08 Oct 2003
BSA Task Force Unveils Industry Framework for Information Security Governance
WASHINGTON, DC - The Business Software Alliance (BSA) Information Security Governance Task Force today announced a management framework that the private sector can implement to address the growing need for cyber security and existing regulatory requirements. The Task Force, Co-Chaired by Entrust Chairman, President and CEO Bill Conner and Internet Security Systems, Inc. (ISS) President and CEO Thomas Noonan, was created to elevate information security governance issues to the higher management level within companies and organizations.
The framework was presented in a white paper released during the BSA's annual CEO Forum held today in Washington, DC, which included meetings with Administration and Congressional leaders. As part of these visits, the Task Force provided copies of the white paper entitled "Information Security Governance: Toward a Framework for Action" (executive summary below). Findings of the study include:
1. Government has already established a significant legislative and regulatory environment around IT security, and is considering additional action.
2. Information security is often treated solely as a technology issue, when it should also be treated as a governance issue.
3. There is already broad consensus on the actions necessary to remedy the problem.
4. Lack of progress is due in part to the absence of a governance framework.
"Information security is a critical and growing issue. According to Carnegie Mellon University's CERT Coordination Center, the number of reported cyber security incidents has doubled every year since 2000," said Holleyman. "We in industry have long been focused on working with governments to combat these growing crimes. With this task force, we hope to build upon those efforts and provide a framework that helps companies and organizations effectively secure their networks."
"Information security is not just a technical issue that can be addressed by the CIO. It is a corporate governance issue that must be addressed by CEOs and Boards of Directors," said Co-Chairman Bill Conner, CEO, chairman and president of Entrust. "Industry must recognize the reality of existing government regulations and establish information security governance programs if we are to make real progress. The goal of this framework is to provide a preliminary roadmap for this effort."
"Industry needs to take responsibility for its information security practices and the Task Force is designed to encourage that progress," said Co-Chairman Thomas Noonan, president and CEO of Internet Security Systems. "If industry does not take a leadership role on the implementation of security best practices, we will find ourselves at the mercy of reactive regulation. We look forward to continuing our work with the BSA and industry partners to effectively guide the private sector toward better security."
The BSA Information Security Governance Task Force member companies involved in the development of this white paper include: Autodesk, Cisco, Entrust, Intel, Internet Security Systems, Intuit, Microsoft, Network Associates, Novell and Symantec.
About Business Software Alliance
The Business Software Alliance (www.bsa.org) is the foremost organization dedicated to promoting a safe and legal digital world. BSA is the voice of the world's commercial software industry and its hardware partners before governments and in the international marketplace. Its members represent one of the fastest growing industries in the world. BSA programs foster technology innovation through education and policy initiatives that promote copyright protection, cyber security, trade and e-commerce. BSA members include Adobe, Apple, Autodesk, Avid, Bentley Systems, Borland, Cisco Systems, CNC Software/Mastercam, Entrust, HP, IBM, Intel, Internet Security Systems, Intuit, Macromedia, Microsoft, Network Associates, Novell, PeopleSoft, RSA Security, Sybase and Symantec.
Executive Summary
Because today's economy depends on the secure flow of information within and across organizations, information security is an issue of vital importance. A secure and trusted environment for stored and shared information greatly enhances consumer benefits, business performance and productivity, and national security. Conversely, an insecure environment creates the potential for serious damage to governments and corporations that could significantly undermine consumers and citizens. For firms engaged in critical activities, such as electrical power generation, banking and finance, or healthcare, the stakes are particularly high.
Where do we stand in the effort to bolster information security? If the stakes are so high, why haven't we made more progress? In attempting to answer these questions, the task force identified four findings.
Findings:
- Government has already established a significant legislative and regulatory regime around IT security, and is considering additional action. Many companies are actively addressing their information security needs. What is not as widely recognized is the fact that Congress and state governments have already passed into law several bills that govern how companies must address information security issues.
- Information security is often treated solely as a technology issue, when it should also be treated as a governance issue. The CIO alone cannot remedy the problem; the board of directors and executive management must also be actively engaged.
- There is already broad consensus on the actions necessary to remedy the problem. A review of literature shows that most guidance documents and other reports recommend a common solution and support the approach reflected in ISO 17799 and the Federal Information Security Management Act (FISMA).
- Lack of progress is due in part to the absence of a governance framework. If progress is to be accelerated, a management framework that instructs personnel at different levels about how to implement solutions is crucial.
Each of these findings is discussed in more detail below.
Recommendations:
1. Government and industry should recognize that a significant regulatory regime already exists for information security. Some laws address information security directly; others address it indirectly through such issues as financial governance, privacy, or reporting requirements. Taken together, they have a broad impact on the US private sector, and companies should begin developing programs to comply with them. A summary of these laws is provided in Table 1.
| RECENT LEGISLATION | WHO IS AFFECTED? | WHAT DO THE SECURITY PROVISIONS COVER? | WHAT ARE PENALTIES? | WHEN IS IT IN EFFECT? |
|---|---|---|---|---|
| Sarbanes-Oxley Act of 2002 | All public companies subject to US security laws | Internal controls and financial disclosures | Criminal and civil penalties | Current law |
| Gramm-Leach-Bliley Act of 1999 | Financial institutions | Security of customer records | Criminal and civil penalties | Current law |
| Health Insurance Privacy and Accountability Act (HIPAA) | Health plans, health care clearinghouses, and health care providers | Personal health information in electronic form | Civil fines and criminal penalties | Final security rule takes effect in April 2005 |
| California Database Security Breach Information Act (SB 1386) | State agencies, persons, and businesses that conduct business in the State of California | Reporting of breaches of unencrypted personal information | Civil fines and private right of action | Current law |
| Federal Information Security Management Act | Federal agencies | Federal information, information systems, and security programs | Loss of IT funding | Current law |
| Bottom Line | Significant impact on US private sector and governments | Financial, customer, health, personal and government information | Criminal and civil penalties and private right of action | Most provisions are already in effect |

Table 1: Impact of Recent Information Security Legislation
2. Industry should develop an information security governance framework that organizations can readily adopt. The Federal Information Security Management Act (FISMA) and International Standards Organization (ISO) 17799 serve as good inputs to this framework. FISMA provides a management template for federal government agencies that can be adapted to private sector needs. ISO gives broad guidance for implementing information security, but must be tailored to fit each company's needs according to their risk assessment. To promote this effort, the task force has developed a preliminary governance framework, for comment and refinement by public and private organizations. A summary of the framework is provided below. A more complete discussion is provided in Table 4 on page 7. A variety of related activities are being undertaken by other organizations, and this effort is designed to complement those activities. BSA will work closely with other industry groups and with government to refine and advance this framework.
| Actors/Actions | Corporate Executives | Business Unit Head | Senior Manager | CIO/CISO |
|---|---|---|---|---|
| Governance/Business Drivers | What am I required to do? What am I afraid not to do? | | | |
| Roles and Responsibilities | How do I accomplish my objectives? | | | |
| Metrics/Audit | How effectively do I achieve my objectives? What adjustments do I need to make? | | | |

(In the original layout each question spans all four actor columns: the same question is asked at every level of the organization.)

Table 2: Preliminary Governance Framework
Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. Entrust is a registered trademark of Entrust Limited in Canada. All other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc or Entrust Limited. All other company and product names are trademarks or registered trademarks of their respective owners.