Forwarded from: Gary Hinson <Gary@private>

Disclosing information on cybersecurity to stakeholders might sound like A Good Thing, but in practice what will this actually achieve? It seems to me that companies are increasingly supposed to disclose information about corporate governance, but what typically appears in the annual reports is generalities dotted with occasional references to specific governance-related regulations. Covering information security or IT governance in the same bland way seems pretty pointless to me.

If instead organizations are somehow forced to disclose meaty details about their security controls, they will inevitably use carefully-chosen words to satisfy their PR and legal people, revealing as little potentially damaging information as possible. There is of course a very strong argument that disclosing security vulnerabilities will encourage their exploitation and thus damage the organization. "We have some security problems but we won't explain" is not very helpful!

Standards such as BS7799 provide a real alternative. Organizations get assessed and certified by independent accredited bodies, against broad information security criteria that are interpreted rigorously but sensibly in the local context. BS7799 certificates in effect guarantee that there is a reasonably well structured framework of appropriate security controls in place. Now we are starting to get somewhere! Not only is it possible to demonstrate publicly that a certain internationally-accepted baseline level of security has been achieved, but this can be done without revealing details of the actual security controls (and possibly control gaps) in the process.

In my experience, ISO17799/BS7799 goes considerably further by introducing an ongoing process for improving information security. Organizations don't stop improving their controls just to meet the standard but continue adding value with the structured framework it typically introduces. There are strong parallels with the quality management standard ISO9000.

What would you rather see in the Annual Report: "We have implemented certain controls to limit our cybersecurity risks as far as is reasonably practicable" or "We continuously monitor and improve our information security management controls in accordance with ISO17799 and hold BS7799 certificate number XXXX"?

Kind regards,
Gary Hinson, CEO, IsecT Ltd.

-----Original Message-----
From: owner-isn@private [mailto:owner-isn@private] On Behalf Of InfoSec News
Sent: 14 October 2003 13:21
To: isn@private
Subject: [ISN] Homeland Security chief mulls SEC cybersecurity filings

Forwarded from: Anne & Lynn Wheeler <lynn@private>

http://www.garlic.com/~lynn/aepay3.htm#riskm
Thread Between Risk Management and Information Security

http://www.computerworld.com/securitytopics/security/story/0,10801,85888,00.html

Homeland Security chief mulls SEC cybersecurity filings
Companies could be required to detail cybersecurity efforts

Story by Andy Sullivan
OCTOBER 09, 2003
REUTERS

Publicly traded companies could be required to disclose whether they are doing anything to secure information on their computer systems, U.S. Department of Homeland Security Secretary Tom Ridge said today.

Ridge said he had met with William Donaldson, chairman of the U.S. Securities and Exchange Commission, to discuss whether companies should be required to disclose cybersecurity efforts in their SEC filings.

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.

This archive was generated by hypermail 2b30 : Thu Oct 16 2003 - 02:32:56 PDT