Internet security Process

The Center works with and through other leading organizations that have developed requirements and processes and research that can contribute to the common goal of reducing losses from Internet Security breaches.

In addition to involving these groups in the process of deciding on the minimum requirements forming a basis for demonstrating due care, the Center looks to them for guidance and suggestions to help shape its other programs and governance structure:

  • System and network vendors will be asked to provide guidance on what processes can be altered in the development, delivery and support of products that would reduce the number of flaws and/or improve the adoption rate of patches.
  • System and network administrators – the front-line soldiers in the war against Internet attacks – will be asked to provide guidance on what benchmarks they need to meet and what benchmarks they use to secure their systems, and what vendors can do to make the whole process more effective. They will also be asked what information they require on a continuing basis to maintain their systems at the level of security they require.
  • Insurance underwriters will be asked to provide guidance on what level of validation they need to establish risk and pricing.
  • Security product and services vendors will be asked to provide guidance on how their products can be fairly assessed as to their efficacy and safety.
  • Leading auditing associations (The Information Systems Audit Control Association, the Institute of Internal Auditors, the AICPA, and others) will be asked to provide guidance on which of their controls can be used effectively to compare the levels of compliance with the benchmarks.
  • Universities will be asked to provide end user and research guidance.
  • Computer Incident Response Teams will be asked for guidance on the best practices in preparing for and responding to attacks.
  • Law enforcement agencies will be asked for guidance on organizational processes and policy initiatives that would enhance the success rates of finding and prosecuting attackers.
  • Major security training organizations will be asked to provide guidance on how to assess the readiness of their graduates to take on various security responsibilities.
  • Organizations experienced in business-to-business e-commerce will be asked how they ascertain whether their business partners have adequate security and what benchmarks they would want to have in place.
  • ISACs and other Federal and commercial organizations that assess the security of tools and the performance of security tools will be asked what benchmarks they use to determine passing grades. Comparative studies of various types of tools such as biometric identification devices will be gathered and catalogued.
  • Consulting firms will be asked what specific information allows them to decide how much security to recommend and what minimum benchmarks they expect to find in various situations.
  • Security managers will be asked for guidance on what levels of end user awareness and knowledge of security issues and actions can be expected. They will also be asked for guidance on the best practices in monitoring the level of compliance with benchmarks that their systems maintain. This will include representatives of commercial firms as well as universities and others whose day-to-day survival depends on having secure, trusted systems.