New law would require computer security audits, status reports
If passed, it would force companies to comply with third-party benchmarks
Computerworld - WASHINGTON -- New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports.
Computerworld obtained a copy of the bill in draft form today. Just this week, Richard Clarke, the former chairman of the President's Critical Infrastructure Protection Board, called for congressional action on a specific standard that the U.S. Securities and Exchange Commission could use to measure and enforce corporate cybersecurity efforts (see story).
Known as the Corporate Information Security Accountability Act of 2003, the bill is being sponsored by Rep. Adam Putnam, (R-Fla.), chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. It would require companies to hire an independent auditor to assess existing information security controls and ensure that they meet basic standards that the SEC has yet to be determine. The agency would have 60 days after passage of the bill to come up with specific standards for the audits.
According to the draft legislation, companies would be required "to assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems," and "determine the levels of information security appropriate to protect such information and information systems."
To determine the appropriate security for various IT systems, companies would also be required to inventory their critical IT assets; provide an annual risk assessment; spell out their risk mitigation, incident response and business continuity plans; lay out company policies and procedures for reducing security risks to an acceptable level; and detail tests of the company's security controls and techniques to ensure their effectiveness.
Despite the move to require security assessments, some experts have pointed out that SEC involvement and the absence of specific metrics that can be used to measure compliance with a still-undefined set of security standards could be stumbling blocks for the proposal. That is exactly the situation Clarke criticized earlier this week.
"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke said Oct. 20 at the Gartner Symposium ITxpo 2003 in Lake Buena Vista, Fla.
Dan Burton, vice president of government affairs at Entrust Inc. in Addison, Texas, said there is broad agreement throughout industry that risk assessment and reporting are the "silver bullets" forcybersecurity. "But industry is wary of SEC involvement," he said. "Anybody who's done SEC compliance before knows that it can be extremely costly and contain all sorts of liabilities."
When asked if the Putnam bill would make a difference -- even without specific metrics having been identified -- Burton said, "Absolutely.
"This would force information security out of the closet," he said. "And it would make security part of the overall fabric of management and business operations."
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!