Industry groups release security tools

SANTA CLARA, Calif. -- A pair of information technology industry groups unveiled security assessment tools at this week's National Cyber Security Summit.

Officials from the Homeland Security Department want proof that the companies are improving their cybersecurity posture, and industry is rushing to provide it, starting with new tools and practices, officials said. Homeland Security Department officials must be able to show specifically how companies are strengthening the nation's cybersecurity, said Robert Liscouski, assistant secretary for infrastructure protection in the department's Information Analysis and Infrastructure Protection Directorate.

"If we can't tell that story, I can tell you there are a lot of people out there willing to legislate compliance," he said.

Groups released two tools designed to help companies become more aware of their security progress.

TechNet, an association of chief executive officers and other senior executives, unveiled its Corporate Information Security Evaluation tool, which takes CEOs, chief information officers and chief security officers through 88 points on risk management, people, processes and technology. The evaluation will help define where questions should be asked and improvements made, said Art Coviello, CEO of RSA Security Inc. and co-chairman of TechNet's Cyber Security CEO Task Force.

The Information Technology Association of America, in partnership with the Marshall School of Business at the University of Southern California, announced its Cyber Security Assessment, which will build on information provided by the TechNet evaluation. The key is performing both assessments regularly and measuring progress at every step, said Harris Miller, president of ITAA.

Both tools drew from the government's recent experience with self-assessments under the Government Information Security Reform Act (GISRA) of 2000 and the Federal Information Security Management Act (FISMA) of 2002, Coviello said. There, the focus also was on repeated measurements to identify shortcomings and demonstrate improvement or regression, he said.

The industry groups developed the tools with input from Homeland Security officials, but they are only part of the solution, Liscouski emphasized, saying that many other tools and measurements must to come into play before anyone can determine that the private sector is on top of the security problem. The entire process will take time, and the government has not ruled out stepping in with some sort of regulation or legislation, he said.

"This is a long-term journey -- you should not be mistaken and think that this is going to happen overnight," he said.

Industry leaders and experts at the event said they are working with federal agencies to set specific tasks, practices and timelines to meet the goals of the Bush administration's National Strategy to Secure Cyberspace. The work includes details of identifying alerts and warnings that communities need to receive and providing a simple, effective and reliable software patch process. The initial steps are to be outlined at the end of the summit.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.