10 April 1997
Source: http://www.ncsa.com/issb.html
Thanks to RH

Information Systems Security Board

Industry Outreach
- Your Participation Requested

The National Information Infrastructure Task Force (NIITF) of the National Security Telecommunications Advisory Committee (NSTAC) is investigating the advisability of establishing an Information Systems Security Board (ISSB) to improve the common understanding of the nature and purpose of information systems security. The ISSB would promote information systems security principles and standards to improve the reliability and trustworthiness of information products and services. In its investigation, the NIITF has developed a proposed model to stimulate the development of a private-sector-based focal point to enhance the security component of the NII.

A Concept Paper for the ISSB was written in July, 1996 and in December, 1996 a meeting was held to discuss to formation of an ISSB. The National Computer Security Association (NCSA) is assisting this effort by sponsoring this information on their web site to encourage participation by industry leaders and interested parties. They are making various documents available via the Web and their ftp server at ftp.ncsa.com/pub/.

On December 13, 1996, representatives from The National Information Infrastructure (NII) Task Force of The President's National Security Telecommunications Advisory Committee (NSTAC) held a meeting at Steptoe & Johnson in Washington, D.C. to discuss industry interest in developing an industry-run Information Systems Security Board (ISSB). Stewart Baker of Steptoe & Johnson discussed the antitrust laws and their application to the meeting, with particular emphasis on the need to avoid discussion of competitive conditions and to show openness to all interested participants. Guy Copeland, a representative from the Task Force, briefly discussed the ISSB model and the purposes of the meeting. Will Ozier, Chairman of the GSSP Committee, next discussed the efforts of the Generally Accepted System Security Principles (GSSP) project.

Several representatives from the Administration expressed support for the concept of the ISSB. These representatives also indicated that the Administration would like private industry to take the lead in this area and is more than willing to take "a back seat" to such an effort. These representatives did request for periodic updates on any industry driven initiative in this area.

  1. The general discussion of the ISSB concept began. In summary, the following concerns were raised by some of the participants. First, some expressed concerns about the government's role in developing, promoting, and implementing the concept. Along these lines, some expressed concerns about a privately run ISSB that appeared to be regulating instead of merely providing guidance.
  2. Issues were raised about the utility of the proposed functions for the ISSB, including testing and certifying products. In particular, concerns were expressed about creating a false sense of security in products with ISSB logos and whether the ISSB should instead focus on the larger infrastructure rather than individual products.
  3. Some participants indicated that any industry-run initiative should have international scope and recognition.
  4. Before proceeding with an industry-run initiative, some participants indicated that there must be a better understanding of the activities already undertaken in both the private sector (e.g., GSSP, National Computer Security Association (NCSA), Academic Community) and the public sector (e.g., NIST, NSA, international bodies).

Participants also expressed some support for this initiative.

  1. Some participants observed that private industry should act now or otherwise the government may begin unacceptable initiatives.
  2. Some participants recognized the need for an organization to assist with understanding the complex security issues.
  3. It was observed that uniform standards may be useful in limiting legal liability for security breaches and possibly allowing industry to obtain insurance coverage for losses.
  4. In the end, a majority of the participants decided that an exploratory committee should meet to address these issues. It was observed that the Task Force's concept was merely a model and any industry-run organization could begin from a "clean state."

John Wilson of the Information Technology Industry Council agreed to host the exploratory meeting to further discuss these issues, including the ultimate need and proper role of an ISSB. Some issues that need to be addressed by an exploratory meeting include:

  1. Role of existing organizations and whether a new organization is needed or whether an existing organization could expand its mission. Some of the existing organizations include GSSP, NSCA, Banker's Roundtable
  2. Role of the government. The consensus was that the government should not have a role, at least initially, in this effort. Still, the Committee may want to consider the work underway in this area by NSA, NIST, CCIP, and International Bodies
  3. Role of the industry-run ISSB, including its functions, structure, and its relationship to the government

What Can You Do?
We are making a number of documents available to further promote discussion of the formation of the ISSB. In the interests of time, all documents are available now by ftp (see the links below). These documents will be coded for the Web and will be posted here as soon as possible.

This page will be updated shortly with a list of contact persons. Please check back.

Downloadable Documents

[Hypertext versions of the first three documents at http://jya.com/issb2.htm]

ISSB Concept Paper
Includes purpose and background statements.

ISSB Background
Why the ISSB is needed and how this started.

Minutes of the Dec, 96 NII Task Force/ISSB Industry Outreach Meeting
Why the ISSB is needed and how this started.

Power Point Presentation
General Information

Acrobat Reader
You will need the Adobe Acrobat Reader to be able to read files in ".pdf" format. You can download Acrobat Reader at: http://www.adobe.com/prod index/acrobat/readstep.html


Industry comments on this proposal should be directed to issb@ncsa.com.