Event

On 19 September 2012, Jay Rockefeller, a U.S. senator from West Virginia, sent a letter to Fortune 500 CEOs requesting that they detail how they implement cybersecurity measures at their respective firms. Senator Rockefeller requested a response by 19 October 2012.

Analysis

While CEOs are not legally obligated to respond, we believe companies should respectfully comply with congressional requests. While the government can establish a better context for security information sharing and regulation, organizations must recognize the risks and benefits. Government can establish guidelines in a reasoned manner; instead of acting rashly after a cyberattack.

Listed below are eight questions posed by Senator Rockefeller and our notes and suggested responses:

1. Has your company adopted a set of best practices to address its own cybersecurity needs? Response: Yes.
2. If so, how we re these cybersecurity practices developed? Response: Via a strong risk-oriented governance process in which senior managers identified high-value assets and at-risk business processes, and then determined security policies to provide protection.
3. Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them. Note: Mention Gartner resources, if appropriate.
4. (a) When were these cybersecurity practices developed? (b) How frequently have they been updated? (c) Does your company's board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices? Response: (a) We have developed practices over time. (b) They are under continuous review by our risk governance structure; technology professionals; and directors. (c) Yes.
5. Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices? Note: If you are in a regulated industry, indicate how regulations influence how you formulate cybersecurity foundations of risk management, security governance and architectures.
6. What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, the best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012? Note: While the government has a role to play in security information sharing, Gartner believes industries should work with government to ensure a balance between improvements in national security (with minimal harm to privacy and liberty), and minimal impact on the industry and taxpayer.
7. What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation's cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012? Note: The same note for Question 6 applies here as well.
8. What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country's most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012? Response: Government efforts have not clearly defined critical infrastructure.

Chief information security officers:

• Proactively request approval from your CEO to provide input on any planned response to Senator Rockefeller's letter.
• Work actively with government regulators to develop reasonable security guidelines.

Some documents may not be available as part of your current Gartner subscription.

• "Blocked U.S. Cybersecurity Act Will Be Back" — Bipartisan support for a strong cyberdefense plan for critical infrastructure indicates that lawmakers eventually will pass cybersecurity legislation. By French Caldwell and Richard Hunter
• "Understanding the Components of Compliance" — Sustaining a successful compliance program is an ongoing process. By John A. Wheeler and French Caldwell