
Industry IT Security Certification Proposed

Posted by Soulskill
from the measuring-and-documenting-your-weaknesses dept.
Roberto123 writes "The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"
  • War Cap (Score:5, Insightful)

    by causality (777677) on Saturday February 19, 2011 @07:40PM (#35256782)

    As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:

    • War on (some) Drugs
    • War on Poverty
    • War on Terror
    • War on Obesity

    Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.

    Is that really so much to ask? It'd be easier than what we are doing now.

  • by MickyTheIdiot (1032226) on Saturday February 19, 2011 @07:55PM (#35256848) Homepage Journal

    All "certifications" are scams at some level. Some worse than others, but at some point it's about wanting to get your money while doing very little. It will create a nice new market for testing centers, book writers and publishers, and study material makers, but will ultimately do very little. Think how much Microsoft Certified Engineer....

  • by the_Bionic_lemming (446569) on Saturday February 19, 2011 @08:11PM (#35256926)

    I fully support this - as long as we can hold policy makers to the exact same standards of punishment when things go wrong (like recessions, budget shortfalls, and other issues).

  • by Zemran (3101) on Saturday February 19, 2011 @08:27PM (#35256990) Homepage Journal

    ... I will be busy building a new wooden fence around my property to keep out flies. I think that I will be about as successful ...

  • Re:Oh good. (Score:4, Insightful)

    by ozmanjusri (601766) on Saturday February 19, 2011 @08:46PM (#35257074) Journal

    push us further towards a "Standards and Compliance" posture, and not a real security posture.

    There's a reason for that.

    Echoing the comments of Microsoft security chief Scott Charney from his Tuesday keynote calling for a “collective defense” of the Internet

    The manufacturer of the deeply flawed system at the heart of most security problems wants everybody else to pay for the consequences, so they're lobbying lawmakers. They'd also be pretty happy if it props up a few buggy whip businesses on the way.

    What's the bet the certification requirements will read like:

    1. Microsoft IIS Server (TM) is current and patched.
    2. McAfee Antivirus (TM) installed and updated.
    3. Microsoft .NET (TM) registered with Microsoft update and verification tool.
    4. All online systems pass Microsoft WGA (TM) checks.
    5. ...
    6. Profit.
