Security groups look at community needs, security governance

Five task forces formed at the National Cyber Security Summit have until March 1 to develop measures.

SANTA CLARA, Calif. -- Agencies and companies need to determine what security warning information communities need and develop a framework for corporate security governance, officials said at this week's National Cyber Security Summit.

Five task forces formed this week at the summit have until March 1 to develop specific measures that will be implemented under the Homeland Security Department's supervision, but officials have already identified several steps to make progress in the near term.

For example, the Cyber Security Early Warning task force plans to complete the draft of a comprehensive plan to identify information needs and establish guidelines for handling that data by the group's next meeting on Dec. 17, said Guy Copeland, co-chairman of the task force and vice president of information infrastructure advisory programs at Computer Sciences Corp. That straw man document will be the basis for the real, practical solutions to be reported in March.

Leaders also set a goal for each of the Early Warning task force members to develop a one-page proposal within two weeks for a small security warnings implementation in their own organization that could represent a "baby step" toward larger solutions, he said.

Other task forces developed their plans for specific improvements that DHS officials said they need to prove companies are actually working with government on information technology security. Plans include developing a central repository housing security configuration guides for software and hardware, and identifying best practices for increasing security awareness and capabilities among software developers.

These initiatives are aimed at the commercial sector and state and local government, but will also help federal agencies, experts said. More security-conscious software development practices will result in better products, and greater security governance will reduce the vulnerabilities of partners that agencies connect to through e-government, said Ed Roback, chief of the National Institute of Standards and Technology's Computer Security Division and co-chairman of the Technical Standards/Common Criteria task force.

These are not the only efforts DHS has underway to implement the National Strategy to Secure Cyberspace, but they are important in the effort to improve security without regulation and legislation, said Amit Yoran, who will oversee the initiatives as director of the department's National Cyber Security Division within the Information Analysis and Infrastructure Protection (IAIP) Directorate.

"We are here to talk about progress, we are here to take action and we are here to make tangible improvements in our security," he said.

Officials also want to reach beyond the information technology industry. Recognizing that IT is only one of the sectors that make up the nation's critical infrastructure -- and that security must also be raised in areas not considered critical under the National Strategy for Homeland Security -- DHS officials are reaching out to agriculture, banking and other groups, said Sallie McDonald, director of strategic partnership within IAIP.

On Jan. 12 and 13, in conjunction with a forum in Washington, D.C., for top executives from across the country, senior officials from the directorate will meet to get feedback on the department's cybersecurity plans and ideas, she said.