Volume 1, No. 5
January 2005


Executive Director’s Message

by Paul Kurtz, CSIA Executive Director

Welcome to the New Year! For some, this means making resolutions. Our resolution at CSIA is to bring clarity to the IT security implications of Sarbanes-Oxley. Publicly-traded corporations are spending millions this year to comply with the law, but in the case of IT security, it is unclear what compliance means.

Last month, CSIA released a report on Sarbanes-Oxley compliance, outlining the implications of Section 404 on information security. As the report concluded, the question is no longer “whether” Section 404 covers information security, but rather “how” to comply with this critical section in the context of IT security. But have Sarbanes-Oxley regulators provided sufficient guidance to corporate management and auditors on IT governance and security to comply with Section 404?

Our SOX report proposes a closer review of how publicly-traded companies and auditors have grappled with compliance. On May 3 at the Ronald Reagan International Trade Center, CSIA will host a SOX Summit in Washington, DC, bringing together key stakeholders from both the corporate management and auditing communities to address that question and shed light on the implications of SOX. CSIA’s SOX report is summarized in this month’s newsletter, and in our Member Spotlight, Entrust shares with us some of the protections they have taken in order to work with Section 404.

Also in this month’s newsletter, legislation we saw in the 108th Congress regarding Spyware and the Assistant Secretary for Cybersecurity position in DHS has been reintroduced; CSIA will keep a close eye on the progress of those bills. Finally, this February, CSIA will be hosting a Town Hall Meeting in San Francisco to discuss homeland security, critical infrastructure protection, cyber security in the post-9/11 era, and what steps are being taken to enhance security measures. Our guest speakers include Jamie S. Gorelick of the 9/11 Commission, and Richard Clarke, Former Special Advisor to the President for Cyberspace Security. It should prove to be an enlightening conversation.

Happy New Year from CSIA!


CSIA Kicks Off SOX Compliance Initiative

Last month, CSIA released a report on Sarbanes-Oxley compliance. The report, Sarbanes-Oxley Act: Implementation of Information Technology and Security Objectives, outlines the implications of Section 404 on information security. Since its passage, the Sarbanes-Oxley Act of 2002 (SOX) has engendered considerable debate over the law’s implications for corporate information security, especially with respect to the internal control provisions of Section 404.

Section 404 of SOX requires senior management of publicly traded companies both to (i) establish and maintain adequate internal controls for financial reporting, and (ii) annually assess the effectiveness of those controls. The law also establishes attestation requirements for public accounting firms to assess management’s certification of the effectiveness of its internal controls over financial reporting.

To determine whether compliance with Section 404 “requires” effective information security, one has to examine other legally relevant materials, in addition to the specific provisions of the statute passed by Congress. These additional materials include:

  • Rules issued by the Securities and Exchange Commission (SEC) that implement SOX statutory provisions
  • Standards issued by the Public Company Accounting Oversight Board (PCAOB) in Audit Standard No. 2 and adopted in rulemaking by the SEC
  • Various provisions contained in the Statements of Auditing Standards Nos. 55, 78, and especially 94, issued by the American Institute of Certified Public Accountants (AICPA) and specifically incorporated into Audit Standard No. 2 by the PCAOB and the SEC

Review of these statutory and administrative materials clearly indicates that compliance with Section 404 of SOX requires publicly traded companies to employ information security to the extent necessary to ensure the effectiveness of internal controls over financial reporting. The SEC and PCAOB explicitly recognize the potentially adverse effects of IT on internal controls. In effect, these regulators also impose a duty on senior management to secure their corporate IT systems to the extent necessary to ensure the accuracy and integrity of such reporting.

Given the size and complexity of IT systems and networks in most publicly traded companies, the statutory and administrative materials governing Section 404 may still lack the detail and specificity regarding IT governance and security that management and auditors might want to guide and inform their compliance efforts. This raises a number of objective questions that CSIA hopes to answer this May during a Summit of senior managers, auditors, and IT professionals. During this Summit, CSIA plans to examine these issues:

  • Requesting clarification through staff Q & A process
  • Discussing the advisability of creating an awareness program focusing on SOX IT security compliance
  • Exploring an initiative to prepare guidance on IT security specifically for management.

