Software group has security framework
- By Diane Frank
- Oct 08, 2003
Information Security Governance: Toward a Framework for Action
The Business Software Alliance's Information Security Governance Task Force released its security management framework today.
The document, titled "Information Security Governance: Toward a Framework for Action," is meant to help companies comply with federal laws and alleviate increased consumer security concerns. It is modeled after the structure outlined for government agencies in the Federal Information Security Management Act of 2002. The framework breaks down business drivers, roles and responsibilities and metrics for chief executives, business unit heads, program managers and other managerial personnel.
"Information security is not just a technical issue that can be addressed by the CIO," said Bill Conner, chief executive officer, chairman and president of Entrust Inc., and cochairman of the task force. "It is a corporate governance issue that must be addressed by CEOs and boards of directors."
Companies' need for a governance structure is particularly strong right now with a number of federal regulations and laws in place requiring security and privacy measures, according to BSA. These include the Health Insurance Privacy and Accountability Act and the Graham-Leach-Bliley Act, which respectively focus on the health care and financial services industries.
The Bush administration, through the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate, has launched a major push encouraging the private sector to increase its security capabilities. The National Infrastructure Advisory Council will meet next week to discuss industrywide efforts, including guidelines for disclosing vulnerabilities and best practices for sharing and analyzing incident information.