Smaller Firms Demand More From Bush Plan

Cyber-security strategy will need more detailed, voluntary guidelines for small and midsize businesses.

Most of the recommendations spelled out in the National Strategy to Secure Cyberspace, recently released for comment, reflect best practices already in place at most large enterprises. But to induce the country's growing number of small and midsize businesses to adopt similar security precautions, the strategy will need more detailed, voluntary guidelines, industry sources say.

Forty-nine percent of all manufacturers in the United States do not have full-time IT professionals on staff, according to the National Association of Manufacturers. For those companies, the NAM will encourage the President's Critical Infrastructure Protection Board to include checklists and clear examples to support their recommendations, said Tom Orlowski, vice president of IS at the NAM, in Washington.

While manufacturers will likely seek more specific tools for SMBs, Orlowski lauded the voluntary nature of the recommendations drafted by the PCIPB. Despite criticism from the IT security sector for the strategy's lack of enforcement mechanisms and strict mandates, most industry sectors expressed relief the board did not back costly regulations.

A similar IT security split exists between small and large institutions of higher learning. The greatest challenge in complying with the plan's calls for standard IT security practices and increased data monitoring and reporting will be for small colleges, said Rodney Petersen, director of policy and planning for the Office of Information Technology at the University of Maryland, in College Park. To help smaller institutions, the academic community is trying to develop more partnerships and collectively document effective practices, Petersen said. "We need time to build consensus on these issues. It's going to require significant organizational change," he said.

As drafted, the strategy does include detailed guidelines that smaller companies can use now, said Shannon Kellogg, vice president of information security programs at the Information Technology Association of America, in Washington. "One of the things that the strategy does right away is highlight the campaign," Kellogg said. "You can learn how to harden your data for free. That is a useful vehicle for change."

But the strategy contains recommendations that the industry plans to resist. The Bush administration's bid to push corporations to publicly disclose their security audit companies and activities is chief among them. While regular security audits represent good practice and should be encouraged, disclosing the identity of audit companies and their findings could be detrimental, the NAM's Orlowski said. "Sometimes, revealing what is tested and who is testing reveals some of the weaknesses and strength of a system," he said. "[Audit] results should be for internal use only."

In seven recommendations spelled out for large enterprises, the national strategy suggests that CEOs should consider regular independent IT security audits. However, under a separate chapter on national priorities, the strategy is more specific and more stringent with regard to security audits.

Most industries have reached consensus on publicly disclosing security audit details. "We haven't taken a formal position on that yet, but the general industry reaction is that it wouldn't be a good idea," the ITAA's Kellogg said. PCIPB officials did not respond to requests for comment.
