[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Officials: How much security is enough?


By Florence Olsen
Oct. 12, 2005 

In the White House situation room and in corporate boardrooms, people
debate how much information security is enough - without reaching
consensus. But a panel of national security experts said today that
federal standards can help manage the country's considerable risk of a
disruptive cyber event.

Standards that the National Institute of Standards and Technology are
developing provide the basics of due diligence for federal agencies
and businesses, said Ronald Ross, a senior computer scientist and
information security researcher at NIST. He spoke today at an event in
Washington, D.C., sponsored by the Wall Street Journal.

Businesses are not required by law to follow those information
security standards, but Ross said many are doing so voluntarily
because they can reduce the risk of a major cyber incident disrupting
companies' business.

The federal standards include one for categorizing information systems
assets based on whether their loss would pose a high, medium or low
risk to the agency or business. Ross said people are spending too much
time and money to protect low-risk systems and not enough on high-risk

He said NIST will soon issue another federal standard requiring
specific security settings and controls for protecting low-, medium-
and high-risk systems.

Roger Cressey, president of Good Harbor Consulting and a former
counter-terrorism official, said the Homeland Security Department was
slow to focus on cybersecurity vulnerabilities. To an extent, he
added, the department is still reactive and "preparing to prevent the
last attack."

But Cressey said DHS Secretary Michael Chertoff has correctly adopted
a risk management approach to the country's cyber vulnerabilities.  
Whether Chertoff can gain support in Congress and elsewhere for that
approach remains to be seen, Cressey said.

InfoSec News v2.0 - Coming Soon!