For additional information, see:


CSIA Town Hall Meeting at RSA Conference

Featuring 9/11 Commissioner Jamie S. Gorelick and Former Special Advisor to the President for Cyberspace Security Richard Clarke

The Cyber Security Industry Alliance is pleased to host a Town Hall Meeting to discuss homeland security, critical infrastructure protection, and cyber security in the post-9/11 era, and the steps that are being taken to enhance security measures.

WHAT: CSIA Town Hall Meeting

WHEN: Wednesday, February 16, 12:45-1:45 pm

WHERE: Moscone Convention Center in the South Hall, San Francisco, CA

The Town Hall Meeting, which will take place during the RSA Conference 2005, will feature Jamie S. Gorelick of the 9/11 Commission, and Richard Clarke, Former Special Advisor to the President for Cyberspace Security.

Gorelick is a partner at Wilmer, Cutler & Pickering in Washington, DC and is a member of the Council on Foreign Relations and the American Law Institute. She co-chaired, with Senator Sam Nunn, the Advisory Committee of the President's Commission on Critical Infrastructure Protection, and currently serves on the Central Intelligence Agency's National Security Advisory Panel, as well as the President's Review of Intelligence. She will offer her insights on homeland security, critical infrastructure protection, and cyber security issues.

Clarke most recently served on the US National Security Council as Special Advisor to the President for Cyberspace Security; National Coordinator for Security, Infrastructure Protection, and Counterterrorism; and chaired the Counterterrorism Security Group. Prior to his time with the National Security Council, Clarke worked in the US Department of State as Deputy Assistant Secretary of State for Intelligence, and then as Assistant Secretary of State for Politico-Military Affairs. Just after leaving the government in 1993, Clarke testified before the National Commission on Terrorist Attacks Upon the United States on March 24, 2004. Clarke has been an on-air consultant for ABC News and is Chairman of Good Harbor Consulting, LLC.

Paul Kurtz, CSIA Executive Director, and former Special Assistant to the President for Critical Infrastructure Protection on the White House’s Homeland Security Council, will host the town hall meeting.

Please RSVP for the Town Hall Meeting at [email protected]. Snacks and beverages will be provided. We hope to see you there!

To register for RSA Conference 2005, please visit http://2005.rsaconference.com/us/.


CSIA’s First Birthday Celebration

Join us for CSIA's First Birthday Party and celebrate our first year of extraordinary accomplishments! The celebration will be held during the RSA conference. We hope to see you there!

WHAT: CSIA’s First Birthday Celebration

WHEN: Tuesday, February 15, 8:30-11:00 pm

WHERE: Thirsty Bear Restaurant • Mezzanine Level, 2nd Floor, 661 Howard Street

Register for CSIA’s First Birthday Celebration at https://www.csialliance.org/news/events/register.


Policy Award Winner to be Announced at RSA Conference

Each year, the RSA Conference presents awards for excellence in a variety of categories. For 2005, the award for public policy is co-sponsored by the Cyber Security Industry Alliance. Candidates were nominated and voted on by CSIA members, and Executive Director Paul Kurtz will present the award to the recipient(s).

The RSA Conference Award for Public Policy is designed to recognize significant contribution and leadership in the field of cyber security public policy. The judging committee seeks to reward nominees who hold elected or appointed office, are associated with public interest organizations, or are associated with an organization that has significantly contributed to the development or application of current information security and/or privacy policy.

