
This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39116822,00.htm


Listed firms face IT security audits
Politicians getting twitchy about security...

By Declan McCullagh

Published: Monday 10 November 2003

Corporations listed on US stock exchanges would have to certify that they have conducted an annual computer security audit, according to a draft of long-awaited legislation the US House of Representatives is preparing.

The audit must be conducted by an independent party and assess "the risk and magnitude of the harm that could result from the unauthorised access," alteration or destruction of company computers, says the draft, prepared by Representative Adam Putnam. Putnam is chairman of a House technology subcommittee.

Putnam said in a statement this week: "Given the magnitude of the threat and the depth of the vulnerabilities that exist today, it is imperative that we address this matter aggressively and collaboratively in order to enhance the protection of the nation's information networks on behalf of the American people and the US economy."

He warned that the Federal Information Security Management Act established detailed security regulations for agencies to follow, but private companies have no such obligations.

It's not clear, however, what the fate of Putnam's "Corporate Information Security Accountability Act" will be. Technology companies, leery of aggressive government regulation and mandates from Washington politicians, are quietly trying to convince Putnam not to introduce the proposal.

On Wednesday, a group of prominent tech lobbyists met privately in an attempt to come up with an alternative to Putnam's proposal. Members of the informal working group include representatives of the US Chamber of Commerce, the Business Software Alliance, the SysAdmin Audit Network Security Institute, the National Association of Manufacturers, and the Information Technology Association of America (ITAA).

ITAA president Harris Miller said the group will "come back to [Putnam] early in 2004 with specific recommendations on what everyone at the meeting agreed was a common goal, which was to increase the focus of businesses across the United States on cybersecurity." Miller said the final recommendation could include legislative, regulatory or self-regulatory approaches.

"I don't want to say anything about the bill," Miller said, referring to Putnam's draft. "What I can say is that it's still in the minds of many organisations that it's something that needs further review."

Currently, publicly traded companies must follow a detailed set of rules when filing annual reports with the Securities and Exchange Commission. Putnam's proposal, seen by silicon.com's sister site CNET News.com, would extend that annual reporting requirement to include the audit that would follow standards to be set by the SEC.

It does say, however, that the certification in the annual report "shall not include specific proprietary information and shall not contain any information identifying, directly or indirectly, any specific vulnerability of the [company's] computer information."

For Putnam, making computer security audits mandatory is a matter of national security. During a hearing before his subcommittee in April, Putnam warned: "Federal, state and local law enforcement protect our bridges, railways and streets and provide for our own personal protection... Our critical infrastructure, of the cyber kind, must have the same level of protection if we are to be secure as a nation, from random hacker intrusions, malicious viruses or worse -- serious cyberterrorism."

One limitation of the Putnam bill is that it covers only publicly traded corporations. Other companies, including water companies, power companies, cooperatives and tens of millions of small businesses, would not face mandatory security assessments.

Declan McCullagh writes for CNET News.com
