Group pushes for B2B security standards

Computerworld - A six-member group that includes Visa International Inc., AT&T Corp., the SANS Institute and NASA is banding together to promote common, auditable security standards for companies doing business with one another over the Internet.
The group, which is calling itself the Center for Internet Security, will focus on defining and pushing the minimum security procedures and technologies that companies must implement when dealing with others over the Web, said Alan Paller, director of the SANS Institute in Bethesda, Md.
Such standards are becoming important at a time when companies are increasingly linking up with their partners, distributors and suppliers over the Internet, Paller said.
The goal is to ensure that all participants in such business-to-business environments adhere to common standards for the safety of all others on the network, Paller added.
The Center for Internet Security will initially base its proposed standards on Visa's recently announced guidelines for online merchants for guarding cardholders' information, according to Paller.
Visa's 10 new requirements for its merchants stipulate that they must install a firewall, keep security patches up-to-date, encrypt stored and transmitted data, use and regularly update antivirus software and restrict employee access to sensitive data. Other requirements cover the assignment of IDs and passwords and the regular testing of security systems.
Organizations such as AT&T and NASA, which have accumulated considerable experience defending themselves against hacker attacks, will provide technology and operational recommendations to the center.
The Information Systems Audit and Control Association, a membership-based organization in Rolling Meadows, Ill., that focuses on information technology governance, control and assurance issues, will be responsible for providing the auditing recommendations.
In Need of a Quick Fix
In a similar initiative, the National Security Council (NSC) in Washington hosted another group of security executives from several companies, including Microsoft Corp., Oracle Corp., Exodus Communications Inc. and The Boeing Co., to discuss the need for quickly setting minimum security standards for Internet-connected companies.
That group will report back to the NSC in one month with recommendations on how to move forward with such a standard, said Bill Hancock, chief security officer at Exodus in Santa Clara, Calif.
"A committee has been put together to study what kind of standards we should use, what is available out there, what needs to be created . . . [and] to look at organizations implementing best practices and to find out what we should be doing and what we might be doing already," Hancock said.
Much of the impetus for standard-setting comes from the growing threat to business-to-business networks posedby malicious hackers, including political interest groups and foreign governments, Hancock said.

Read more about legislation/regulation in Computerworld's Legislation/Regulation Knowledge Center.