WASHINGTON — IT executives continued efforts to pre-empt federal mandates Monday by calling on industry, nonprofits and educational institutions to make information security governance (ISG) a priority.
Flanked by Amit Yoran, director of the Department of Homeland Security’s National Cyber Security Division, and Orson Swindle, Federal Trade Commissioner, a tech industry task force outlined cyber security roles and responsibilities within corporations.
The report combines security standards and best practices, metrics and tools that, according to the task force, bring accountability to three key elements of corporate governance programs: people, process and technology.
“Information security is not just a technology issue, it is also a corporate governance issue,” said Art Coviello, president and CEO of RSA Security and co-chair of the Corporate Governance Task Force of the National Cyber Security Partnership.
The task force will help organizations meet the call to action by promoting ISG programs through an awareness campaign in the coming months.
“In this era of increased cyber attacks and information security breaches, it is essential that all organizations give information security the focus it requires,” Yoran said.
If they don’t, Congressman Adam Putnam (R-Fla.) is waiting with his Corporate Information Security Accountability Act, which would require publicly traded companies to include a security status report with their annual filing with the Securities and Exchange Commission.
Putnam’s checklist would include an inventory of IT assets; a risk assessment and management plan; an incident response plan; and a tested business continuity plan. The checklist would have to be certified by an independent auditor.
“Prior to filing the draft legislation, I solicited feedback from a number of private sector individuals, companies and trade associations,” Putnam said last week. “Following a review of that constructive feedback, and confirming that a private sector-driven, market-based initiative was always the desired preference, I decided to postpone the introduction of my proposed draft legislation, while challenging the private sector to identify an alternative approach . . .”
Monday, Putnam said he was pleased with the task force’s proposals.
The task force wants businesses to commit to ISG by stating on their Web sites that they intend to use the tools developed by the group.
“We cannot solve our cyber security challenges by delegating them to government officials or CIOs,” said Entrust CEO Bill Conner, who co-chairs the task force. “The best way to strengthen United States information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.”