Information Security News mailing list archives

Alliance takes security call to boardroom


From: InfoSec News <isn () c4i org>
Date: Wed, 16 Apr 2003 03:01:07 -0500 (CDT)

http://news.com.com/2100-1009-996997.html

By Robert Lemos 
Staff Writer, CNET News.com
April 15, 2003

Two information technology groups have teamed with the four largest
accounting firms to hash out guidelines and best practices that they
say executives need in order to secure their companies.

TechNet, a lobbying group of more than 150 information technology
companies, said Tuesday that it would work with the Internet Security
Alliance to create the guidelines in the next six months.

"We are really trying to answer the challenge that the government gave
us," said Rick White, president and CEO of the technology-industry
lobby TechNet. "We think that with these three groups--the government,
the industry and the tech community--bringing their efforts to bear,
we can really make this work."

President George W. Bush in February 2003 said the United States
government would not regulate technology companies, but rather would
promote cooperation between the industry and the government to secure
infrastructure.

The two technology groups will use the expertise of the four large
accounting firms--KPMG, PricewaterhouseCoopers (whose consulting arm
is now part of IBM), Deloitte & Touche and Ernst & Young--to help
create the guidelines. The starting point will be a top-10 list of
security steps for executives that the Internet Security Alliance has
already created.

"We wanted to aim at the top because we believe that at the top, with
boardroom involvement and (policy) trickling down, we can get the best
results," said John Shaughnessy, vice chairman of the Internet
Security Alliance and senior vice president for security and fraud
protection at Visa International.

The groups plan to release the guidelines and then to set a date by
which their membership should comply with the security steps.

"The question kept being asked: 'Is anyone really going to do
something?'" said Howard Schmidt, the White House cybersecurity
advisor. He pointed out that hardware and software makers have already
started to tighten up their products' security and that infrastructure
companies are identifying their weaknesses.

More needs to be done, he stressed. "Time is of the essence. We have
not been able to get people on board quickly."

The United States government continues to eschew regulations as a
solution to the security problem, said Schmidt. Companies that don't
follow best security practices will answer to the markets, not the
government, he said.

"There will not be sanctions," he said. "The sanctions will be that
consumers won't buy their products or services."

TechNet's White said he thinks the approach will work.

"Our hope here is to shame the industry into creating a higher level
of security," he said. He added that "shame" might be a bit strong of
a word, but that security groups' efforts have paid off.

"I think there is a certain sense of urgency here."


