Should there be a higher authority for Internet security?
With billions of dollars transacted daily via the Internet and online banking growing, some say it's high time for industry to collaborate on a stringent security doctrine to hold organizations accountable for operating, providing and commercializing Internet service.
"I'm held to accountability through Sarbanes-Oxley (SOX) and all these other regulatory requirements," says Larry Jarvis, vice president of network engineering for Fidelity Investments. "That doesn't exist for some of these critical elements in the Internet."
Jarvis recommends forming and funding a joint commercial/governmental/academic body to define and enforce security standards for the Internet. But Internet security experts say previous attempts have failed because of the evolving nature of computer and network security technology.
"I think it would be impractical," says Steve Bellovin, a computer science professor at Columbia University and a member of the Internet Corporation for Assigned Names and Numbers' Security and Stability Advisory Committee. "The track record of the industry in evaluating stuff against security guidelines is not good. It's very difficult to get a system certified, and once you get something certified it's obsolete. If nothing else, computer systems don't stand still."
Some smaller, specific procurement-focused edicts have worked, says Alan Paller, director of the SANS Institute for security training, certification and research. Paller cites the $500 million U.S. Air Force contract awarded to Dell and others last year for systems that complied with the Air Force's security and patching requirements.
The Air Force specification, developed with guidance from the Center for Internet Security, will lower the cost of patching by $100 million by eliminating 85% of known vulnerabilities, according to CIS.
"In war, Patch Tuesday doesn't sound real good," Paller says, referring to Microsoft's monthly issuance of software fixes. "I can't imagine a large company being not at least interested in following this."
Paller also is a member of the procurement subgroup of the Corporate Information Security Working Group (CISWG) of the Institute for Internal Auditors, which recommends procurement guidelines and best practices for improving information security in the public and private sectors. CISWG comprises 25 senior officials from business, academia and elsewhere, and is chaired by Rep. Adam Putnam (R-Fla.), chair of the U.S. House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
"That is the industry/governmental collaborative effort" for Internet security, Paller says, but adds that the controversial body's recommendations have been "softened over and over again."
Another group that recommends best practices for secure IT procurement is BITS, a nonprofit, CEO-driven financial services industry consortium made up of 100 of the largest financial institutions in the U.S. Its Security and Risk Assessment (SRA) Working Group shares best practices and strategies for developing secure infrastructures, and promotes compliance with security requirements before software products are released. The organization also conducts product testing and certification against baseline security criteria established by the industry.