Groups offer security guidance for critical infrastructure systems
Henrik G. de Gyor
Two groups this month put the onus on private-sector organizations to take steps to secure their systems if the country as a whole is to defend its critical infrastructures against cyberattack.
A task force formed by the National Cyber Security Partnership (NCSP) and supported by the Homeland Security Department called for voluntary adoption of its guidelines by companies, nonprofits and educational institutions.
The task force's recommendations followed closely on the heels of those from the congressionally created Corporate Information Security Working Group. The working group offered 25 recommendations the private-sector can take to improve IT security. The group released its report to Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
Putnam created the workgroup and has been working with it to identify alternative approaches to motivate companies to improve security.
'Information security was not a high-priority matter for much of corporate America,' Putnam said. 'Since approximately 85 percent of this nation's critical infrastructure is owned or controlled by the private sector, I have worked to identify strategies that will produce meaningful improvement in the computer security of corporate America.'
The NCSP document is based largely on existing standards and accepted best practices. The guidelines focus on process rather than technology, outlining steps for risk assessment, policy development, architecture development and ongoing review overseen at the highest levels of management. It incorporates tools such as standards from the International Standards Organization and the International Electrotechnical Commission, and practices set out in the Federal Information Security Management Act.
The U.S. Chamber of Commerce, the IT Association of America, TechNet and the Business Software Alliance created NCSP with DHS at a conference in December. The partnership established five task forces to come up with plans for implementing the National Strategy to Secure Cyberspace, released last year.
Amit Yoran, director of the DHS National Cyber Security Division, said it was too early to comment on specific recommendations in the guidelines and that DHS will not prescribe specific actions for organizations to secure systems.
'That's an organizational risk management decision' to be made by each organization, he said.
GCN senior editor Wilson P. Dizard III contributed to this story.