Task Force Recommends Security Compliance Or Regulation

A report, released Monday from a computer industry task force working on cybersecurity with the Federal Department of Homeland Security, recommended that corporate executives integrate information security control into their existing corporate governance efforts. The group, formally titled the National Corporate Governance Task Force, issued a five-step formula as a guideline for implementation of security measures.

That directive comes on the heels of another report, issued in late march from the National Cybersecurity Partnership Task Force, that calls for the government to have a role in supporting secure software products.

Solution Providers and vendors in the security industry reacted strongly to the recommendations, noting that any sort of increased government emphasis on corporate security ultimately will lead to more profits for them.

At endpoint security vendor Zone Labs, for instance, President and COO Irfan Salim said the task force recommendations only reinforced the message his San Francisco company has been promulgating for years.

"[We believe] that the foundation for Internet security can be found in educating users and in using the 'balanced breakfast' of Internet security -- updated anti-virus software and a good personal firewall," he said. "It is encouraging that...the task force recommends a partnership with the private sector to educate Internet users about practical protection methods while stressing the responsibility that each one of us has in protecting cyberspace."

Gordon Hunter, vice president of federal sales at iGov, a solution provider in McLean, Va., agreed.

"The fact that people are starting to pay some serious attention to securing their systems is great for us," said Hunter, whose company participates in more than a dozen major channel programs. "Now that [security] is becoming a priority on the federal policy level, it's becoming easier [for us] to notch sales at all levels."

Ron Moritz, who co-chairs the National Cybersecurity Partnership Task Force and is chief security strategist at vendor Computer Associates, Islandia, N.Y., said that his group's 123-page report was just the beginning of a long process of developing comprehensive recommendations for government, industry, and academia.

"[This] is the low-hanging fruit," he said. "This is a great opportunity, at the national level, to [get] government to motivate...to think about the problem."

Arthur Coviello, CEO and President of RSA Security, and co-chairman of the National Corporate Governance Task Force, agreed, noting that the "fundamental responsibility already exists" for firms to implement strong and effective security measures.

He added, "We believe the leaders of organizations today already have a fiduciary responsibility."

Specifically, the report by Corviello's group recommended five distinct measures:

• Enterprises should adopt an information security governance framework that follows security standards already established

• Enterprises should signal on their corporate Web sites that they intend to use the security tools developed by the task force

• Enterprises should note commitments toward improving cybersecurity by stating them online

• The Department of Homeland Security should endorse the task force report and its framework recommendations

• Everyone should upgrade the role of IT in the financial reporting process.

In the other report, task force members suggested widespread changes in four divisions: education, software process, patching and incentives.

To improve the software development process, for instance, the National Cybersecurity Partnership Task Force advised that software producers should adopt best practices to develop secure software code, measure the effect of their secure coding practices, and disclose the measurements results. The group also recommended that when patching software, companies should adhere to a "top ten" list of best practices, such as making patches small, easy to install and reversible; and eradicating patches that introduce require reboots.

Both the National Cybersecurity Partnership Task Force and the National Corporate Governance Task Force were formed last year as part of the federal National Strategy to Secure Cyberspace.