Internaut: Why not a nationwide security standard?
- By Shawn McCarthy
- Jul 18, 2002
The time has come to certify information security processes in much the same way that the International Standards Organization grants ISO 9000 certificates to manufacturers with consistent quality-control processes.
Such a certification would go a long way toward making federal, state and local IT infrastructures more bulletproof. It could corral the many networks used by government information systems and force them to follow consistent rules for data exchange, backup and encryption.
Last month, the House Committee on Energy and Commerce sent a letter to the Office of Homeland Security outlining ways to protect the nation's infrastructures.
'Rather than having individual agencies and critical sectors develop differing assessment models and security programs, the new [Homeland Security] Department should develop and promote a single framework for conducting vulnerability assessments across the critical infrastructure,' the committee's letter said.
Meanwhile, a National Academy of Sciences report on countering terrorism said in-house expertise is inadequate to protect agency and local-level IT infrastructures. The report suggested that the government develop a set of best practices for agencies to follow; see books.nap.edu/books/0309084814/html/124.html#pagetop.
Potential sources for finding best practices include:
- NIST's Critical Infrastructure Grants program for security solutions, at csrc.nist.gov/grants/regnotice.html, could fund the development of a certification process.
Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at [email protected].
Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.