Because the private sector operates most of the countrys cyber-infrastructure, the government so far has refrained from imposing broad-based laws regulating network security. Only sector-specific privacy laws, such as those covering the financial and health-care industries, have been implemented.
But as network risks proliferate, policy-makers increasingly worry that the private sector is not doing enough to safeguard its own networks.
The recommendations issued Monday by the corporate governance task force of the National Cyber Security Partnership trace guidelines established previously. The task force set forth a security governance framework, including network-assessment tools, and recommended that companies adopting the guidelines state their intentions on their Web sites.
The task force says companies should conduct periodic risk assessments, assign explicit individual roles in security management structures and use best-practices guidance such as the ISO 17799 to measure their security performance. CEOs also should conduct annual security evaluations, it said.
"A lot of this is common sense. We didnt reinvent the wheel," said Arthur Coviello, CEO and president of RSA Security Inc., who co-chaired the task force with William Conner, chairman, CEO and president of Entrust Inc.
The task force also recommended that the Department of Homeland Security endorse the framework and encourage companies to make security a part of corporate governance.
But Amit Yoran, director of the National Cyber Security Division at DHS, would not say whether the agency plans to follow the recommendations.
Coviello said chief executives today have a duty to incorporate information security into their jobs.
"I am a CEO, and I do view this as my fiduciary responsibility," Coviello said. When asked whether defining network security as a fiduciary duty could leave companies liable in the event of a security breach, Coviello said plaintiffs attorneys would be the least of a companys problems in the event of a major network breach.