Past recipients include:

  • Robert Bennett
    U.S. Senator, Utah
  • Sherwood Boehlert
    U.S. Representative, New York
  • Tom Davis
    U.S. Representative, Virginia
  • NIST Advanced Encryption Standard Committee
  • Ed Gillespie and Jack Quinn
    Executive Director and Co-Chairman of Americans for Com

For more information on the RSA Conference Award for Public Policy, visit: http://2005.rsaconference.com/us/general/awards_previous.aspx


Schedule of CSIA Events at RSA Conference

2nd Annual Executive Forum for the RSA Conference
Paul Kurtz, Speaker
Monday, February 14
12:00 pm – 6:45 pm
Palace Hotel

RSA/CSIA Policy Award Presentation
Tuesday, February 15
8:05 am – 8:30 am
Moscone Convention Center, South Hall

CSIA First Birthday Celebration
Tuesday, February 15
8:30 pm – 11:00 pm
Thirsty Bear Restaurant, Mezzanine Level, 2nd Floor
661 Howard Street
Register at https://www.csialliance.org/news/events/register

Town Hall Meeting / Roundtable
Moderator: Paul Kurtz
Panelists: 9/11 Commissioner Jamie S. Gorelick and Former
Counterterrorism Coordinator Richard Clarke

Wednesday, February 16
12:45 pm – 1:45 pm
Moscone Convention Center, South Hall, General Session Area
RSVP to [email protected]

Sarbanes-Oxley Part I: Security Governance & Policy
Moderator: Steve Wu
Panelists: Paul Kurtz, John Tritak and Lee Zeichner

Wednesday, February 16
3:25 pm – 4:25 pm
Moscone Convention Center, South Hall

International Current Events
Panelists: Paul Kurtz, Behnam Dayanim, Francisco Mingorance and Roland Mueller
Friday, February 18
11:10 am – 12 pm
Moscone Convention Center, South Hall


CSIA Member Spotlight

Name: Entrust Inc.

Chairman and CEO: F. William (Bill) Conner

Founded: 1994

Headquarters: Dallas, TX

Worldwide Offices: Entrust has offices in Australia, Belgium, Canada, China, France, Germany, Hong Kong, Italy, Japan, Netherlands, Sweden, Spain, Switzerland, United Kingdom, and the United States

Number of Employees: 530

Total Revenue: $87.9 million for 2003

About Entrust: Entrust, Inc. is a world-leading provider of Identity and Access Management solutions. Entrust software helps enable enterprises and governments to extend their business reach to customers, partners and employees. Entrust’s solutions for secure identity management, secure messaging and secure data can help increase productivity and improve extended relationships by helping to transform the way transactions are done online. Over 1,400 organizations in more than 50 countries use Entrust’s proven software and services to turn business and security challenges into secure business opportunities.

Areas of Specialization: Entrust solutions provide a unified approach to managing digital identities and information security across a wide variety of devices, applications, platforms and environments. They are specifically designed to enable organizations to securely manage relationships and safeguard transactions over the Internet and enterprise networks.

Entrust’s comprehensive, fully integrated solutions capitalize on the latest innovations in authentication, authorization, digital signature and encryption technologies to deliver:

Secure Identity Management: Securely manage your user, application and device identities across client-server, Web and Web services architectures.

Secure Data: Reduce the risk of disclosure, loss or corruption by protecting corporate information, regardless of where it is stored or how it is transmitted, and without changing the way users work.

Secure Messaging: Enforce corporate and regulatory e-mail policy – including automatic protection of sensitive information at the boundary – through an integrated suite of components that provide automatic content scanning of inbound and outbound e-mail messages, boundary-based e-mail encryption and desktop e-mail security.


Embracing Information Security Governance

by Bill Conner, Chairman, President and CEO, Entrust

Governance is now a critical issue for all organizations. As a result of Sarbanes-Oxley and the new security requirements for critical infrastructure, industry’s role and responsibilities have changed.

Today, executives are becoming increasingly accountable for ensuring that their organizations comply with a host of new regulations and ethical standards, including the protection and security of sensitive information and data. Vast information networks and software programs have dramatically improved productivity and altered how employees and organizations communicate to meet their core business objectives. Yet, they also expose organizations to new risks, vulnerabilities, fraud, theft and even terrorism. Securing and managing enormous amounts of digital information must become a central management mission of all organizations.

