Industry suggests security improvements
- By Florence Olsen
- Apr 06, 2004
Recommendations from Corporate Information Security Working Group
Corporations, which have been faulted for contributing to an insecure national cyberinfrastructure, had their say today in how they want the federal government to handle their computer security weaknesses.
The Corporate Information Security Working Group, which Rep. Adam Putnam (R-Fla.) convened five months ago, issued several lists of cybersecurity recommendations that Putnam has promised to review before considering any new security legislation.
Most of the recommendations from the group's call on the federal government to provide incentives for good corporate security practices, but they reject any substantial role for the federal government in policing the information security practices of corporations.
Putnam, a member of the House Government Reform Committee, issued a statement saying that businesses have "a responsibility to practice at least basic information security hygiene, and to do their part to contribute to the overall security of computers and information networks in this country."
Last fall, after concluding that corporations were not taking information security seriously enough, Putnam drafted legislation that would require publicly traded companies to include corporate information security plans as part of their annual filings with the Securities and Exchange Commission.
Negative reactions from corporate interests prompted Putnam to pull back and try an alternative, which was to form a working group that would make recommendations on how best to achieve corporate information security.
"I made it clear that the time table would be short, and that the draft legislation would remain a viable option," he said in his statement today.
The group made recommendations on best practices, education, incentives, information sharing and procurement practices. One recommendation was to amend the Clinger-Cohen Act of 1996 to require that federal agencies include computer information security in making IT strategic plans and spending decisions.
Putnam announced that he had already begun drafting that amendment.
The advisory group, made up of 25 senior business and academic leaders, offered several dozen recommendations, including some that would provide an exemption from the federal government's antitrust laws for critical infrastructure industry groups that agree on obligatory security specifications for software and software purchases.
In addition, the group proposed that the federal government encourage the use of cyberinsurance to protect the nation's critical cyberassets.
It also recommended that Congress consider providing safe harbor protections or limitations on liability as part of an overall effort to encourage the private sector to secure its information systems.