Federal agencies must set security benchmark, says US workgroup

Representatives from IT trade and security organisations are calling for federal agencies to force IT suppliers to build more secure products.

The Corporate Information Security Working Group (CISWG) has also recommended that insurance companies base the cost of cyber-risk insurance on a company's security posture as a way of influencing the adoption of best practices.

Perhaps the most significant CISWG recommendation is one that calls for the enforcement of the provisions of the Federal Information Security Management Act (FISMA), said Alan Paller, a CISWG member and director of research at the SANS Institute.

FISMA requires federal agencies to establish and enforce certain minimum security configuration standards for systems they buy and deploy. Requiring suppliers to meet those standards will also result in more secure systems in the private sector, he added.

"The federal government has $56bn worth of buying power. If it sets a minimum requirement for its own machines, it will cost the vendors nothing to deliver similarly safe machines" to private industry, Paller said.

The notion that insurance companies should take a more active role in fostering security standards is a good one, said Gartner analyst John Pescatore, noting that the insurance industry has already played an important role in fostering minimum vehicle and fire safety standards.

Another key recommendation is the need for standard guidelines and generally accepted measurement tools that users can follow when implementing security procedures, said Forrester Research analyst Michael Rasmussen, who presented a paper on the topic to CISWG members.

Another proposal called for changes to the law governing IT management. The CISWG recommended amendments to emphasise the need to include information security requirements in the strategic acquisition planning process.

Other CISWG recommendations include developing programs for qualification and certification, and giving critical infrastructure industry groups an exemption from US antitrust laws if they agree on obligatory security specifications for software and hardware they purchase.

Jaikumar Vijayan works for Computerworld