Brightsight - Your Partner In Security Approval
Site security is much more than just "how many CCTV cameras are put in place" or "how many doors one must pass to get to the design". It is about physical and logical access control, configuration management, the tools used during development and manufacturing, delivery to customers and much more. It is about the assurance that the developer knows exactly what he or she is building and has certainty that what is built is exactly what the developer envisioned and what is eventually delivered to the customers. The main difference between a site security evaluation and a quality evaluation (e.g. ISO 9001) is that not only must all the processes be well defined, but they must also be defined with sufficient security in mind and be effectively followed in order to maintain security.
It is thus not hard to imagine that a site audit is required, or will be required in the near future, by almost all major security evaluation schemes (Common Criteria, MasterCard CAST, VISA VSCP and PCI, etc.). A product-independent Common Criteria site certificate also exists to facilitate the certification of production sites. This certificate can then be used as a waiver during most security evaluation audits. We have performed a large number of site audits, performing security evaluations according to different schemes, and are experienced in preparing manufacturers to successfully pass a formal audit.