WASHINGTON -- New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports.
Computerworld obtained a copy of the bill in draft form Friday. Just this week, Richard Clarke, the former chairman of the President's Critical Infrastructure Protection Board, called for congressional action on a specific standard that the U.S. Securities and Exchange Commission could use to measure and enforce corporate cybersecurity efforts.
Known as the Corporate Information Security Accountability Act of 2003, the bill is being sponsored by Rep. Adam Putnam (R-Fla.), chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. It would require companies to hire an independent auditor to assess existing information security controls and ensure that they meet basic standards that the SEC has yet to determine. The agency would have 60 days after passage of the bill to come up with specific standards for the audits.
According to the draft legislation, companies would be required "to assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems," and "determine the levels of information security appropriate to protect such information and information systems."
To determine the appropriate security for various IT systems, companies would also be required to inventory their critical IT assets; provide an annual risk assessment; spell out their risk mitigation, incident response and business continuity plans; lay out company policies and procedures for reducing security risks to an acceptable level; and detail tests of the company's security controls and techniques to ensure their effectiveness.
Despite the move to require security assessments, some experts have pointed out that SEC involvement and the absence of specific metrics that can be used to measure compliance with a still-undefined set of security standards could be stumbling blocks for the proposal. That is exactly the situation Clarke criticized earlier this week.
"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke said Oct. 20 at the Gartner Symposium ITxpo 2003 in Lake Buena Vista, Fla.
Dan Burton, vice president of government affairs at Entrust in Addison, Texas, said there is broad agreement throughout industry that risk assessment and reporting are the "silver bullets" for cybersecurity. "But industry is wary of SEC involvement," he said. "Anybody who's done SEC compliance before knows that it can be extremely costly and contain all sorts of liabilities."
When asked if the Putnam bill would make a difference -- even without specific metrics having been identified -- Burton said, "Absolutely. This would force information security out of the closet. And it would make security part of the overall fabric of management and business operations."