will get more frequent visits.” The resulting system pays the most attention to low-scoring businesses, which warrant the closest monitoring.
Food Safety Compliance Incentives for Restaurants
The public display of sanitation inspection grades is meant to provide the restaurants with the incentive to improve their food-handling practices. The assumption is that customers will prefer to eat in an “A” establishment, rather than the one that received the “C” grade.
To motivate restaurants to improve their sanitation posture, NYC only issues a non-A grade after a second inspection, which occurs announced about a month after the initial inspection. According to the initial data published by the NYC Health Department, the incentive to improve sanitation might actually work:
“Just 27% of restaurants received A grades (0 to 13 violation points) on initial inspection… But among those scoring in the B range (14 to 27 violation points) on initial inspection, nearly 44% improved to earn an A grade on second inspection. Of restaurants that scored in the C range (28 or more violation points) on their first inspection, 72% improved enough to earn an A or B on the second.”
Letter Grades for Information Security
Like restaurants, consumer-oriented services on the web have a customer base that lacks the the visibility and skills to assess the risks of patronizing the website. As the result, the users have to rely on some third-party signal that the desired service may be “secure.”
Presently, the security signals are weak and rarely adequate, as they merely include the presence of SSL or a security seal indicating that the site was scanned for vulnerabilities. PCI Data Security Standard (DSS) offers some help in this regard, yet it only applies to card payment-processing sites and lacks the awareness among non-technical consumers. Moreover, PCI DSS is binary—the site either passed or failed—which encourages some business to fudge facts to achieve compliance, diluting the value of the PCI DSS effort.
We would benefit from having a clear set of bare minimum security requirements that systems processing information need to abide by. In fact, the Twenty Critical Security Controls project comes pretty close to defining such measures. I’d love to see a program that assigns letter grades to consumer sites on the Internet based on the number of such controls that were lacking. Yet, who would assess and enforce compliance? And who would pay for the cost of such a program? It’s not going to happen on the Internet any time soon.
I know I’m asking more questions than I’m answering, yet I think there’s something to the approach of motivating businesses to improve safety through a public display of grades. What do you think?
Update: For more on this topic, take a look at Mike Rothman’s post Incomplete Thought: The Scarlet (Security) Letter.