April 12, 2004 3:23 PM PDT

Task force puts security responsibility on CEOs

A security task force of private industry experts, academics and government officials released a report on Monday urging CEOs and boards of directors to take responsibility for building information security programs to prevent electronic crime and help secure the Internet.

The proposal, published by the Corporate Governance Task Force, is the fourth report to be released by the National Cyber Security Partnership, a cross-sector group that aims to create initiatives to secure e-commerce and the Internet infrastructure upon which the United States relies.

"America cannot solve its cyber-security challenges by delegating them to government officials or CIOs (chief information officers)," task force leaders wrote in a letter introducing the report. "The best way to strengthen U.S. information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs."

The two leaders--F. William Conner, CEO of security firm Entrust, and Arthur Coviello, CEO of RSA Security--called for companies to adopt and support the guidelines and for the government to recognize businesses that do so. The Corporate Governance Task Force has more than 40 members, including well-known companies such as Intel, Motorola and Sun Microsystems, U.S. government agencies and such academic institutions as Carnegie Mellon and George Mason universities.

The report calls for companies to annually evaluate their information security, conduct periodic risk assessments and update their policies based on the results. In addition, the task force urged companies to educate their workers to be more aware of information security and create incident response teams.

Established late last year, the National Cyber Security Partnership brings together security experts from the private, academic and public sectors in an attempt to improve security. The members divided the organization into five working groups to focus on specific problem areas: creating awareness in home computer users and small businesses; establishing a cybersecurity early warning system; making information security part of corporate governance; advocating technical best practices for security; and pushing security improvements into the software development process.

A report published in April by the Security Across the Software Development Life Cycle Task Force proposed changes to education, software development and patch methods, as well as incentives to convince software makers to improve the security of their wares. Two other reports, published in March, summarized the prescriptions of the Awareness and Outreach Task Force and the Cyber Security Early Warning Task Force.

TechNet, a lobbying group for the technology industry and the administrator for the Corporate Governance Task Force, stressed the importance of raising awareness of security among companies' top executives.

"Strong and effective information security governance is critical in strengthening our cyberinfrastructure," said Rick White, president and CEO of TechNet.

The report can be found on the National Cyber Security Partnership's Web site.

1 comment

Did someone say "responsible"?
The one and only way to get back on track!!!

I do question the statement on delegation, made early, and its exclusion of the CIO. I think by definition, CHIEF Information Officer, CIOs are at the front of the responsibility line.
Posted by bjbrock (98 comments )