Cybersecurity coalition offers IT security tools

A coalition of public- and private-sector organizations today released a set of guidelines to help nongovernmental organizations manage IT security issues.

"This is not a technical, CIO or chief security officer issue," said F. William Conner, CEO of Entrust Inc. of Addison, Texas, and co-chairman of the task force that produced the guidelines. "It is a corporate governance, board-level and CEO issue."

The task force, formed by the National Cyber Security Partnership and supported by the Homeland Security Department, called for voluntary adoption of the guidelines by companies, nonprofits and educational institutions.

The document is based largely on existing standards and accepted best practices.

"A lot of it is common sense," said Art Coviello, CEO and president of RSA Security Inc. of Bedford, Mass., and Conner's co-chairman. "We didn't reinvent the wheel."

The guidelines focus on process rather than technology, outlining a cycle of risk assessment, policy development, architecture development and ongoing review overseen at the highest levels of management. They incorporate tools such as standards from the International Standards Organization and the International Electrotechnical Commission, and practices set out in the Federal Information Security Management Act.

The U.S. Chamber of Commerce, the IT Association of America, TechNet and the Business Software Alliance created NCSP with DHS at a conference in December. The partnership established five task forces to come up with plans for implementing the National Strategy to Secure Cyberspace, released last year.

Although the guidelines are voluntary, government officials in attendance at the release briefing said regulatory enforcement could not be ruled out.

"That threat is always there," said Orson Swindle, commissioner of the Federal Trade Commission. "We are going to enforce existing laws."

Swindle made a comparison with online privacy policies, which have been widely adopted without regulatory mandates by companies doing business online.

"We chose to engage in a heated and controversial dialog for several years," rather than immediately try to impose regulations on companies, he said. "The result is we are farther down the road," than if regulation had been the first step.

Adequate regulatory and legal requirements for information security already exist, RSA's Coviello said.

"We believe leaders of organizations today already have a fiduciary responsibility" to ensure IT security, he said. What has been missing is a generally accepted framework for compliance. He said the task force's guidelines provide one.

DHS had little direct input in the guidelines. The department's major contribution was in "not impeding" the task force's work, Conner said.

Amit Yoran, director of the DHS National Cyber Security Division, said it was too early to comment on specific recommendations in the guidelines and that DHS will not prescribe specific actions for organizations to secure systems.

"That's an organizational risk management decision" to be made by each organization, he said.

William Jackson writes for Government Computer News magazine.