Public firms forced to release security information?

Maybe it's just me, but this seems like a bad idea. Telling what security measures you may be using gives hackers enough information to prepare for breaking. Just my opinion.

Quote:

---

Public firms may be forced to disclose computer security steps
Posted by Mirko Zorz - LogError
Friday, 10 October 2003, 9:41 AM CET


Companies that sell stock to the public may be required to disclose what they are doing to protect their computer systems, Homeland Security Secretary Tom Ridge said Thursday.

Ridge said he already has met with William Donaldson, chairman of the Securities and Exchange Commission, to consider whether such disclosures should be included in financial filings.

"I think we need to talk about some kind of public disclosure: What are you doing about your security, physical and cybersecurity?" Ridge said in a speech to the Business Software Alliance (BSA), a software-industry trade group. "Tell your shareholders, tell your employees, tell your communities within which you operate."

SEC spokesman John Nester confirmed that the idea of requiring disclosure about cybersecurity "is being looked at at the staff level."

---

-Kris

Full article here

Interesting comment:

Quote:

---

That study, titled "Information Security Governance: Toward a Framework for Action," found that corporate executives who want to increase computer security have been hamstrung by a lack of clarity about how to solve the problem.

"There is no recognized, standard approach at an organization-wide level to help determine what should be done and who should do it," the report concluded.

---

What about ISO17799?? I thought that was the standard (newly released standard).

And companies should be held responsible for this kind of stuff. There shouldn't be any excuse for not having security in place. It'd be like banks not having vaults. I don't think they need to detail every password, etc. but certainly they should have necessary documentation and audits done to placate shareholders.

Hey Red, where did you see this? I cant find it in any of my sources...maybe my old eyes are going...

Gotta a link? Thanks.

Here's the link, sorry I thought I put one in the first post! Oops. Here ya go http://www.net-security.org/news.php?id=3781

MsMittens, I do agree that companies should disclose some information, but the way I took the article was meaning detailed analysis. Maybe not? I know when I go to my banks website they tell you vaque details and I think thats all really needs to be known?

Hopefully.... Mr. Ridge has smart enough advisors to have them only give basic details like:-

1. We have a firewall
2. We have IDS
3. We screen our employees
4. We place ACL's on our employees access
5. We kill poeple that mess with us.... (just threw that is as an afterthought..... ;) )

Ask companies to reveal much more is, as you say, a bit of a problem.....

But why do I get this sinking feeling that the Gubmint is gonna screw up again..... :rolleyes:

Yea, Tiger I agree with you fully. Leave it to the Gov't to go and think that revealing all makes people feel safer and in reality less is more. Or the less we know the better off we are. (about the security the companies have in place) Just knowing that my bank has security on-line makes me feel better. Oh, please George, call off the NSA. ;)
-Kris

MsMittens:

Working for a HIPPA compliant Agency I looked into the ISO17799 issue to see what it came up with...... What I found was here. I have taken the decision, based on this, that my Agency will move to fulfil HIPPA rather than ISO17799.....

I'm sure that there will be many other organizations that will be "forced" to chose that path.

Well this will keep us security folk busy, now won't it?!!! :deal:

Disclosure can be good but:
1) How much you disclose could be harmfull.
2) How is this information gonna be protected so that someone doesn't hack into it via inside or outside job and use it to infiltrate?! Very similar to the M$ Passport program - there's a goldmine of information...although this security disclosure would contain more huh? (NOT trying to pick on M$ in particular -just an example)
3) Who's gonna validate, how do they determine fines (if any)?
4) Who's deciding WHAT measures needs to be in place?
5) Are they trying to create a HIPAA type standard/code for the non-HIPAA related companies?

I'm with most of you on the concern as to HOW this will be implemented.

Thought provoking...yet scary. :shocked:

Quote:

---

I'm with most of you on the concern as to HOW this will be implemented

---

Maybe they will form a new agency for this. The CSA. Computer Security Agency. They will be in charge of deaming which networks are safe and which ones are in league with Bin Laden. They will be responsible for determing "Terror" websites. They will also confiscate all computers and networks that they think are conspiring with "Terror Groups". They will also take your plumbing.

i remember ages some security company got a bunch of the country's 1337st hackers and paid them to hack their system, they realised then what the company was doing or something and then like really haxed their systems