Users mold security benchmark

Computerworld - The problem with IT security benchmarks is that the reference point is a constantly shifting target as new technologies and threats emerge.

Benchmark Overview The Center for Internet Security (www.cisecurity.org) will release its Solaris systems benchmark next month. What will be available: The CIS will offer public access to the benchmark ruler, which will define security settings for Solaris systems, depending on level of security sought. The full benchmark, which will include supporting information and references, will be available to members. The CIS is considering becoming a subscription-based service rather than a membership-based organization. What’s up next: It’s next benchmarks include Windows 2000 and NT; Unix variants, including IBM’s AIX; and Linux.

And that's an especially difficult problem to overcome, said corporate security systems managers. They are examining the fruits of a relatively new cooperative effort that this week will yield the near-final version of a systems security benchmark for Sun Microsystems Inc.'s Solaris.

But despite concern about the benchmark's continued usefulness, end-user members of the Center for Internet Security said the organization's technical benchmark for securing Solaris systems will be key to their security efforts.

"To me, this is a great economic package for us," said Iris Patton, who heads security for the Americas at Houston-based Shell Services International Inc., the IT unit of Royal Dutch/ Shell Group. In return for the $5,000 membership fee the company paid to the CIS, it's receiving technical information that's good enough to serve as a substitute for high-priced consultants, she said.

The CIS is a nonprofit, cooperative group in Bethesda, Md., that was formed last October. Its members include more than 140 companies, government agencies and consulting firms.

The benchmark outlines a list of specific operational actions and settings for securing systems at different levels of protection. It was developed through a collaborative effort that involved ongoing feedback on the benchmark's drafts from technicians at some of the member companies, such as Shell's Unix gurus.

Donna Francis, who manages compliance security and policy for the IT group at Subaru of America Inc. in Cherry Hill, N.J., said the benchmark's collaborative approach will help fill security knowledge gaps.

"A [single] company can't always experience all the things that go wrong," she said. "It's just impossible."

But the true test of the benchmark will be its usefulness over time, said Francis. "How are they going to keep it updated?" she said.

"How are people going to add their experience next year or in the coming months as things change?"

Clint Kreitner, the CIS's president and CEO, said