Public firms forced to release security information?

Thread: Public firms forced to release security information?

  1. #1
    Member
    Join Date
    Oct 2003
    Posts
    48

    Public firms forced to release security information?

    Maybe it's just me, but this seems like a bad idea. Telling what security measures you may be using gives hackers enough information to prepare for breaking. Just my opinion.
    Public firms may be forced to disclose computer security steps
    Posted by Mirko Zorz - LogError
    Friday, 10 October 2003, 9:41 AM CET


    Companies that sell stock to the public may be required to disclose what they are doing to protect their computer systems, Homeland Security Secretary Tom Ridge said Thursday.

    Ridge said he already has met with William Donaldson, chairman of the Securities and Exchange Commission, to consider whether such disclosures should be included in financial filings.

    "I think we need to talk about some kind of public disclosure: What are you doing about your security, physical and cybersecurity?" Ridge said in a speech to the Business Software Alliance (BSA), a software-industry trade group. "Tell your shareholders, tell your employees, tell your communities within which you operate."

    SEC spokesman John Nester confirmed that the idea of requiring disclosure about cybersecurity "is being looked at at the staff level."
    -Kris
    --Kristoph


  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Full article here

    Interesting comment:

    That study, titled "Information Security Governance: Toward a Framework for Action," found that corporate executives who want to increase computer security have been hamstrung by a lack of clarity about how to solve the problem.

    "There is no recognized, standard approach at an organization-wide level to help determine what should be done and who should do it," the report concluded.
    What about ISO17799?? I thought that was the standard (newly released standard).

    And companies should be held responsible for this kind of stuff. There shouldn't be any excuse for not having security in place. It'd be like banks not having vaults. I don't think they need to detail every password, etc. but certainly they should have necessary documentation and audits done to placate shareholders.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487

    Gotta link?

    Hey Red, where did you see this? I can't find it in any of my sources... maybe my old eyes are going...

    Gotta link? Thanks.

  4. #4
    Member
    Join Date
    Oct 2003
    Posts
    48
    Here's the link, sorry, I thought I put one in the first post! Oops. Here ya go: http://www.net-security.org/news.php?id=3781

    MsMittens, I do agree that companies should disclose some information, but the way I took the article was that it meant detailed analysis. Maybe not? I know when I go to my bank's website they tell you vague details, and I think that's all that really needs to be known?


  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hopefully.... Mr. Ridge has smart enough advisors to have them only give basic details like:

    1. We have a firewall
    2. We have IDS
    3. We screen our employees
    4. We place ACL's on our employees access
    5. We kill people that mess with us.... (just threw that in as an afterthought..... )

    Asking companies to reveal much more is, as you say, a bit of a problem.....

    But why do I get this sinking feeling that the Gubmint is gonna screw up again.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Member
    Join Date
    Oct 2003
    Posts
    48
    Yeah, Tiger, I agree with you fully. Leave it to the Gov't to go and think that revealing all makes people feel safer, when in reality less is more. Or the less we know the better off we are (about the security the companies have in place). Just knowing that my bank has security online makes me feel better. Oh, please George, call off the NSA.


  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    MsMittens:

    Working for a HIPAA compliant Agency I looked into the ISO17799 issue to see what it came up with...... What I found was here. I have taken the decision, based on this, that my Agency will move to fulfil HIPAA rather than ISO17799.....

    I'm sure that there will be many other organizations that will be "forced" to choose that path.

  8. #8
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Well this will keep us security folk busy, now won't it?!!!

    Disclosure can be good but:
    1) How much you disclose could be harmful.
    2) How is this information gonna be protected so that someone doesn't hack into it via an inside or outside job and use it to infiltrate?! Very similar to the M$ Passport program - there's a goldmine of information... although this security disclosure would contain more, huh? (NOT trying to pick on M$ in particular - just an example)
    3) Who's gonna validate, and how do they determine fines (if any)?
    4) Who's deciding WHAT measures need to be in place?
    5) Are they trying to create a HIPAA type standard/code for the non-HIPAA related companies?

    I'm with most of you on the concern as to HOW this will be implemented.

    Thought provoking...yet scary.

  9. #9
    Member
    Join Date
    Oct 2003
    Posts
    48
    I'm with most of you on the concern as to HOW this will be implemented

    Maybe they will form a new agency for this. The CSA. Computer Security Agency. They will be in charge of deeming which networks are safe and which ones are in league with Bin Laden. They will be responsible for determining "Terror" websites. They will also confiscate all computers and networks that they think are conspiring with "Terror Groups". They will also take your plumbing.


  10. #10
    Junior Member
    Join Date
    Oct 2003
    Posts
    4
    I remember ages ago some security company got a bunch of the country's 1337est hackers and paid them to hack their system; they realised then what the company was doing or something and then, like, really haxed their systems.
