Representatives from IT trade and security
organisations are calling for federal agencies to force IT
suppliers to build more secure products.
The Corporate Information Security Working Group (CISWG) has
also recommended that insurance companies base the cost of
cyber-risk insurance on a company's security posture as a way of
influencing the adoption of best practices.
Perhaps the most significant CISWG recommendation is one that
calls for the enforcement of the provisions of the Federal
Information Security Management Act (FISMA), said Alan Paller, a
CISWG member and director of research at the SANS Institute.
FISMA requires federal agencies to establish and enforce certain
minimum security configuration standards for systems they buy and
deploy. Requiring suppliers to meet those standards will
also result in more secure systems in the private sector, he
added.
"The federal government has $56bn worth of buying power. If it
sets a minimum requirement for its own machines, it will cost the
vendors nothing to deliver similarly safe machines" to private
industry, Paller said.
The notion that insurance companies should take a more active
role in fostering security standards is a good one, said Gartner
analyst John Pescatore, noting that the insurance industry has
already played an important role in fostering minimum vehicle and
fire safety standards.
Another key recommendation is the need for standard guidelines
and generally accepted measurement tools that users can follow when
implementing security procedures, said Forrester Research analyst
Michael Rasmussen, who presented a paper on the topic to CISWG
members.
Another proposal called for changes to the law governing IT
management. The CISWG recommended amendments to emphasise the need
for including information security requirements in the strategic
acquisition planning process.
Other CISWG recommendations include developing programmes for
qualification and certification, and giving critical infrastructure
industry groups an exemption from US antitrust laws if they agree
on obligatory security specifications for software and hardware
they purchase.
Jaikumar Vijayan works for Computerworld.