Post on 05-Apr-2018
7/31/2019 2004 01 30 Larry Clinton Hill Briefing on ISA and Insurance Industry Certification Program
Larry Clinton
Operations Officer
Internet Security Alliance
lclinton@eia.org
703-907-7028
202-236-0001
The Internet Security Alliance
The Internet Security Alliance is a collaborative effort between
Carnegie Mellon University's Software Engineering Institute (SEI)
and its CERT Coordination Center (CERT/CC) and the Electronic
Industries Alliance (EIA), a federation of trade associations with
over 2,500 members.
Sponsors
The Past
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Present
Growth in Incidents Reported to the CERT/CC
[Chart: incidents reported per year, 1988 through 2002; vertical axis 0 to 120,000]
Computer Virus Costs (in billions)
[Chart: cost in $ billion per year, '96 through '03 (through Oct 7); vertical axis 0 to 150]
Attacks are Inevitable
"According to the US Intelligence community American networks will be increasingly targeted by malicious actors both for the data and the power they possess." (National Strategy to Secure Cyberspace, 2/14/02)
"The significance of previous attacks is not in the amount of damage caused but it foreshadows what we could face in the future" (CIPB)
"Things are getting worse not better." (NYT 1/30/03)
Traditional Regulation likely Ineffective
The problem is international
The Internet evolves too rapidly
The political consensus is deregulatory and the need is urgent
Traditional Regulation Harmful?
Open process could provide map of vulnerabilities
Private Industry has better tools; inadequate tools could lead to less security
Political Process encourages compromise. Need max effectiveness so no false sense of security
Tech regulation could blunt innovation leading to less choice, economy, security
ISAlliance Best Practices
Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
Endorsed by TechNet for CEO Security Initiative (April 2003)
Endorsed National Association of Manufacturers
Common Sense Guide
Top Ten Practice Topics
Practice #1: General Management
Practice #2: Policy
Practice #3: Risk Management
Practice #4: Security Architecture & Design
Practice #5: User Issues
Practice #6: System & Network Management
Practice #7: Authentication & Authorization
Practice #8: Monitor & Audit
Practice #9: Physical Security
Practice #10: Continuity Planning & Disaster Recovery
ISAlliance Cyber-Insurance Program
Coverage for members
Free Assessment through AIG
Market incentive for increased security practices
10% discount off best prices from AIG
Additional 5% discount for implementing ISAlliance Best Practices (July 2002)
ISAlliance Incentive Model
Model Programs for market Incentives: AIG, Nortel, Visa, Verizon
SemaTech Program
Tax Incentives
Liability Carrots
Procurement Model
Research and Development
ISAlliance Qualification Program
No Standardized Certification Program Exists or will exist soon
ISAlliance in cooperation with big 4 and insurance industry create quantitative measurement for qualification for ISA discounts as proxy for certification
ISA works with CMU CyLab on Certification