Industry groups release security tools

SANTA CLARA, Calif. -- A pair of information technology industry groups unveiled security assessment tools at this week's National Cyber Security Summit.

Officials from the Homeland Security Department want proof that the companies are improving their cybersecurity posture, and industry is rushing to provide it, starting with new tools and practices, officials said. Homeland Security Department officials must be able to show specifically how companies are strengthening the nation's cybersecurity, said Robert Liscouski, assistant secretary for infrastructure protection in the department's Information Analysis and Infrastructure Protection Directorate.

"If we can't tell that story, I can tell you there are a lot of people out there willing to legislate compliance," he said.

Groups released two tools designed to help companies become more aware of their security progress.

TechNet, an association of chief executive officers and other senior executives, unveiled its Corporate Information Security Evaluation tool, which takes CEOs, chief information officers and chief security officers through 88 points on risk management, people, processes and technology. The evaluation will help define where questions should be asked and improvements made, said Art Coviello, CEO of RSA Security Inc. and co-chairman of TechNet's Cyber Security CEO Task Force.

The Information Technology Association of America, in partnership with the Marshall School of Business at the University of Southern California, announced its Cyber Security Assessment, which will build on information provided by the TechNet evaluation. The key is performing both assessments regularly and measuring progress at every step, said Harris Miller, president of ITAA.

Both tools drew from the government's recent experience with self-assessments under the Government Information Security Reform Act (GISRA) of 2000 and the Federal Information Security Management Act (FISMA) of 2002, Coviello said. There, the focus also was on repeated measurements to identify shortcomings and demonstrate improvement or regression, he said.

The industry groups developed the tools with input from Homeland Security officials, but they are only part of the solution, Liscouski emphasized, saying that many other tools and measurements must come into play before anyone can determine that the private sector is on top of the security problem. The entire process will take time, and the government has not ruled out stepping in with some sort of regulation or legislation, he said.

"This is a long-term journey -- you should not be mistaken and think that this is going to happen overnight," he said.

Industry leaders and experts at the event said they are working with federal agencies to set specific tasks, practices and timelines to meet the goals of the Bush administration's National Strategy to Secure Cyberspace. The work includes details of identifying alerts and warnings that communities need to receive and providing a simple, effective and reliable software patch process. The initial steps are to be outlined at the end of the summit.
