NEWS AT SEI
This article was originally published in News at SEI on: December 1, 2001
The Internet has grown exponentially in the last decade. As the infrastructure has grown so has the number of users. What was once a small community of professionals exchanging research information has become a diverse group of students and researchers, novices and experts. As users have become more diverse, so have the hardware, software, and services available from Internet service providers, Web sites, programmers, and technology companies.
This particular combination of users, services, and high expectations poses serious threats to industries and organizations who now live in an electronic world where, ten years ago, trust was typically assumed.
The Internet Security Alliance was created to provide a forum for information sharing and leadership on information security issues. It represents industry's interests to legislators and regulators and aims to identify and standardize best practices in Internet security and network survivability while creating a collaborative environment to develop and implement information security solutions. The alliance is a collaborative effort between Carnegie Mellon's Software Engineering Institute (SEI), its CERT® Coordination Center (CERT/CC), and the Electronic Industries Alliance (EIA), a federation of trade associations.
The Mission of the ISA
The mission of the ISA is to use the collective experience of its members to promote sound information security practices, policies, and technologies that enhance the security of the Internet and global information systems.
The ISA offers members a single portal for up-to-the-minute threat reports, best security practices, risk management strategies, and more, which will give them the edge in the competitive and volatile environment of the Internet. Further, the Internet Security Alliance will undertake these and other crucial activities:
- Provide early warning of emerging security threats
- Facilitate executive-to-executive communications about solutions to threats and emerging trends
- Conduct research leading to identification and resolution of root causes of problems
- Develop training and certification programs in information assurance and other fields
- Initiate standard-setting activities on the foundation of EIA's 75-year heritage in the standards world
- Develop organizationally viable models for integration and adoption of security practices
Benefits of Membership
ISA membership benefits are many-fold. Members receive otherwise unobtainable early warnings of information security threats, as well as mitigation strategies, expert analysis of reported software vulnerabilities and intruder activity, the opportunity to contribute to the development of industry standards, and a forum to collaborate with staff from other organizations across multiple industries on shared information security concerns.
A key distinction between the ISA and existing groups organized around information security issues is the breadth of its activities. Many of the existing information security groups are centered around specific issues and industries or market sectors. The ISA aims to cut across industries and market sectors to develop a truly global approach to the problems inherent in electronic commerce and communications. While the ISA will readily promote information sharing among its membership, it also will provide advance notice and detailed analysis of information security threats, access to historical software vulnerability and intrusion data, as well as a means to develop globally recognized standards and practices.
Internet security continues to be a critical issue facing today's corporations and small businesses. By combining the strengths of its diverse membership, the Internet Security Alliance offers its members the opportunities to both share their experiences and develop helpful solutions to some of today's Internet problems. The initial core efforts for the Internet Security Alliance will cover the following areas: Management Practices, Technology, and Policy. Each of these working groups is challenged to provide input and knowledge toward establishing a base set of recommendations in its respective area for the whole of the membership.
Management practices are a core element of Internet security. The challenge for this working group is to determine, along with Alliance staff, overall best practices for Internet security. The following are some of the areas that the management practices working group is concentrating on for Alliance members:
- Establish the Internet Security Alliance as an accredited standards organization
- Determine business risk metrics
- Develop cost vs. loss tables
- Develop a standard process to calculate business loss
The technology working group will be primarily responsible for facilitating the ISA's efforts in information sharing, tools exchange, early threat warning, and vulnerability analysis. Technical staff will also work with the technology working group on dispersing technical threat reports as well as participating in upcoming white papers and reports.
The recent call for legislation to assist in helping defend governments and corporations from the threat of cyber attack truly denotes the importance of sound policy. The policy working group is charged with determining valid recommendations to government bodies on information security issues. Though the Internet Security Alliance does not include government entities as potential members, corporate leadership in public forums on information security is critical. The policy working group will look at global policies and legislative priorities that affect companies around the world. Legislation dealing with issues such as privacy and information sharing continues to be an important step for the private sector to undertake. Here are some preliminary objectives that the policy working group will be considering:
- Establish Internet Security Alliance Privacy agenda; defending against potentially binding legislation that may be introduced or is already in existence
- Promote legislation calling for increased levels of information sharing among corporations and government
Membership in ISA is open to corporations from around the world.