This new legal and ethical environment also has caused great confusion due to vague and often differing interpretations with respect to what is subject to government mandates and potential liability. And nowhere is this confusion more apparent than in the application and use of information technology. Yet, for all the debate, it is becoming more and more apparent that information security is of critical importance to good corporate governance. As a result, Information Security Governance will increasingly become subject to greater scrutiny from governments, shareholders, customers and consumers.

For example, the attestations signed by public-company CEOs required under Sarbanes-Oxley declaring that “internal controls” are in place carry the possibility of both civil and criminal penalties. Legislators in California have attempted to establish rules that determine how companies must structure their networks and secure consumer information or face severe civil penalties and potential class action litigation. Policymakers and regulators have advised that industry can bet on even more regulation unless substantial progress is made. Clearly, this is not the preferred option.

What is needed, and what has been advocated by companies such as Entrust and organizations such as the Cyber Security Industry Alliance (CSIA), is the development of information security governance (ISG) programs that incorporate financial and legal controls, information security policies and technology applications. In doing so, organizations will be equipped with management frameworks that outline specific roles and responsibilities for employees and executives that can be incorporated within an organization’s overall corporate governance programs and reported to boards of directors.

However, Sarbanes-Oxley is only one part of ISG. All organizations can benefit from ISG in various ways: not just improved regulatory compliance, but also improved internal processes and controls, which have the potential for lower audit and insurance costs and market differentiation derived from improved quality and management.

As a leader in cyber security, Entrust has taken its responsibility seriously in this area and has undertaken three key initiatives over the last two years:

  1. Internal Management – Entrust developed and implemented an internal ISG program that now provides comprehensive risk assessments and audits that are reported directly to senior management and the company’s board of directors. These management tools allow for needed program, policy and technology implementations to help comply with government regulations and corporate governance policies.
  2. External Advocacy – Entrust CEO Bill Conner has helped to establish and co-chair two national task forces on ISG to determine best practices, educate organizations across all industries, create consensus, and alert policymakers and the private sector to the issue. The task forces are the Business Software Alliance’s (BSA) Task Force on Information Security Governance and the National Cyber Security Partnership’s Corporate Governance Task Force.
  3. Technology – Building on our foundation of identity and access management solutions, Entrust unveiled the Entrust Compliance Server that allows organizations to automatically analyze all incoming and outgoing e-mails and centrally enforce policy pertaining to privacy, offensive language, IP protection, spam and regulatory compliance. In effect, this automates ISG processes to ensure greater compliance with regulations as well as customized corporate policies.

Entrust’s leadership in this role has provided a foundation upon which our industry must build. CSIA’s recommendations as outlined in their report, Sarbanes-Oxley Act: Implementation of Information Technology and Security Objectives, offer even more opportunities for us to provide policymakers with guidance and information, as well as inform the private sector of the importance and benefits of ISG.

With increased attention on corporate governance by policymakers, and an increased reliance on networks in the enterprise arena, executives and boards of directors responsible for implementation must embrace information security. Our industry is responsible not only to secure networks, but to provide policymakers and the private sector with the right technologies and insights on policies to ensure a safer nation and business community.


Legislative Update

H.R. 29 – The SPY ACT – Congresswoman Mary Bono (R-Calif.)

Latest Update: Also known as the “Securely Protect Yourself Against Cyber Trespass Act.” On January 6, Congresswoman Bono re-introduced her bill from the 108th Congress that aims to protect computer users against internet privacy invasion. It passed overwhelmingly in the House of Representatives in October 2004, but did not pass the Senate before the 108th Congress came to a close.

Summary: This bill would prevent spyware purveyors from hijacking a home page or tracking users’ keystrokes. It requires that spyware programs be easily identifiable and removable, and allows for collection of personal information only after express consent from the user. Additionally, fines are exponentially increased against abusers. As passed, this bill contains an exemption for legitimate security operations.

