By Declan McCullagh
Posted on ZDNet News: Nov 6, 2003 8:28:00 PM

Publicly traded U.S. corporations would have to certify that they have conducted an annual computer security audit, according to a draft of long-awaited legislation the U.S. House of Representatives is preparing.

The audit must be conducted by an independent party and assess "the risk and magnitude of the harm that could result from the unauthorized access," alteration or destruction of company computers, says the draft, prepared by Rep. Adam Putnam, R-Fla. Putnam is chairman of a House technology subcommittee.

"Given the magnitude of the threat and the depth of the vulnerabilities that exist today, it is imperative that we address this matter aggressively and collaboratively in order to enhance the protection of the nation's information networks on behalf of the American people and the U.S. economy," Putnam said in a statement this week. He warned that the Federal Information Security Management Act established detailed security regulations for agencies to follow, but private companies have no such obligations.

It's not clear, however, what the fate of Putnam's "Corporate Information Security Accountability Act" will be. Technology companies, leery of aggressive government regulation and mandates from Washington, D.C., politicians, are quietly trying to convince Putnam not to introduce the proposal.

On Wednesday, a group of prominent tech lobbyists met privately in an attempt to come up with an alternative to Putnam's proposal. Members of the informal working group include representatives of the U.S. Chamber of Commerce, the Business Software Alliance, the SysAdmin Audit Network Security Institute, the National Association of Manufacturers, and the Information Technology Association of America (ITAA).

ITAA President Harris Miller said Thursday that the group will "come back to (Putnam) early in 2004 with specific recommendations on what everyone at the meeting agreed was a common goal, which was to increase the focus of businesses across the United States on cybersecurity." Miller said the final recommendation could include legislative, regulatory or self-regulatory approaches.

"I don't want to say anything about the bill," Miller said, referring to Putnam's draft. "What I can say is that it's still in the minds of many organizations that it's something that needs further review."

Currently, publicly traded companies must follow a detailed set of rules when filing annual reports with the Securities and Exchange Commission. Putnam's proposal, seen by CNET News.com, would extend that annual reporting requirement to include the audit that would follow standards to be set by the SEC.

It does say, however, that the certification in the annual report "shall not include specific proprietary information and shall not contain any information identifying, directly or indirectly, any specific vulnerability of the (company's) computer information."

To Putnam, making computer security audits mandatory is a matter of national security. During a hearing before his subcommittee in April, Putnam warned: "Federal, state and local law enforcement protect our bridges, railways and streets and provide for our own personal protection...Our critical infrastructure, of the cyber kind, must have the same level of protection if we are to be secure as a nation, from random hacker intrusions, malicious viruses or worse--serious cyberterrorism."

One limitation of the Putnam bill is that it covers only publicly traded corporations. Other companies, including water companies, power companies, cooperatives and tens of millions of small businesses, would not face mandatory security assessments.

Talkback (11 comments)

compared to what?
I only wonder for how long MS will stay un-accountable for the LOST human time and resources its s/w has caused. The cost in $$ must be in the billions in the global economy...

compared to what?

- Sam... (Read the rest)
Posted by: JoeMama_z | 11/06/03
Waste of taxpayer's money  pschroeder@... | 11/06/03
agreed  stephen732@... | 11/06/03
this is not about protecting ms  lmaxwell | 11/06/03
Oh it does something.  Cardinal_Bill | 11/06/03
Another step in the wrong direction  michael-t | 11/06/03
agreed, but...  ryusen | 11/06/03
Division of Responsibility  michael-t | 11/06/03
Close but no cigar  Inetsec | 11/06/03
compared to what?  JoeMama_z | 11/06/03
PC security audits for businesses? ROFLMAO  Inetsec | 11/06/03
sure there will be enrons  lmaxwell | 11/06/03