2004 01 30 larry clinton hill briefing on isa and insurance industry certification program

Upload: isalliance

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 2004 01 30 Larry Clinton Hill Briefing on ISA and Insurance Industry Certification Program

    1/15

    Larry Clinton, Operations Officer

    Internet Security Alliance

    [email protected]

    202-236-0001

    2/15

    The Internet Security Alliance

    The Internet Security Alliance is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.

    3/15

    Sponsors

    4/15

    The Past

    5/15

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    The Present

    6/15

    Growth in Incidents Reported to the CERT/CC

    Year    Incidents
    1988            6
    1989          132
    1990          252
    1991          406
    1992          773
    1993        1,334
    1994        2,340
    1995        2,412
    1996        2,573
    1997        2,134
    1998        3,734
    1999        9,859
    2000       21,756
    2001       55,100
    2002      110,000

    7/15

    Computer Virus Costs (in $ billions)

    [Chart: yearly cost range, '96 through '03 (the '03 figure is through Oct 7); y-axis 0 to 150 $ billion; per-year values not recoverable from the slide text]

    8/15

    Attacks are Inevitable

    "According to the US Intelligence community, American networks will be increasingly targeted by malicious actors, both for the data and the power they possess." National Strategy to Secure Cyberspace, 2/14/02

    "The significance of previous attacks is not in the amount of damage caused, but it foreshadows what we could face in the future." CIPB

    "Things are getting worse, not better." NYT, 1/30/03

    9/15

    Traditional Regulation Likely Ineffective

    • The problem is international
    • The Internet evolves too rapidly
    • The political consensus is deregulatory, and the need is urgent

    10/15

    Traditional Regulation Harmful?

    • An open process could provide a map of vulnerabilities
    • Private industry has better tools; inadequate tools could lead to less security
    • The political process encourages compromise; maximum effectiveness is needed so there is no false sense of security
    • Technology regulation could blunt innovation, leading to less choice, economy and security

    11/15

    ISAlliance Best Practices

    • Cited in the US National Draft Strategy to Protect Cyberspace (September 2002)
    • Endorsed by TechNet for the CEO Security Initiative (April 2003)
    • Endorsed by the National Association of Manufacturers

    12/15

    Common Sense Guide: Top Ten Practice Topics

    Practice #1: General Management
    Practice #2: Policy
    Practice #3: Risk Management
    Practice #4: Security Architecture & Design
    Practice #5: User Issues
    Practice #6: System & Network Management
    Practice #7: Authentication & Authorization
    Practice #8: Monitor & Audit
    Practice #9: Physical Security
    Practice #10: Continuity Planning & Disaster Recovery

    13/15

    ISAlliance Cyber-Insurance Program

    • Coverage for members
    • Free assessment through AIG
    • Market incentive for increased security practices: 10% discount off best prices from AIG, plus an additional 5% discount for implementing ISAlliance Best Practices (July 2002)

    14/15

    ISAlliance Incentive Model

    • Model programs for market incentives: AIG, Nortel, Visa, Verizon, SemaTech Program
    • Tax incentives
    • Liability carrots
    • Procurement model
    • Research and development

    15/15

    ISAlliance Qualification Program

    • No standardized certification program exists or will exist soon
    • ISAlliance, in cooperation with the Big 4 and the insurance industry, will create a quantitative measurement for qualification for ISA discounts as a proxy for certification
    • ISA works with CMU CyLab on certification