Category: News

The recommendations—all voluntary—are to include television advertising aimed at small businesses and data collection research with the federal government, according to sources involved in the planning.

A little more than a year after the White House released its National Strategy to Secure Cyberspace, which includes a blueprint showing the private sector how to improve network security, federal policy-makers remain concerned that industry-owned networks are vulnerable to terrorist attack.

Patrick Leahy, D-Vt., said the country has been fortunate that terrorists have not infiltrated U.S. networks. “We can assume, unfortunately, that they would if they had the opportunity,” Leahy said. “It is essential that we work with the private sector to thoroughly assess our weaknesses and take steps to deal with them.” “In most cases, the recommendations will be more like road maps of what we need to do to get where we want to be,” said Gary Garcia, vice president of information security policy at the ITAA.

A primary aim of the industry-led initiative, which comprises five task forces, is to encourage buy-in from stakeholders, including infrastructure owners, users and vendors, Garcia said. To reach out to smaller businesses and individual users, the task forces are recommending public awareness campaigns, sources said.

The fear is that Congress will impose expensive new security obligations on corporations because so much of the country’s interdependent infrastructure is held in private hands. Last year, Rep. Adam Putnam, R-Fla., floated the idea of mandating security audit reporting, but Putnam is still talking with industry leaders about alternative proposals, an aide said.

While much of the task forces’ work sets only a framework for improving network security, some recommendations will provide specific direction, sources said. The plans will include detailed schedules and will recommend projects for improved education, such as including a network security course in the ordinary curricula at community colleges, Schmidt said. Before month’s end, the industry group plans to launch a Web site enumerating its recommendations and other information to better secure private networks, sources said.

http://www.eweek.com/article2/0,4149,1542841,00.asp?kc=EWRSS03119TX1K0000594

The SEC separates companies into two categories: accelerated filers and non-accelerated filers.

Accelerated filers, generally U.S. companies with equity market capitalization over $75 million that file at least one annual report with the SEC, now have until Nov. 15, 2004 to comply with Section 404 of Sarbanes-Oxley.

Non-accelerated filers, on the other hand, now must begin to comply with Section 404 for their first fiscal years ending on or after July 15, 2005, rather than the original April 15, 2005 deadline.

The extensions weren’t unexpected, since many companies have been lobbying the SEC for later deadlines, claiming that they wouldn’t be ready to implement the required controls. The SEC, in fact, has extended deadlines for Sarbanes-Oxley before; in May 2003, it shoved back a proposed October 2003, deadline into June 2004.

More info: http://www.securitypipeline.com/news/18200989;jsessionid=TEW4AMCIOMSLEQSNDBCSKHQ

The unnamed technology — Xerox refers to it as a categorizing tool — is available now, and can be licensed by enterprises that want to incorporate it into existing document systems, as well as by third-party software vendors in the document management, customer relationship management, and information retrieval markets, said Xerox.

The Xerox tool, said Eric Gaussier, a researcher at the Grenoble facility, uses a hierarchical model able to understand the dependency between multiple categories, unlike so-called “flat” search and retrieval tools which treat each category separately.

More info: http://www.techweb.com/wire/story/TWB20040226S0008

Introduced at security software maker RSA’s ongoing conference in San Francisco, the group has been christened the Cyber Security Industry Alliance (CSIA) and will be headed by Paul Kurtz, a former special assistant to the president who has worked on technology issues for the White House’s Homeland Security Council.

Among the 12 companies represented in the organization are security specialists such as Check Point Software, Computer Associates International, Entrust, Internet Security Systems, Network Associates, Symantec and RSA. The overriding goal of CSIA would be to gather input from leading cybersecurity providers and create initiatives for proposals to fellow technology vendors and government regulators alike. The group will be broken up into four committees that address the association’s major areas of interest.

Although Microsoft and other information technology leaders were not asked to be directly involved with the organization, Kurtz said it would be critical to generate participation from such companies in order to gain support for CSIA measures.

More info: http://zdnet.com.com/2100-1105_2-5165204.html

The pair, both software-based, include Proventia Web Filter, a content filtering package for Web gateways, and Proventia Mail Filter, an anti-spam filtering agent also deployed at the gateway.

Web Filter relies on a database of more than 20 million Web sites and some 2.6 billion individual pages, all categorized under labels such as online shopping and erotic content. Companies use this database, and a set of customizable rules, to define what their employees can access, when they can surf to sites, and the enforcement actions taken if workers try to reach forbidden content.

Both packages are available now under Cobion’s OrangeBox brand, and will ship under ISS’s own Proventia brand name in the second quarter.

ISS also plans to wrap the new software into hardware-based appliances — its Proventia family is primarily appliance-based — in the second quarter of 2004.

More info: http://www.techweb.com/wire/story/TWB20040225S0007

A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.

Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the June deadline for Section 404 compliance facing many public companies.

Stan Lepeak, vice president of the research firm Meta Group, believes that incompatibilities between SAS 70 and Sarbanes-Oxley will “dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that.” Tom Eubanks, of IBM business consulting services, isn’t so sure. “On first blush,” he says, “one might think, ‘Why would you outsource in a world where Sarbox is in place…and the magnifying glass is on the finance function?’ ” But what Eubanks and his colleagues are finding, he adds, is that “companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues.”

All in the Timing Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports.

Type I includes the service auditor’s opinion on the fairness of the presentation of the provider’s description of its controls and how well they’re designed to meet specified control objectives.

Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor’s opinion on the effectiveness of the controls during the period under review.

More info: http://www.cfo.com/article/1,5309,12161|0|C|1|,00.html