The Seattle Times: Business & Technology: Cybersecurity is job of CEO, report says

Your account

Today's news index

Weather

	NEWS / HOME
	LOCAL

	BUSINESS/TECH

	Microsoft

	Boeing/aerospace

	Biotech

	NW companies

	Stock market

	Personal technology

	Events calendar

	COLUMNISTS
	Paul Andrews
	Daneen Skube

	NATION/WORLD

	POLITICS

	CONSUMER

	EDUCATION

	OBITUARIES

	SPECIAL PROJECTS



	OPINION



	SPORTS



	ENTERTAINMENT



	HEALTH



	TRAVEL / OUTDOORS



	LIVING



	PACIFIC NW MAGAZINE



	COMICS / GAMES



	PHOTOGRAPHY



	NWCLASSIFIEDS



	NWSOURCE



	SHOPPING



	SERVICES

Monday, April 12, 2004 - Page updated at 12:00 A.M.

Weekly interest and loan rates | Home values

Northwest stock contest 2004 | Consumer affairs

Cybersecurity is job of CEO, report says

By Jonathan Krim
The Washington Post

	E-mail this article

	Print this article

	Search archive

Chief executives of U.S. corporations and their boards should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said.

The group stopped short of urging legislation requiring CEOs to certify their companies' cybersecurity measures, as they are required to do for financial statements. But in a report scheduled to be released today, the group said cybersecurity should be taken just as seriously by top management.

"The best way to strengthen U.S. information security is to treat it as a corporate-governance issue that requires the attention of boards and CEOs," the report said. For too long, it said, top executives have ignored computer security or left it to technology officers, who might not have the clout or inclination to make necessary changes.

The report is the latest produced with the Homeland Security Department to address computer breaches that have cost businesses and consumers billions of dollars. Members of the 37-member task force included representatives from academia and companies such as Intel and Verisign.

Early last year the Bush administration announced a national strategy to improve cybersecurity. But after heavy lobbying from technology companies, the initiative recommended no mandates on the private sector and left it up to the companies to devise self-regulatory steps for improvement.

The new report rejects government mandates but recommends that auditing firms examine cybersecurity readiness when certifying companies have adequate internal and financial controls.

"Any system of internal control ... has to take into account cybersecurity," said Arthur Coviello, chief executive of RSA Security and co-chairman of the group. If such auditing takes place, he said, government regulations won't be necessary.

The plan would require major auditing firms to agree on guidelines for evaluating cybersecurity controls.

The report also lays out how companies should incorporate cybersecurity into their corporate-governance procedures and recommends the proposals be adopted by all companies.

The recommendations include requiring chief executives to order annual security evaluations and to report the results to their boards of directors.

The task force does not suggest a deadline but asks companies to certify on their Web sites that they have adopted the guidelines. It urges the Department of Homeland Security to push companies to adopt them.

More business & technology headlines

BUSINESS/TECH NEWS
SEARCH



	Today		Archive

Advanced search