Working group offers 25 ways to better IT security

The Corporate Information Security Working Group penned 25 recommendations on steps the private sector can take to improve IT security. It created the list for Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

A combination of new legislation, public outreach and insurance changes would enhance government and corporate cybersecurity, according to an industry and academic workgroup.

Putnam drafted legislation last fall that would require publicly traded companies to submit a status report on their IT security plans with filings to the Securities and Exchange Commission. Putnam has not sponsored the legislation; instead, he created the workgroup and has been working with it to identify alternative approaches to motivate companies to improve security.

Some of the recommendations include:

* Enforcing provisions of the Federal Information Security Management Act to require agencies to establish and enforce minimum security configuration standards for systems they deploy.

* Proposing an amendment to the Clinger-Cohen Act to highlight the need for cybersecurity during the acquisition-planning process.

* Providing an exemption from antitrust laws for critical infrastructure industry groups that agree to obligatory security specifications for software and hardware they purchase.

* Establishing third-party designations that identify qualified, certified or compliant organizations.

* Establishing programs that use market forces to motivate organizations to enhance cybersecurity programs.

* Considering legislation that would set liability limits or create safe-harbor protections as incentives for adoption of IT security controls.

* Considering economic incentives that would reward investments by companies in certified security products and services.

* Creating tiered federal disaster reimbursement payments that would be based on the extent to which best practices had been executed.

* Encouraging the availability and use of cyber insurance as a means to protect critical assets.

Putnam said he is evaluating the recommendations and already has begun drafting a Clinger-Cohen amendment.