Information security isn't the only field dealing with safeguards and related compliance challenges. Restaurants are expected to implement measures for safely handling food. Yet economic realities and other priorities may cause them to prioritize other aspects of the business over food safety. Since customers rarely have visibility into food-handling practices, municipalities often take it upon themselves to enforce compliance with sanitation requirements.
Might the less mature InfoSec industry learn from the practices used to oversee compliance with food safety rules? There is a lot to explore here, but I'll limit myself to the recent practice of the New York City Health Department of issuing public letter grades to restaurants as part of its sanitation inspections.
Grading Restaurants' Food Safety
Starting July 2010, New York City began requiring "restaurants to post letter grades that correspond to scores received from sanitary inspections." In addition to seeing the grades when visiting the establishments, restaurant patrons can obtain inspection details on the department's website and mobile app.
When assessing compliance with NYC's food safety regulations, the inspectors assign points for the observed violations, as outlined in the scoring guide. The restaurant receives a letter grade based on the total number of points: the more points, the lower the grade. Passing the inspection requires a grade of A, B or C. Restaurants that earned a non-A grade can contest the cited violations; until the matter is resolved, the restaurant can post either the initial grade or a "Grade Pending" sign.
According to the NYC Health Department, those who receive an A will be inspected approximately once a year, while those receiving lower marks will get more frequent visits. The resulting system pays the most attention to low-scoring businesses, which warrant the closest monitoring.
Food Safety Compliance Incentives for Restaurants
The public display of sanitation inspection grades is meant to give restaurants an incentive to improve their food-handling practices. The assumption is that customers will prefer to eat in an "A" establishment rather than one that received a "C" grade.
To motivate restaurants to improve their sanitation posture, NYC only issues a non-A grade after a second inspection, which takes place unannounced about a month after the initial inspection. According to the initial data published by the NYC Health Department, the incentive to improve sanitation might actually work:
"Just 27% of restaurants received A grades (0 to 13 violation points) on initial inspection… But among those scoring in the B range (14 to 27 violation points) on initial inspection, nearly 44% improved to earn an A grade on second inspection. Of restaurants that scored in the C range (28 or more violation points) on their first inspection, 72% improved enough to earn an A or B on the second."
Letter Grades for Information Security
Like restaurant patrons, the customers of consumer-oriented web services lack the visibility and skills to assess the risks of patronizing a website. As a result, users have to rely on some third-party signal that the desired service is reasonably "secure."
Presently, the available security signals are weak and rarely adequate: they amount to the presence of SSL/TLS or a security seal indicating that the site was scanned for vulnerabilities. The PCI Data Security Standard (DSS) offers some help in this regard, yet it only applies to sites that process card payments and is little known among non-technical consumers. Moreover, PCI DSS is binary (the site either passed or failed), which encourages some businesses to fudge facts to achieve compliance, diluting the value of the PCI DSS effort.
We would benefit from having a clear set of bare-minimum security requirements that systems processing information need to abide by. In fact, the CIS Controls project comes pretty close to defining such measures. I'd love to see a program that assigns letter grades to consumer sites on the Internet based on the number of such controls that are lacking, much as NYC converts violation points into a grade. Yet who would assess and enforce compliance? And who would pay for the cost of such a program? It's not going to happen on the Internet any time soon.
For a tactical example of using a letter grade to assess a specific security control of a system, take a look at the free Qualys SSL Labs tool, which examines the SSL/TLS aspects of a server's configuration and assigns a letter grade accordingly. Another example of using letter grades to signal a company's security posture comes from companies such as BitSight and SecurityScorecard, which provide their customers with security ratings reports about other companies; such reports are generally not suited for consumption by individual consumers.
I know I'm asking more questions than I'm answering, yet I think there is something to the approach of motivating businesses to improve safety through a public display of grades.