H.R. 285 – Congressman Mac Thornberry (R-TX) and Congresswoman Zoe Lofgren (D-CA)

Latest Update: Also known as the Department of Homeland Security Cybersecurity Enhancement Act of 2005. On January 6, Congressman Mac Thornberry and Congresswoman Zoe Lofgren reintroduced bipartisan legislation to create an Assistant Secretary for Cybersecurity position within the Department of Homeland Security's Information Analysis and Infrastructures Protection Directorate. The Assistant Secretary position was originally introduced in the 108th Congress in H.R. 10, the 911 Recommendations Implementation Act, where it was approved by the House of Representatives, but ultimately was not included in the final version of the bill.

Summary: The legislation would allow for the Assistant Secretary to have primary authority within the Department for all cyber security-related critical infrastructure protection programs of the Department, including policy formulation and program management. The legislation touts strong support from the technology, education, and financial sectors. 


Congressional Spotlight

Representative Bennie G. Thompson (MS-2)

Born: Bolton, Mississippi, January 28, 1948

Elected: 1993 (began seventh term in January 2005)

Committee Assignments: House Agriculture Committee; Homeland Security Committee

Education: Tougaloo College, B.A. (Political Science); Jackson State University, MS, 1972

Career: Grassroots Volunteer, Labor Organizer, Student Activist, Community Leader, Educator.

Notable: Honored by the National Black Nurses Foundation for his support of quality and affordable health care for all Americans; sponsored legislation that called for Congress to ensure that minority farmers are adequately compensated for years of discrimination in the operation of programs of the Department of Agriculture; founding member of the Mississippi Association of Black Mayors and the Mississippi Association of Black Supervisors; lifelong member of the Asbury United Methodist Church in Bolton, Mississippi.

Congressman Bennie Thompson is an emerging player on Capitol Hill in the area of cyber security. In the 108th Congress, the Congressman served as the Ranking Member of the Subcommittee on Emergency Preparedness and Response of the House Select Committee on Homeland Security, where he worked to ensure that our nation’s first responders were prepared and equipped with the best tools and technology to deal with terrorist attacks. At the beginning of this Congress, Congressman Thompson was named the Ranking Member of the now-permanent House Homeland Security Committee. As the top Democrat on the Committee, the Congressman is working to solve the most important issues affecting cyber security – and national security – as a whole. Recently, Congressman Thompson was a featured speaker at a CSIS event regarding the need to dramatically streamline oversight of the Department of Homeland Security. This includes bringing cyber security to the forefront of this discussion and changing the way decision-makers think about security issues.

Congressman Thompson has certainly been a force in effecting change over the years. Early in his career, Congressman Thompson was a true civil rights activist, becoming an active participant in the fight for equality. As a product of Mississippi colleges, he had first-hand knowledge of the disparity between funding, equipment, and supplies provided to the historically black colleges and those provided to white colleges. Injustices such as these have helped provide the drive and motivation for Congressman Thompson to proceed in his fight for civil rights and equal opportunities for all.

Congressman Thompson is also a strong supporter of access to affordable, quality healthcare and of labor rights for workers. At the age of 20, Congressman Thompson secured the first rural doctor for the town of Bolton and has been honored by the National Black Nurses Foundation for his support of quality and affordable health care for all Americans. The Congressman has also sponsored legislation that called for Congress to ensure that minority farmers are adequately compensated for years of discrimination in the operation of programs of the Department of Agriculture.

In addition to serving on the Homeland Security Committee, Congressman Thompson also serves on the House Agriculture Committee, where he is a champion for rural America. He is a founding member of the Mississippi Association of Black Mayors and the Mississippi Association of Black Supervisors. Congressman Thompson is a lifelong member of the Asbury United Methodist Church in Bolton, Mississippi, and has been continuously active in numerous civic, community, and professional organizations.

Congressman Thompson’s work on civil rights, healthcare and education has been – and continues to be – hard-fought and successful. His leadership role on Homeland Security, protecting cyberspace and our critical infrastructures, is certainly a benefit to CSIA. With Congressman Thompson’s attention on cyber security and homeland security generally, we anticipate positive changes in the way cyberspace and our nation are protected.

