New law would require computer security audits, status reports
If passed, it would force companies to comply with third-party benchmarks
Computerworld - WASHINGTON -- New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports.
Computerworld obtained a copy of the bill in draft form today. Just this week, Richard Clarke, the former chairman of the President's Critical Infrastructure Protection Board, called for congressional action on a specific standard that the U.S. Securities and Exchange Commission could use to measure and enforce corporate cybersecurity efforts.
Known as the Corporate Information Security Accountability Act of 2003, the bill is being sponsored by Rep. Adam Putnam (R-Fla.), chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. It would require companies to hire an independent auditor to assess existing information security controls and ensure that they meet basic standards that the SEC has yet to determine. The agency would have 60 days after passage of the bill to come up with specific standards for the audits.
According to the draft legislation, companies would be required "to assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems," and "determine the levels of information security appropriate to protect such information and information systems."
To determine the appropriate security for various IT systems, companies would also be required to inventory their critical IT assets; provide an annual risk assessment; spell out their risk mitigation, incident response and business continuity plans; lay out company policies and procedures for reducing security risks to an acceptable level; and detail tests of the company's security controls and techniques to ensure their effectiveness.
Despite the move to require security assessments, some experts have pointed out that SEC involvement and the absence of specific metrics that can be used to measure compliance with a still-undefined set of security standards could be stumbling blocks for the proposal. That is exactly the situation Clarke criticized earlier this week.
"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke said Oct. 20 at the Gartner Symposium ITxpo 2003 in Lake Buena Vista, Fla.
Dan Burton, vice president of government affairs at Entrust Inc. in Addison, Texas, said there is broad agreement throughout industry that risk assessment and reporting are the "silver bullets" for cybersecurity. "But industry is wary of SEC involvement," he said. "Anybody who's done SEC compliance before knows that it can be extremely costly and contain all sorts of liabilities."
When asked if the Putnam bill would make a difference -- even without specific metrics having been identified -- Burton said, "Absolutely.
"This would force information security out of the closet," he said. "And it would make security part of the overall fabric of management and business operations."