Is Regulation Inevitable for Enterprise Security?

You may have to vouch for your information security in the not-too-distant future as regulators get restless over cyber-attacks. (Baseline)

Are you ready to declare your company secure against attacks from cyberterrorists?

If you're not, get moving. The odds are increasing that in the not-so-distant future, legislators will make corporate America adhere to yet-to-be-defined best practices in cybersecurity.

Just as the Sarbanes-Oxley Act of 2002 is designed to assure investors that financial records of a corporation are properly prepared and accurate, and the Health Insurance Portability and Accountability Act mandates better procedures for maintaining and exchanging information on medical patients, the processes by which you secure your data and computing resources may be the next facet of your operations to face compliance legislation.

Rep. Adam Putnam (R-Fla.) last fall drafted the Corporate Information Security Accountability Act of 2003, which would require companies to button down their information systems. The bill has not yet gone before the House of Representatives, but many of the proposals in Putnam's draft, as well as other recommendations, are being batted about in a working group created by the subcommittee Putnam chairs, the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

In the name of protecting national infrastructure, you may be asked to conduct annual security audits, produce an inventory of key assets and their vulnerabilities, carry cybersecurity insurance and even have your security measures verified by independent third parties, if the core features of the proposed legislation make it to the floor of the House.

The work is proceeding. In April, the working group submitted 23 suggestions to the subcommittee, including a provision that would shield companies from large, punitive lawsuits over security breaches.

What's at stake, in Putnam's view, is domestic security. Not only could terrorists take down your systems, they could also use your computing resources to attack federal, state and local computer networks.

Putnam's subcommittee resides under the Committee on Government Reform, headed by Rep. Tom Davis (R-Va.), who sponsored the Federal Information Security Management Act of 2002 (FISMA), which requires federal agencies to identify information security risks and fix problem areas.

Putnam's staff is evaluating the proposals and will kick them back to the working group, which includes representatives of 22 trade associations, ranging from the National Association of Manufacturers (NAM) to the Business Software Alliance to the U.S. Chamber of Commerce. Few of the members have actually implemented technology systems and security controls.

No timeline has been set on when legislation could reach the House floor, but Chrisan Herrod, a professor at the National Defense University, a joint military-educational facility, says she doesn't expect Putnam to push a bill before the November election. Putnam says his timeline is "short," but doesn't define it. Meanwhile, groups such as the Information System Security Association (ISSA) are working to identify best-practices guidelines for corporations, and hope companies will adopt them out of self-interest.

But, if they don't, "we reserve our right to legislate," says Bob Dix, staff director of Putnam's subcommittee. "What did it take to get corporate America motivated about Y2K? It took a Securities and Exchange Commission requirement to include a readiness statement in the annual report."
