
Page 1: Information Security: It’s Everyone’s Business September 16, 2003 Greg Garcia, Vice President, Information Security ITAA

Information Security: It’s Everyone’s Business

September 16, 2003

Greg Garcia, Vice President, Information Security

ITAA

Page 2:

About ITAA

• National 450+ Member Company Association
• Leading Corporate Names in IT
• Established in 1961
• Leader in Public Policy Advocacy, Business Development, Networking Programs
• Capitol Hill and White House Liaisons
• 200 Member-Driven InfoSec Committee
• DC and West Coast Offices

Page 3:

A Brief History of Time – Cyber Attacks Increase

• Denial of Service Attacks in 2000….
• …Spurred implementation of PDD 63 and establishment of sector coordinators (ITAA)
• More attacks from Anna Kournikova, ILoveYou virus, Code Red, NIMDA
• Cyber security makes its way onto the nation’s radar (and computer) screens

Page 4:

A Brief History of Time – Government Focuses

• 2002-03, White House releases National Strategy to Secure Cyberspace with 5 priorities:
  • National Cyberspace Security Response System
  • Threat and Vulnerability Reduction Program
  • Awareness and Training Program
  • Securing Governments’ Cyberspace
  • National Security and International Cyberspace Security Cooperation

Included creation of Cyber Security “Czar”, which ITAA began advocating in 1999

Public/Private Partnership is Overriding Theme as 85% of the network is owned and operated by private enterprise

Page 5:

A Brief History of Time – Government Focuses

• …After Cyber Security leadership left the White House, the National Strategy was in suspended animation without someone in charge to implement it

• Physical security wasn’t enough; no physical security without cyber security

• At urgings of ITAA, and many inside government, Homeland Security Department created the National Cyber Security Division within IAIP

• New NCSD Director, Amit Yoran, will have large job surmounting bureaucratic obstacles, but ITAA committed to helping make it work

Page 6:

A Brief History of Time – NCSD Mission Defined

• Identify risks and vulnerabilities, and coordinate with the private sector

• Oversee a consolidated “war room” Cyber Security Tracking, Analysis, & Response Center (CSTARC) for advance warning and incident response coordination with federal, state, local, private sector and international partners;

• CSTARC absorbed into new “U.S. CERT” announced September 15, 2003

• Help build cyber security awareness and education programs and partnerships with consumers, businesses, governments, academia, and international communities.

Page 7:

Costs of Cyber Security Breaches are Real

• CERT reports more than 76,000 incidents in the first half of 2003, almost as many as the 82,000 reported in all of 2002
• CSI/FBI 2003 report found 75% of respondents with financial losses
• $202 million in losses for those reporting
• Proprietary information losses over $70 million
• Denial of Service losses pegged at $65 million
• But still no good national metrics exist for evaluating our readiness and measuring improvement

Page 8:

What We Do About It

Information Sharing is Paramount…

• Within the company: training and awareness; e.g., ITAA I–ACERT Online Awareness Test
• Within the industry: ISACs
• Across industries: Partnership for Critical Infrastructure Protection – (PCIS)
• With government and law enforcement: FOIA exemption helps
• Internationally: OECD Guidelines

Page 9:

What We Do About It

Private Sector Response Must Adapt and Mobilize

• Without action, government mandates will result
• CA – Identity Theft Law is a good example
• Government is watching private sector leadership and action
• Develop infosec metrics and constantly review our progress

Page 10:

What ITAA is Doing About It

www.itaa.org/infosec

• Established Information Security Committee in 1997
• PDD 63 Sector Coordinator
• “National Strategy to Secure Cyberspace”
• “The Long Campaign: Information Assurance in the Age of Cyber Terror”
• Information Assurance in the States and Other National and Regional Events
• IT Information Sharing and Analysis co-founder and partner, www.it-isac.org
• Founding Sponsor, National Cyber Safety Alliance
• CyberCitizen -- www.cybercitizenship.org
• Founder and Board Member, PCIS
• Created “I-ACERT”, an online information security awareness test – “for the rest of us”
• Building a National Information Security Metrics Survey to Determine a Baseline, Measure Progress, and Inform Public Policy and Investment

Page 11:

What Government Can Do About It

• Strengthen Infosec requirements and accountability
• Fund and Spend on Infosec in DHS and Elsewhere
• Implement National Plan
• Defend FOIA Exemption
• Implement Safety Act Regulations

Page 12:

Going Forward …

• The Challenges are Many
• Industry and Government are Stepping Up, but…
• More Can Be Done
• Collaboration is Key
• Need to solidify the “culture of security”

Page 13:

Thank You!

To Follow Up…

Greg Garcia
Vice President, Information Security
[email protected]