Information Security News mailing list archives

RE: Homeland Security chief mulls SEC cybersecurity filings


From: InfoSec News <isn () c4i org>
Date: Thu, 16 Oct 2003 01:17:55 -0500 (CDT)

Forwarded from: Gary Hinson <Gary () isect com>

Disclosing information on cybersecurity to stakeholders might sound like A
Good Thing, but in practice what will this actually achieve?  It seems to me
that companies are increasingly supposed to disclose information about
corporate governance, but what typically appears in the annual reports is
generalities dotted with occasional references to specific
governance-related regulations.  Covering information security or IT
governance in the same bland way seems pretty pointless to me.

If instead organizations are somehow forced to disclose meaty details about
their security controls, they will inevitably use carefully-chosen words to
satisfy their PR and legal people, revealing as little potentially damaging
information as possible.  There is of course a very strong argument that
disclosing security vulnerabilities will encourage their exploitation and
thus damage the organization.  "We have some security problems but we won't
explain" is not very helpful!

Standards such as BS7799 provide a real alternative.  Organizations get
assessed and certified by independent accredited bodies, against broad
information security criteria that are interpreted rigorously but sensibly
in the local context.  BS7799 certificates in effect guarantee that there is
a reasonably well structured framework of appropriate security controls in
place.  Now we are starting to get somewhere!  Not only is it possible to
demonstrate publicly that a certain internationally-accepted baseline level
of security has been achieved, but this can be done without revealing
details of the actual security controls (and possibly control gaps) in the
process.

In my experience, ISO17799/BS7799 goes considerably further by introducing
an ongoing process for improving information security.  Organizations don't
stop improving their controls just to meet the standard but continue adding
value with the structured framework it typically introduces.  There are
strong parallels with the quality management standard ISO9000.

What would you rather see in the Annual Report: "We have implemented certain
controls to limit our cybersecurity risks as far as is reasonably
practicable" or "We continuously monitor and improve our information
security management controls in accordance with ISO17799 and hold BS7799
certificate number XXXX"?

Kind regards,
Gary Hinson, CEO, IsecT Ltd.


-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf
Of InfoSec News
Sent: 14 October 2003 13:21
To: isn () attrition org
Subject: [ISN] Homeland Security chief mulls SEC cybersecurity filings


Forwarded from: Anne & Lynn Wheeler <lynn () garlic com>

http://www.garlic.com/~lynn/aepay3.htm#riskm
Thread Between Risk Management and Information Security


http://www.computerworld.com/securitytopics/security/story/0,10801,85888,00.html

Homeland Security chief mulls SEC cybersecurity filings
Companies could be required to detail cybersecurity efforts

Story by Andy Sullivan
OCTOBER 09, 2003
REUTERS

Publicly traded companies could be required to disclose whether they
are doing anything to secure information on their computer systems,
U.S. Department of Homeland Security Secretary Tom Ridge said today.

Ridge said he had met with William Donaldson, chairman of the U.S.
Securities and Exchange Commission, to discuss whether companies
should be required to disclose cybersecurity efforts in their SEC
filings.

[...]