1. Congratulations on your appointment as the Ranking Member of the now permanent House Committee on Homeland Security! What are your plans for the Committee for this Congress?

As Ranking Member of this Committee, I have a responsibility to the American people to make sure that their government is getting homeland security right. Under my leadership, strong, sustained and determined oversight of the Department of Homeland Security will be a top priority.

Our government has spent billions of dollars on various homeland security programs. In addition, Congress has passed hundreds of pages of legislation mandating new security-related programs. The Administration has created programs that are supposed to protect our ports, our food supply, our borders, our computer networks, and our critical infrastructures. It is responsible for ensuring funds get to first responders in every community – from New York to Gulfport, Mississippi – so they have the equipment to provide assistance to those who are the first on site when terrorists strike.

No one knows whether many of these programs are working well or whether the current Administration is spending our citizens’ money effectively. From what I’ve seen so far from the Department, it is not doing its job. I plan to make it Congress’ job to see that the Department and this Administration get it right.

The House Democrats plan to hold the Department of Homeland Security accountable. We are going to make sure that it knows that Congress will be keeping a very close eye on the kind of security it delivers. It's not enough for the Department to roll out a security program every week or month – or to announce that a program has beaten a deadline. I want to know that the security programs being promoted by the Department, including its cyber security programs, are real and effective – not smoke and mirrors. A press release announcing a security program does not make for real security.

The Committee on Homeland Security will hold the Department accountable. We will make sure it is doing what Congress created it to do – protecting the homeland by getting the job done.

2. What do you think are the most important cyber security issues the Committee will tackle this Congress?

The first thing I expect the Committee to tackle is the Administration’s deprioritization of cyber security in the federal government. Two years ago, there was a Special Assistant to the President for cyber security. Today, the top cyber security person is an Acting Director buried deep into the bureaucracy of the federal government. As a result, the government’s cyber security efforts are lagging and the National Strategy to Secure Cyberspace, released two years ago, remains largely unimplemented.

On January 6, my colleagues Congresswoman Zoe Lofgren and Congressman Mac Thornberry took the first steps to address this problem by introducing HR 285, the Department of Homeland Security Cybersecurity Enhancement Act of 2005, which has been referred to the Committee on Homeland Security. The legislation creates the position of an assistant secretary for cyber security within the Department of Homeland Security. This bill makes sure the Department gives the person responsible for leading our nation’s cyber security efforts the authority to get it right.

There will be other cyber security issues, including education and awareness, incentives, and research and development that the Committee will address. As the Committee’s Subcommittees take form, I expect the subcommittee that oversees cyber security will be extremely active.

3. How can policy organizations such as CSIA be of the greatest help to the efforts of Congress?

CSIA and other groups can help Congress understand what issues are most important to the communities you represent. You can tell us what the Department of Homeland Security is doing right and doing wrong. You can help us help the Department be honest and accountable to the American people about the job it is doing on homeland security.


DHS Issues National Response Plan

On January 6, 2005, the U.S. Department of Homeland Security issued its National Response Plan, which establishes a unified and standardized approach within the United States for protecting citizens and managing homeland security incidents. The Plan was created in partnership with federal departments and agencies; state, local and tribal officials; the private sector; and national and international associations.

The Plan helps standardize federal incident response actions by integrating existing and formerly disparate processes. The National Incident Management System (NIMS) will be used for standardized training, organization, and communications procedures, and a comprehensive framework has been incorporated for private and non-profit institutions as they plan and integrate their own preparedness and response activities.

The National Response Plan and the supporting National Incident Management System (NIMS) establish incident management processes to:

  • Improve coordination and integration between federal, state, local, tribal, regional, private sector, and non-governmental organization partners
  • Integrate the federal response to catastrophic events
  • Improve incident management communications and increase cross-jurisdictional coordination and situational awareness
  • Improve federal to federal interaction and emergency support
  • Maximize use and employment of incident management resources
  • Facilitate emergency mutual aid and federal emergency support to state, local, and tribal governments

The Incident Annexes address contingency or hazard situations requiring specialized application of the NRP. The Incident Annexes describe the missions, policies, responsibilities, and coordination processes that govern the interaction of public and private entities engaged in incident management and emergency response operations across a spectrum of potential hazards. These annexes are typically augmented by a variety of supporting plans and operational supplements.

