People problems still dog security

Toward a Framework for Action

It has become a cliche to say that people are the problem in securing information systems. But now industry experts are hoping they have a model for educating those who are less experienced with technology.

The Business Software Alliance's Information Security Governance Task Force released its security management framework Oct. 8. It is intended to be the first step toward getting managers into a security mind-set.

"Clearly, if you're going to get on top of cybersecurity, you're going to have to do it by managing a system [or] an organization, but it's amazing how often the discussion reverts back to the technology," said Dan Burton, vice president of government relations at Entrust Inc. and one of the leaders on the task force. The framework should help by making people outside the technology organization understand how they fit into the security picture, he said.

The document, titled "Information Security Governance: Toward a Framework for Action," is meant to help companies comply with federal laws and alleviate increased consumer security concerns. It is modeled after international standards and the structure outlined for government agencies in the Federal Information Security Management Act of 2002.

"We in industry have long been focused on working with governments to combat" security incidents, said Robert Holleyman, president and chief executive officer of BSA. "With this task force, we hope to build upon those efforts and provide a framework that helps companies and organizations effectively secure their networks."

The framework outlines governance and business drivers, roles, responsibilities and metrics for chief executives, business unit leaders, program managers and other managers.

The BSA task force is already talking with other industry groups, including the Information Technology Association of America, but the immediate goal is to get groups from other sectors involved, Burton said.

The current white paper presents only an outline of what is considered important — asking questions such as what each level of management is required to do, what they are afraid not to do and how to accomplish those goals. Detailed metrics with examples from many different sectors are also needed "so that a company can open this up and say, 'This is a toolkit that can start me off,' " Burton said.

Companies' need for a governance structure is particularly strong because there are several federal regulations and laws that require security and privacy measures, according to BSA officials. These include the Health Insurance Portability and Accountability Act and the Graham-Leach-Bliley Act, which focus on the health care and financial services industries, respectively.

Much more discussion must occur before the white paper turns into something that company executives can actually use, but it is an important first step, said Bruce McConnell, president of McConnell International LLC, the consulting firm supporting the BSA task force's work.

"It puts on the table that information security is a top management issue," said McConnell, who also served as chief of information policy and technology at the Office of Management and Budget during the Clinton administration. "CEOs and boards haven't been paying enough attention to it, and this helps them learn to do that."

The Bush administration, through the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate, has launched a major push to encourage the private sector to increase its security capabilities.