ARE BUSINESSES WILLING TO DISCLOSE KEY SECURITY MEASURES TO THE FEDS?

Source: Security Wire Digest
Posted on April 16, 2001

Comparing the security of critical infrastructure to Y2K preparedness, a key political figure is calling for new Securities and Exchange Commission (SEC) regulations to force publicly traded companies to disclose their infosecurity measures. Though some security experts view the proposal as a much-needed step, others are concerned that such disclosure will provide a roadmap for hackers.

At an Internet Security Policy Forum late last month, Sen. Robert Bennett (R-Utah) said he planned to propose that the SEC regulate and disclose the steps publicly traded companies have taken to protect their informational assets. An SEC spokesman said no cybersecurity proposal is currently in front of the commission.

Bennett, who was instrumental in advocating that the SEC regulate Y2K preparedness, says similar regulation is needed for government and private industry to ensure the security of information systems and protect America's overall technical infrastructure. Bennett says that he doesn't view disclosure as a silver bullet, but as a policy which helps to encourage the free market to adopt and sustain security practices.

"The value of an SEC disclosure is not to broadcast (security) configurations -- this would be irresponsible," Bennett, a member of the Senate's high-tech task force, told Security Wire Digest. "Government and the free market should strive to raise awareness about the risks involved with interconnected, interdependent and highly automated systems."

Though wary of over-regulation, supporters laud the proposal as a step in the right direction. "I'm not a big fan of regulation, but a lot of resources and dollars need to be committed to drive this issue to the proper level and perspective," says Bruce Murphy, CEO of Vigilinx, a managed security consultancy based in New York. "I think there's some benefit to be gained from regulation -- companies will take the path of least resistance, and they will overlook things or take somewhat of an ostrich approach to it. I think there is some value to be gained from additional enforcement or compliance measures."

However, Murphy and other observers caution that divulging specifics on security measures could lead to exposing which vulnerabilities exist for a particular company. "Going forward, there is a risk that additional details that would be disclosed could be mapped against other available information, providing a combination that would lead to conclusions about a company's ability to protect itself adequately," says Eddie Schwartz, senior vice president of operations at Guardent, a Waltham, Mass.-based security integration and consulting firm.

"Studies have been done that indicate people in foreign countries have been mapping the resilience of networks to certain vulnerabilities and creating statistical patterns to apply to specific targets," adds Schwartz. "Now, instead of eight data elements, you've given them 25 for their model. Statistically, they are going to have more success."

Paul Robertson, director of risk assessment at Internet security assurance provider TruSecure Corp., says, "Parts of the information wouldn't be as useful to defenders as it would be to hackers, terrorists, hostile government-sponsored foreign competition and others wishing to do harm. Being able to search for victims based on specific profile information would be a boon to most attackers and not a lot of help to the victims."

Sen. Bennett believes his proposal will encourage enterprises to have adequate security for their needs, but critics point out such information may also put these organizations at greater risk.

"I don't think there's a big deal in saying 'Yes, we have a firewall.' If you start getting into makes and models, that's giving them actual architecture that someone could use against you," says John Frazier, director of security at Dallas, Texas-based e-business solutions firm i2 Technologies. "However, without the specifics, it's kind of a Catch-22. The only way it will have meaning is if you disclose enough detail, but without detail it has no purpose."
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.