Putnam seeks industry emphasis on info security

The congressman says if industry doesn't get serious about information security, he'll push for a law to force their hand.

If companies don't incorporate information security best practices into their planning and management, the House of Representatives' technology leader says he will try to make them do it.

"While I would clearly prefer an option that did not require a legislative initiative to address this matter as a management issue and incorporate fundamental 'best practices' into information security planning, I have prepared a draft bill that would require an annual information security risk assessment by publicly traded companies," Rep. Adam Putnam (R-Fla.) wrote in an Oct. 30 letter to the Information Technology Association of America.

Putnam, chairman of the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census subcommittee, outlined his concern that companies are treating security as just a technology issue and not a corporate one. The Federal Information Security Management Act (FISMA) of 2002 fostered an emphasis on best practices at federal agencies, but there is no similar across-the-board oversight for the private sector.

The draft Corporate Information Security Accountability Act has been reviewed by several private-sector experts and, so far, has received positive responses and suggestions, Putnam said. He has also organized a working group to work with the subcommittee staff on the draft and to look at potential alternatives to legislation.

The Business Software Alliance last month released a white paper with the beginnings of a security governance framework for the private sector, drawing from FISMA and other security guidance. Officials are hoping to expand on that framework, working with other industry organizations.
