Group suggests corporate auditors for cybersecurity
- By Florence Olsen
- Apr 12, 2004
Information Security Governance report
Corporations should hire cybersecurity auditors to examine their information systems just as they pay auditors to scrutinize their financial records, a task force of corporate and academic experts recommended in a report released today.
Security audits conducted annually would help corporations carry out a fiduciary responsibility they already have, said Arthur Coviello, a co-chairman of the task force and chief executive officer of RSA Security Inc., an information security company.
If CEOs were to hire auditing companies to perform annual computer and information security audits, accounting firms could gain a substantial increase in business, a fact not highlighted in the report. But security-auditing standards would need to be updated, task force members said.
In the report prepared for the Homeland Security Department, the group proposed expanded roles for CEOs and corporate governing boards in strengthening the nation's cybersecurity defenses. But it stopped short of recommending government-imposed mandates on businesses.
The importance of corporate governance for the nation's cybersecurity defenses stems from the fact that about 85 percent of the nation's critical infrastructure, such as power, water and sewage treatment facilities, is controlled by computer systems owned and managed by private businesses.
But the guidelines proposed for corporate governance are applicable to all organizations, including nonprofit and government agencies, said Amit Yoran, director of DHS' National Cyber Security Division.
One of the recommendations of the task force was that companies should use their corporate Web sites to publicize the fact that they conduct annual security audits.
In a statement issued today, Rep. Adam Putnam (R-Fla.), one of Capitol Hill's most avid information-security watchdogs, said he is "pleased that the corporate governance task force has identified IT security as an integral business matter that should be evaluated...at the highest level of management and in corporate board rooms."
Putnam, chairman of the House Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee, has not said what legislative steps, if any, he will take in response to the recommendations in this and other recent reports on corporate cybersecurity.