From: www.itworld.com

Users mold security benchmark

by Patrick Thibodeau

May 14, 2001 —

 

The problem with IT security benchmarks is that the reference point is a constantly shifting target as new technologies and threats emerge.

And that's an especially difficult problem to overcome, said corporate security systems managers. They are examining the fruits of a relatively new cooperative effort that this week will yield the near-final version of a systems security benchmark for Sun Microsystems Inc.'s Solaris.

But despite concern about the benchmark's continued usefulness, end-user members of the Center for Internet Security said the organization's technical benchmark for securing Solaris systems will be key to their security efforts.

"To me, this is a great economic package for us," said Iris Patton, who heads security for the Americas at Houston-based Shell Services International Inc., the IT unit of Royal Dutch/ Shell Group. In return for the $5,000 membership fee the company paid to the CIS, it's receiving technical information that's good enough to serve as a substitute for high-priced consultants, she said.

Comparative Analysis

The CIS's benchmarking effort is primarily a technical initiative. But companies interested in broader approaches to security can take an approach similar to the one used by Ford Motor Co.

Last July, Ford embarked on a $100 million security upgrade after benchmarking its IT security processes against those of some other, noncompeting companies, including Intel Corp. and Motorola Inc.

"What level of security do they have in place?" said Patrick Milligan, Ford's manager of security, strategy and technologies, who spoke at the Secure E-Business Conference last week in Arlington, Va. Ford shared its internal assessments with the companies involved and compared their security practices with its own processes.

Milligan advised other companies considering taking a similar route to decide upfront whether to utilize consulting services in support of benchmarking or to do it internally.

While big consulting firms offer excellent consulting services, he said, "we at Ford did the benchmarking ourselves to gain a better understanding of security practices/procedures utilized in industry, so that we could effectively develop our internal strategy."

The CIS is a nonprofit, cooperative group in Bethesda, Md., that was formed last October. Its members include more than 140 companies, government agencies and consulting firms.

The benchmark outlines a list of specific operational actions and settings for securing systems at different levels of protection. It was developed through a collaborative effort that involved ongoing feedback on the benchmark's drafts from technicians at some of the member companies, such as Shell's Unix gurus.

Donna Francis, who manages compliance security and policy for the IT group at Subaru of America Inc. in Cherry Hill, N.J., said the benchmark's collaborative approach will help fill security knowledge gaps.

"A [single] company can't always experience all the things that go wrong," she said. "It's just impossible."

But the true test of the benchmark will be its usefulness over time, said Francis.

"How are they going to keep it updated?" she said. "How are people going to add their experience next year or in the coming months as things change?"

Clint Kreitner, the CIS's president and CEO, said the goal is to keep Solaris current through information it gets from members, vendors and others. The CIS will also certify tools.

Other planned benchmarks will deal with Linux and Microsoft Corp.'s Windows 2000 and NT. The organization intends to release the Solaris benchmark next month.

"This is a consensus effort," said Kreitner. "We're not a commercial organization with something to sell. The knowledge is out there; it's just unevenly distributed."

The value to companies will vary. Deborah Eagan, security coordinator at Lincoln Electric System, a Nebraska-based utility with about 110,000 customers, said that as a smaller company, Lincoln Electric will still have to use consultants. But Eagan said she believes the standard will enable the utility to "get much more out of the consulting experience."

Carmen Banks, information security manager at Hallmark Cards Inc. in Kansas City, Mo., said the benchmark will be helpful as a standard to measure subsidiary and business-partnership security.


Computerworld