Is Regulation Inevitable for Enterprise Security? - Page 3

By Larry Dignan  |  Posted 2004-06-02

So what can you do today to get ahead of a cybersecurity regulation? For starters, track developments from Putnam's subcommittee at . Under the draft's key provisions, companies would be required to:
  • Perform a security audit to assess the risk of unauthorized access, disruption, modification and destruction of information and information systems.
  • Investigate cyber-risk insurance. Putnam says the insurance industry should cut prices for companies that meet best practices.
  • Take an inventory of critical infrastructure assets such as stray routers, servers and areas where there's easy access to networks. Herron says inventory is the most underrated security chore.
  • Develop risk mitigation, incident response and business continuity plans, and test these procedures quarterly to annually, depending on best practices for each area.
  • Submit to an information security audit by an independent third party.
Four of these five practices are considered by security experts to be no-brainers. The final one—an information security audit—could be stickier. For starters, it's unclear whether a newly created or existing agency would oversee the audits. Putnam's draft puts information security verification under the SEC, but analysts such as Forrester Research's Michael Rasmussen say such monitoring is "out of scope" for the agency.
According to David Peyton, director of technology policy for NAM, the biggest issue surrounding any cybersecurity legislation is the lack of generally accepted practices. "Computer security audits are 80 to 90 years behind financial audits," Peyton says. Some of the minimal best practices listed by ISSA include setting up a security policy with baseline expectations for security procedures and guidelines, establishing accountability for information access, cataloging types of information and correlating the level of risk with the value of the data.

OUT OF THE LOOP?
If executives don't get involved soon, they could find themselves adhering to standards set by Beltway regulators who operated without input from the technology executives and project managers who are responsible for and implement information security procedures, according to Herrod. "What's scary about this is the people driving don't have business user input," she says. "I don't think it's thoroughly thought out—not that Putnam isn't right."

The lack of user input is not terribly surprising given the reaction from technology executives contacted by Baseline. Most executives had never heard of Putnam or his subsequent working group. However, executives don't doubt that cybersecurity regulation is on the way.

David Womeldorf, chief technology officer of beverage equipment parts distributor Bevcore Solutions in Osseo, Minn., says he is comfortable with having security practices verified by a third party. Womeldorf doesn't want to disclose his security setup, but would be comfortable with an independent agent offering the public a "fairness statement," as in the accounting world, affirming that proper practices are in place.

While it's still early, security experts like John, now a principal at Blackwell Consulting, are convinced companies are going to face more information security regulation from legislators like Putnam: "This is a train going someplace, and it's understandable that someone wants to lead it."

Business Editor
Larry formerly served as the East Coast news editor and Finance Editor at CNET. Prior to that, he was editor of Ziff Davis Inter@ctive Investor, which was, according to Barron's, a Top-10 financial site in the late 1990s. Larry has covered the technology and financial services industry since 1995, publishing articles in, Inter@ctive Week, The New York Times, and Financial Planning magazine. He's a graduate of the Columbia School of Journalism.