RE: [ISN] Homeland Security chief mulls SEC cybersecurity filings

From: InfoSec News (isn@private)
Date: Wed Oct 15 2003 - 23:17:55 PDT

    Forwarded from: Gary Hinson <Gary@private>
    
    Disclosing information on cybersecurity to stakeholders might sound like A
    Good Thing, but in practice what will this actually achieve?  It seems to me
    that companies are increasingly supposed to disclose information about
    corporate governance, but what typically appears in the annual reports is
    generalities dotted with occasional references to specific
    governance-related regulations.  Covering information security or IT
    governance in the same bland way seems pretty pointless to me.
    
    If instead organizations are somehow forced to disclose meaty details about
    their security controls, they will inevitably use carefully-chosen words to
    satisfy their PR and legal people, revealing as little potentially damaging
    information as possible.  There is of course a very strong argument that
    disclosing security vulnerabilities will encourage their exploitation and
    thus damage the organization.  "We have some security problems but we won't
    explain" is not very helpful!
    
    Standards such as BS7799 provide a real alternative.  Organizations get
    assessed and certified by independent accredited bodies, against broad
    information security criteria that are interpreted rigorously but sensibly
    in the local context.  BS7799 certificates in effect guarantee that there is
    a reasonably well structured framework of appropriate security controls in
    place.  Now we are starting to get somewhere!  Not only is it possible to
    demonstrate publicly that a certain internationally-accepted baseline level
    of security has been achieved, but this can be done without revealing
    details of the actual security controls (and possibly control gaps) in the
    process.
    
    In my experience, ISO17799/BS7799 goes considerably further by introducing
    an ongoing process for improving information security.  Organizations don't
    stop improving their controls just to meet the standard but continue adding
    value with the structured framework it typically introduces.  There are
    strong parallels with the quality management standard ISO9000.
    
    What would you rather see in the Annual Report: "We have implemented certain
    controls to limit our cybersecurity risks as far as is reasonably
    practicable" or "We continuously monitor and improve our information
    security management controls in accordance with ISO17799 and hold BS7799
    certificate number XXXX"?
    
    Kind regards,
    Gary Hinson, CEO, IsecT Ltd.
    
    
    -----Original Message-----
    From: owner-isn@private [mailto:owner-isn@private] On Behalf Of InfoSec News
    Sent: 14 October 2003 13:21
    To: isn@private
    Subject: [ISN] Homeland Security chief mulls SEC cybersecurity filings
    
    
    Forwarded from: Anne & Lynn Wheeler <lynn@private>
    
    http://www.garlic.com/~lynn/aepay3.htm#riskm
    Thread Between Risk Management and Information Security
    
    
    http://www.computerworld.com/securitytopics/security/story/0,10801,85888,00.html
    
    Homeland Security chief mulls SEC cybersecurity filings
    Companies could be required to detail cybersecurity efforts
    
    Story by Andy Sullivan
    OCTOBER 09, 2003
    REUTERS
    
    Publicly traded companies could be required to disclose whether they
    are doing anything to secure information on their computer systems,
    U.S. Department of Homeland Security Secretary Tom Ridge said today.
    
    Ridge said he had met with William Donaldson, chairman of the U.S.
    Securities and Exchange Commission, to discuss whether companies
    should be required to disclose cybersecurity efforts in their SEC
    filings.
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 16 2003 - 02:32:56 PDT