By Clint Kreitner, CEO, The Center for Internet Security
It is a sobering reality that the information assets of any organization that has a computer connected to the Internet, if only for email, are being exposed to unacceptable levels of risk.
Operating systems and other software products are shipped with their security features open rather than closed, and users have no means of communicating with a single voice to vendors about what security settings they want out of the box. That, coupled with the shortage of skilled security professionals, means tens if not hundreds of thousands of computers are delivered every month to customers who put them to work with little help available to secure them.
Security, like safety, is relative. Can we be sure that systems connected to the Internet are completely safe from unauthorized intrusion? No more than we can be sure that every time we venture onto the highway or take an airline flight, we will be guaranteed a safe arrival at our destination.
Information security is about managing organizational risk down to a prudent level, the first consideration being business risk. What damage can be done to your organization's reputation if your computers are repeatedly successfully hacked? What does that say about the quality of your organization and its management?
Second, what is your legal liability if, for example, confidential customer information is hacked from one of your systems, and that customer sues you for damages related to the compromise? The burden will be on you to prove you exercised due care, meaning you followed a recognized standard in your type of business. A number of useful policy and process level security standards are available, but a need exists for detailed operational level specifications that will enhance information system security.
The Center for Internet Security was formed last year to help users meet the challenges and needs noted above. The Center's 150+ members, representing more than 16 countries, are involved in a collaborative process to glean the best security practices, organize that information into practical benchmarks, and make those benchmarks widely available.
Organized as a not-for-profit enterprise, the Center is currently working with its members to develop benchmarks for prominent operating systems, including Solaris, Windows NT, Windows 2000, AIX, IRIX, HP-UX and others.
Each benchmark includes a security ruler, listing a continuum of settings that make a system relatively more secure. A particular organization selects from the scale the settings that are appropriate for its business circumstances. Industry specific rulers will facilitate peer-to-peer comparison. The benchmark includes information relating to the why, when, and how each of the settings can or should be used.
Security software vendors will soon develop automated tools for users to validate the continued implementation of the benchmark security settings they choose. An organization presenting third-party documentation of continuing compliance with the benchmark settings will be eligible to receive documentation from the Center officially noting their level of sustained security compliance.
Knowing a potential business partner's security status in this way will be useful when considering a relationship that involves connecting their systems to yours. When negotiating premiums for insurance coverage, there will be a more explicit basis for underwriting that coverage.
By providing users with widely recognized detailed definitions of prudent security practice, the Center and its members hope to make it possible for all organizations to ensure they maintain a prudent level of security and thus provide appropriate protection for their organization's reputation and information assets.
The challenge is larger than each of us as individual organizations can handle, and therefore, one that calls for a committed cooperative effort in pursuit of the common good. Tackling this challenge is simply the right thing to do in the ever more connected world in which we live and work.
Information about the Center may be found at its website at www.cisecurity.org.