ClarkeTouts Broad Approach To IT Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


ClarkeTouts Broad Approach To IT Security

The former federal counterterrorism czar offered 10 steps to help secure IT installations.

Richard Clarke, best known as the former counterterrorism czar for presidents Bill Clinton and George W. Bush, ended his government career as the White House adviser to the President on Cyberspace Security. He's now bringing that expertise to the IT world.

In an Internet presentation sponsored by RSA Security Inc., Clarke on Thursday sounded the alarm on some possible threats, but also unveiled a list of 10 steps, or checkpoints, to help secure IT installations. Clarke, now chairman of Good Harbor Consulting, advocates a broad approach to IT security, employing what he terms "a holistic view of risk."

Clarke noted that the broad area of IT security is growing has traditionally been slighted by top management in large corporations. He said management--including CEOs, board directors, CIOs, CFOs, HR heads, and internal auditors--should meet regularly to discuss security issues. "This whole group needs to get together once a month," he suggested.

Security issues are rapidly growing in importance to business, he said, noting that not only do top executives have to pay attention to legislation like Sarbanes-Oxley and HIPAA, but also that there is much pending legislation--on both the national and state levels--that could benefit from input from informed IT managers and from involved top management. "This [can be] about showing the Congress that you don't need to be regulated, because you're doing it yourself," he said.

He ticked off a list of proposed legislation that could become law. The SEC is considering supporting legislation that would require an IT-security readiness statement to be filed with the SEC annually. The FCC is examining regulations that would require ISPs to beef-up their security. Also under consideration, he noted, is legislation aimed at improving security at chemical and electric-power plants.

Clarke listed 10 steps for businesses to follow:

* Establish automatic monitoring of compliance and auditing capabilities of networks. "Every day you can see if you're secure," he said.

* Acquire a patch-management system and service. Noting that 50 or 60 patches are issued each week by software providers, Clarke called patching "the No. 1 headache of CIOs."

* Set up an identity-access-management system, preferably a two-factor password-ID system. "Almost any password can be broken" by programs easily available on the Internet, he noted.

* Data should be encrypted in sensitive areas. He said proposed California legislation calls for many IT organizations to encrypt data.

* Participate in an early-warning system, preferably with an organization with a set of detect sensors.

* Establish rigorous security-oriented service-level agreements with ISPs. Clarke indicated that the FCC is considering making this provision mandatory for certain IT users.

* Institute an IT security-awareness program, a sort of catch-all program that would educate staff on widespread security aspects of their networks.

* All software--not just products from Microsoft--should be systematically tested. Clarke noted that buffer-overflow problems have been cited for years but little has been done to correct the problem. He said there is a need for "software products that test software."

* Secure the physical part the IT organization to make sure that intruders can't just walk in and violate security.

* Address "the road-warrior problem," as illustrated by network users logging in from remote locations who unknowingly have infected software, typically on laptops.

Clarke also addressed the possible security threat posed by the offshore outsourcing of IT operations. "I don't think it's a problem," Clarke said. "Some Indian companies do a better job than U.S. companies."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
IT Careers: 10 Industries with Job Openings Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/27/2020
How 5G Rollout May Benefit Businesses More than Consumers
Joao-Pierre S. Ruth, Senior Writer,  5/21/2020
IT Leadership in Education: Getting Online School Right
Jessica Davis, Senior Editor, Enterprise Apps,  5/20/2020
Register for InformationWeek Newsletters
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll