NCSA POLICY CONCERNING SECURITY PRODUCT REVIEWS
February 17, 1990

Purpose:
NCSA product reviews are intended to present complete, thorough, useful reviews of security products to the members of the NCSA. This document sets forth the NCSA policy concerning such reviews. This policy is open for discussion.

Reviewers:
Reviewers may be single individuals or "review teams." Reviewers should have some knowledge of the application of the product, and should be capable of writing detailed reviews. Review teams may consist of expert users as well as novice users. The role of the novice user is to provide input on product ease of use and quality of documentation.

Conflict of Interest:
NCSA reviewers must have no interest in the product reviewed which would compromise the integrity or accuracy of the review. All reviews will be signed by their authors.

Procurement of Products:
Products may be solicited directly from manufacturers/software houses on behalf of the NCSA. In return for a free evaluation copy, the product review will become a permanent part of the NCSA BBS, available for viewing by all members. After completion of the review, the reviewer shall be granted the license to the product.

Evaluation Copies:
No review will be performed on a copy which is limited in function. No review will be performed on a "beta" version of a product, or on any product which is not generally available to the public.

Limit of Liability:
The NCSA shall assume no liability for, and make no claims of, the capabilities or fitness of any product. All reviews shall be carried out to the best ability of the reviewer/review team, and edited if necessary by the NCSA staff.

Comments/Clarifications/Rebuttals:
After a product has been reviewed, the review shall be posted on the NCSA BBS, and the manufacturer will be allowed to comment on the review for a period of 60 days. A copy of the review will also be sent to the manufacturer for comment. After that time, the review will be edited if necessary, based upon the responses of both the manufacturer and any others who have commented. The review will then become part of the permanent library of the NCSA. A summary may be placed in the NCSA newsletter; the full review will be placed on the NCSA BBS for downloading by members.

Classifications:
A detailed system of classification shall be developed to assist both reviewers and readers in their respective efforts. For example, such categories might include PC Access Control, Data Encryption, Virus Detection, etc.

Review Outline:
The reviewer(s) shall follow the review outline presented at the end of this document, so that similar products can be compared directly.

Comparative Reviews:
Where possible, a single review will cover an entire category of products. As each new product within that category is reviewed, the new review will be merged with the existing reviews. Where possible, tables will be created comparing products, to aid members in choosing a product.

Product Classification Overviews:
In cases where there are many products in a single category, a review team may be assigned to evaluate all the reviews and pick an "NCSA Choice". This would be the NCSA's official recommendation, and would be awarded to the product that best meets the criteria for its category.

Quantitative Ratings:
A system of ratings shall be developed in order to more easily compare products. At the time of review, an NCSA security rating will be assigned. This will consist of a number from 0.0 to 10.0, with 0.0 indicating the least security and 10.0 the most. A scale shall be developed to aid both reviewers and readers in comparing scores (e.g. 6.0-8.0 Average, 8.0-10.0 Recommended, etc.). The exact form of these ratings will be developed over time, as the first reviews are conducted.

Access to Reviews:
Reviews shall be placed in a restricted area of the NCSA BBS, so that only dues-paying members have access. Hard copies of the reports may be requested for a small fee.

Review for Fee:
At a manufacturer's or member's request, NCSA will review a specified product. A fee may be charged for such a review, but this fee will in no way affect the nature of the review.

Review Content:
Each review will contain the following information:

* Reviewer(s) name
* Product name
* Version of product reviewed (version number and/or date)
* Product pricing information
* Manufacturer name, address, phone
* Product category/function
* Product description. This description will place a heavy emphasis on the security offered by the product, even if security is not the main focus of the product.
* Product capabilities: what specific features the product offers. Such information may be drawn from marketing materials, but must be verified by the reviewer. This may be presented in bullet or narrative format.
* Definition of the categories used in the ratings, and the general rating approach. This definition will be sufficiently explicit that other reviewers will be able to apply the method and obtain the same results on this product. Examples of categories likely to be included: ease of installation, ease of use, degree of protection offered, adequacy of documentation, support, accuracy of manufacturer's claims concerning the product, overall value.
* Category ratings, with justification
* Summary of ratings, in tabular form

About this document:
The first draft of this document was prepared by Charles Rutstein, co-sysop of the NCSA BBS. David Stang revised it. Comments are invited. Write NCSA, Suite 309, 4401-A Connecticut Ave. NW, Washington DC 20008. Or call NCSA voice 202-364-8252, or leave a comment to the SYSOP on the NCSA BBS: 202-364-1304.