Industry groups release security tools

TechNet and the Information Technology Association of America rolled out cybersecurity evaluations for companies to use.

SANTA CLARA, Calif. -- A pair of information technology industry groups unveiled security assessment tools at this week's National Cyber Security Summit.

Officials from the Homeland Security Department want proof that the companies are improving their cybersecurity posture, and industry is rushing to provide it, starting with new tools and practices, officials said. Homeland Security Department officials must be able to show specifically how companies are strengthening the nation's cybersecurity, said Robert Liscouski, assistant secretary for infrastructure protection in the department's Information Analysis and Infrastructure Protection Directorate.

"If we can't tell that story, I can tell you there are a lot of people out there willing to legislate compliance," he said.

Groups released two tools designed to help companies become more aware of their security progress.

TechNet, an association of chief executive officers and other senior executives, unveiled its Corporate Information Security Evaluation tool, which takes CEOs, chief information officers and chief security officers through 88 points on risk management, people, processes and technology. The evaluation will help define where questions should be asked and improvements made, said Art Coviello, CEO of RSA Security Inc. and co-chairman of TechNet's Cyber Security CEO Task Force.

The Information Technology Association of America, in partnership with the Marshall School of Business at the University of Southern California, announced its Cyber Security Assessment, which will build on information provided by the TechNet evaluation. The key is performing both assessments regularly and measuring progress at every step, said Harris Miller, president of ITAA.

Both tools drew from the government's recent experience with self-assessments under the Government Information Security Reform Act (GISRA) of 2000 and the Federal Information Security Management Act (FISMA) of 2002, Coviello said. There, the focus also was on repeated measurements to identify shortcomings and demonstrate improvement or regression, he said.

The industry groups developed the tools with input from Homeland Security officials, but they are only part of the solution, Liscouski emphasized, saying that many other tools and measurements must come into play before anyone can determine that the private sector is on top of the security problem. The entire process will take time, and the government has not ruled out stepping in with some sort of regulation or legislation, he said.

"This is a long-term journey -- you should not be mistaken and think that this is going to happen overnight," he said.

Industry leaders and experts at the event said they are working with federal agencies to set specific tasks, practices and timelines to meet the goals of the Bush administration's National Strategy to Secure Cyberspace. The work includes details of identifying alerts and warnings that communities need to receive and providing a simple, effective and reliable software patch process. The initial steps are to be outlined at the end of the summit.