Group suggests 25 ways to improve IT security
Working group offers 25 ways to improve IT security
- By Jason Miller
- Apr 06, 2004
A combination of new legislation, public outreach and insurance changes would enhance government and corporate cybersecurity, according to an industry and academic workgroup.
The Corporate Information Security Working Group penned 25 recommendations on steps the private sector can take to improve IT security. It created the list for Rep. Adam Putnam, chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
The Florida Republican drafted legislation last fall that would require publicly traded companies to submit a status report on their IT security plans with filings to the Securities and Exchange Commission. Putnam has not sponsored the legislation, instead he created the workgroup and has been working with it to identify alternative approaches to motivate companies to improve security.
'Information security was not a high priority matter for much of corporate America,' Putnam said. 'Since approximately 85 percent of this nation's critical infrastructure is owned or controlled by the private sector, I have worked to identify strategies that will produce meaningful improvement in the computer security of corporate America.'
The working group has five subgroups with separate focuses: procurement practices, incentives and liability, best practices, education, and reporting, information sharing and performance metrics.
Other than the metric team, the four other subgroups completed their reports last month. Some of the recommendations include:
- Enforcing provisions of the Federal Information Security Management Act to require agencies to establish and enforce minimum security configuration standards for systems they deploy
- Proposing an amendment to the Clinger-Cohen Act to highlight the need for cybersecurity during the acquisition-planning process
- Providing an exemption from antitrust laws for critical infrastructure industry groups that agree to obligatory security specifications for software and hardware they purchase
- Establishing third-party designations that identify qualified, certified or compliant organizations
- Establishing programs that use market forces to motivate organizations to enhance cybersecurity programs
- Considering legislation that would set liability limits or create safe-harbor protections as incentives for adoption of IT security controls
- Considering economic incentives that would reward investments by companies in certified security products and services
- Creating tiered federal disaster reimbursement payments that would be based on the extent to which best practices had been executed
- Encouraging the availability and use of cyber insurance as a means to protect critical assets.
Putnam said he is evaluating the recommendations and already has begun drafting a Clinger-Cohen amendment.