New law would require computer security audits, status reports
If passed, it would force companies to comply with third-party benchmarks
Computerworld - WASHINGTON -- New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports.
Computerworld obtained a copy of the bill in draft form today. Just this week, Richard Clarke, the former chairman of the President's Critical Infrastructure Protection Board, called for congressional action on a specific standard that the U.S. Securities and Exchange Commission could use to measure and enforce corporate cybersecurity efforts (see story).
Known as the Corporate Information Security Accountability Act of 2003, the bill is being sponsored by Rep. Adam Putnam, (R-Fla.), chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. It would require companies to hire an independent auditor to assess existing information security controls and ensure that they meet basic standards that the SEC has yet to be determine. The agency would have 60 days after passage of the bill to come up with specific standards for the audits.
According to the draft legislation, companies would be required "to assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems," and "determine the levels of information security appropriate to protect such information and information systems."
To determine the appropriate security for various IT systems, companies would also be required to inventory their critical IT assets; provide an annual risk assessment; spell out their risk mitigation, incident response and business continuity plans; lay out company policies and procedures for reducing security risks to an acceptable level; and detail tests of the company's security controls and techniques to ensure their effectiveness.
Despite the move to require security assessments, some experts have pointed out that SEC involvement and the absence of specific metrics that can be used to measure compliance with a still-undefined set of security standards could be stumbling blocks for the proposal. That is exactly the situation Clarke criticized earlier this week.
"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke said Oct. 20 at the Gartner Symposium ITxpo 2003 in Lake Buena Vista, Fla.
Dan Burton, vice president of government affairs at Entrust Inc. in Addison, Texas, said there is broad agreement throughout industry that risk assessment and reporting are the "silver bullets" forcybersecurity. "But industry is wary of SEC involvement," he said. "Anybody who's done SEC compliance before knows that it can be extremely costly and contain all sorts of liabilities."
When asked if the Putnam bill would make a difference -- even without specific metrics having been identified -- Burton said, "Absolutely.
"This would force information security out of the closet," he said. "And it would make security part of the overall fabric of management and business operations."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts