If you read my column regularly, you probably already know that Im not a big proponent of legislative solutions to technological problems. From copyright protections to anti-spam enforcement, I tend to think that bills from governments will cause more harm than good.
However, there is a forthcoming bill of which I am in favor. U.S. Rep. Adam Putnam, R-Fla., will introduce a bill in the near future called the Corporate Information Security Accountability Act of 2003 (see a draft of the bill).
The bills main focus is to require publicly traded companies to have their IT security audited and to have the results of these audits submitted with the companies annual reports and Sarbanes-Oxley submissions. Also, the bill requires that companies security infrastructures meet certain minimum standards of accepted corporate security.
Why would I be in favor of this bill, which places extra burdens on businesses? Because most companies have shirked their responsibility to ensure their information systems are secure. Not only is their data not protected, but their systems could be turned into zombies to launch attacks on other businesses.
With 2003 already one of the worst years ever for viruses, worms and security problems, it is clear that the situation has been getting worse, not better. And while part of the blame goes to crackers, virus authors and software companies that write buggy code, the corporate world must take a large share of the blame.
In recent years, security workers too often have been among the first to feel the ax when budgets were cut. This has left IT security as one more job for overworked IT departments that havent been properly trained to protect and maintain security on complex information systems. Too many companies see IT security as simply a cost center with no tangible return, and many take the attitude that they will deal with a security problem when it happens, rather than try to prevent it.
The Corporate Information Security Accountability Act of 2003 could go a long way toward changing this. What a company does to secure its IT infrastructure would become part of its annual reports. Stockholders and the government would know if a company were failing to meet minimum IT security standards. This awareness would spur many companies to pay more attention to security than they have been.
Is this law perfect? No, its not. There are a lot of things I dont particularly like about it in its current form. For one, it mandates audits by outside security companies. While this will be great for business at these companies, Im not sure that is a complete necessity. Sarbanes-Oxley compliance can be accomplished through internal auditing methods, and companies should be able to use auditing and vulnerability assessment systems to test their own infrastructures.
In addition, the bill states that the Securities and Exchange Commission will set the minimum standards that need to be met. Im not very comfortable with this. I wouldnt be surprised to see a standard set by the SEC that would be too weak on technology security while being too complex in documentation and submission requirements.
In fact, a minimum standard in itself could be a problem. Does it make sense that an e-commerce company with massive exposure to Internet-borne attacks be required to meet the same standards as a manufacturing company with few systems facing the public Internet? Such a minimum standard will almost inevitably be very weak. Nonetheless, any increased level of corporate security vigilance will be an improvement.
Thats the key reason I support this bill. Right now, too many companies are doing little or nothing for IT security. This act would force these companies to pay attention to security or be prepared to face uncomfortable questions from investors and analysts about their lack of IT security readiness. If these companies were to have a security breakdown, it would be abundantly apparent if their own lack of preparedness were the cause of the problem.
Its hard to imagine IT security getting any worse. Anything that might make it better is a good thing in my book.
eWEEK Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.