Are you ready to declare your company secure against attacks from cyberterrorists?
If youre not, get moving. The odds are increasing that in the not-so-distant future, legislators will make corporate America adhere to yet-to-be-defined best practices in cybersecurity.
Just as the Sarbanes-Oxley Act of 2002 is designed to assure investors that corporate financial records are properly prepared and accurate, and the Health Insurance Portability and Accountability Act mandates procedures for maintaining and exchanging medical information, the processes used to secure data and computing resources may face compliance legislation.
Rep. Adam Putnam (R-Fla.) last fall drafted the Corporate Information Security Accountability Act of 2003, which would require companies to secure their information systems. The bill has not gone before the House of Representatives, but the proposals in Putnams draft as well as other recommendations are being batted about in a working group created by the subcommittee Putnam chairs, the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
In the name of protecting national infrastructure, you may be asked to conduct annual security audits, produce an inventory of key assets and their vulnerabilities, carry cybersecurity insurance and have your security measures verified by independent third parties, if the core features of the proposed legislation make it to the floor of the House.