
Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants




ARE BUSINESSES WILLING TO DISCLOSE KEY SECURITY MEASURES TO THE FEDS?

Source: Security Wire Digest

Posted on April 16, 2001

Comparing the security of critical infrastructure to Y2K preparedness, a key political figure is calling for new Securities and Exchange Commission (SEC) regulations that would force publicly traded companies to disclose their information security measures. Though some security experts view the proposal as a much-needed step, others are concerned that such disclosure would hand hackers a roadmap.

      At an Internet Security Policy Forum late last month, Sen. Robert Bennett (R-Utah) said he planned to propose that the SEC regulate and disclose the steps publicly traded companies have taken to protect their informational assets. An SEC spokesman said no cybersecurity proposal is currently in front of the commission.

Bennett, who was instrumental in advocating that the SEC regulate Y2K preparedness, says similar regulation is needed for government and private industry to ensure the security of information systems and protect America's overall technical infrastructure. Bennett says he does not view disclosure as a silver bullet, but as a policy that encourages the free market to adopt and sustain sound security practices.

      "The value of an SEC disclosure is not to broadcast (security) configurations -- this would be irresponsible," Bennett, a member of the Senate's high-tech task force, told Security Wire Digest. "Government and the free market should strive to raise awareness about the risks involved with interconnected, interdependent and highly automated systems."

      Though wary of over-regulation, supporters laud the proposal as a step in the right direction.

"I'm not a big fan of regulation, but a lot of resources and dollars need to be committed to drive this issue to the proper level and perspective," says Bruce Murphy, CEO of Vigilinx, a managed security consultancy based in New York. "I think there's some benefit to be gained from regulation; companies will take the path of least resistance, and they will overlook things or take somewhat of an ostrich approach to it. I think there is some value to be gained from additional enforcement or compliance measures."

However, Murphy and other observers caution that divulging specifics about security measures could reveal which vulnerabilities a particular company has.

"Going forward, there is a risk that additional details that would be disclosed could be mapped against other available information, providing a combination that would lead to conclusions about a company's ability to protect itself adequately," says Eddie Schwartz, senior vice president of operations at Guardent, a Waltham, Mass.-based security integration and consulting firm.

      "Studies have been done that indicate people in foreign countries have been mapping the resilience of networks to certain vulnerabilities and creating statistical patterns to apply to specific targets," adds Schwartz. "Now, instead of eight data elements, you've given them 25 for their model. Statistically, they are going to have more success."

      Paul Robertson, director of risk assessment at Internet security assurance provider TruSecure Corp., says, "Parts of the information wouldn't be as useful to defenders as it would be to hackers, terrorists, hostile government-sponsored foreign competition and others wishing to do harm. Being able to search for victims based on specific profile information would be a boon to most attackers and not a lot of help to the victims."

Sen. Bennett believes his proposal will encourage enterprises to maintain security adequate for their needs, but critics point out that the same disclosures may also put these organizations at greater risk.

"I don't think there's a big deal in saying 'Yes, we have a firewall.' If you start getting into makes and models, that's giving them actual architecture that someone could use against you," says John Frazier, director of security at Dallas, Texas-based e-business solutions firm i2 Technologies. "However, without the specifics, it's kind of a Catch-22. The only way it will have meaning is if you disclose enough detail, but without detail it has no purpose."