The Cyber Incident Annex establishes procedures for a multidisciplinary, broad-based approach to prepare for, remediate, and recover from catastrophic cyber events impacting critical national processes and the national economy.

For more information on the National Response Plan, a fact sheet can be found at http://www.dhs.gov/dhspublic/interapp/press_release/press_release_0581.xml. The National Response Plan and the Incident Annexes are located at http://www.dhs.gov/nationalresponseplan.


CSIA in the News

CSIA Coverage

InformationWeek, January 10, 2005
Bush to Address Cybersecurity
Top E-government official envisions I.T. security as part of every project, but critics still want a top cyber security official. Paul Kurtz, CSIA's executive director and former senior director of critical infrastructure protection for the White House's Homeland Security Council, would like to see responsibility for cyber security and physical security divided between two assistant secretaries. Robert Liscouski, Homeland Security assistant secretary for infrastructure protection, now handles both.
This article also appeared in an earlier edition of InformationWeek, InternetWeek and in CRN.

CSIA Press Releases

Citrix Member Release, January 10, 2005
Cyber Security Industry Alliance (CSIA), the only CEO public policy and advocacy group exclusively focused on cyber security policy issues, today announced that Citrix Systems, Inc. (NASDAQ: CTXS), the global leader in access infrastructure solutions, has joined the organization as a Charter member, which is the highest level of CSIA membership. In addition, Mark Templeton, president and CEO of Citrix Systems, has joined CSIA’s Board of Directors.

CSIA Kicks Off Sarbanes-Oxley Compliance Initiative, December 14, 2004
Cyber Security Industry Alliance (CSIA) today kicked off an initiative on Sarbanes-Oxley compliance with the release of a report outlining the implications of Section 404 on information security. The question is no longer “whether” Section 404 covers information security, the report concludes, but rather “how” to comply with this critical section in the context of IT security.


Upcoming Events



RSA Conference 2005

Moscone Center, San Francisco, CA

The RSA® Conference, the most prestigious information security event of the year, is also the most authoritative source for uncovering new ways to thwart cyber-criminals trying to smuggle themselves into today's businesses. As such, it is a "must attend" event for organizations that deploy, develop or investigate data security or cryptography products.



Security Week Brazil

Security Week, now in its 4th edition, is one of Latin America’s premier events, conferences and expositions for the information security sector. The event is a traditional launching platform for new technologies and discussion of trends and critical issues. Executive Director Paul Kurtz of CSIA will be presenting a keynote address on A Global Sarbanes-Oxley Compliance Strategy.



InfoSec World

Orlando, FL

InfoSec World 2005 tackles the full spectrum of security challenges and offers real-world, unbiased solutions. Paul Kurtz, Executive Director of CSIA, will be participating in the CISO Executive Summit on April 3 and will be presenting on Cyber Terrorism on April 4.



Save the Date!


Washington, DC

CSIA will host a SOX Summit at the International Trade Center in Washington, DC, bringing together key stakeholders from both the corporate management and auditing communities to address that question and shed light on the implications of SOX.


New CSIA Member

CSIA welcomes our new member!

Charter Member

iPass, Inc.
CEO: Ken Denman

CSIA’s newsletter is issued monthly, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected].

To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news.

To share your comments about this newsletter or to submit information, send a message to [email protected].

Stay in touch with CSIA:
Membership questions: [email protected]
Phone: 781-876-6205

CSIA (Cyber Security Industry Alliance)
1201 Pennsylvania Avenue, NW
Suite 300
Washington, DC 20004


© 2005 Cyber Security Industry Alliance. All rights reserved.