From: dcapuano@icsa.net
Sent: Monday, February 28, 2000 1:35 PM
To: advisorycommittee@ftc.gov
Subject: Upcoming Advisory Committee on Online Access and Security

Dear Advisory Committee Members,

In the document titled "FTC Privacy Panel - Security 1 Working Group - Preliminary Outline of Issues", you mention the following Seal Programs:

iii. Seal programs
a. TRUSTe
b. BBBOnline
(1) Reliability seal program
(2) Privacy seal program
(3) Web Trust (AICPA)
c. PricewaterhouseCoopers

My company, ICSA.net, has been active in a "seal program" since 1997 and would like to be formally added to the list of programs you consider as "adequate".  Our service, TruSecure (http://www.TruSecure.com/), currently has been adopted by over 300 corporations as their vehicle towards security and privacy assurance.  Through our service we work with our customers to reduce risks and improve security by using a well-defined methodology based on extensive security expertise.  Throughout the process, our customers' staff is involved in working with us to accomplish the implementation of essential security practices.  These practices cover six categories of risk we consider critical.

1.  Privacy

Privacy is an important element in almost all areas of information technology. Privacy concerns may involve employee data, personal customer information, proprietary strategic information, and possibly information with national security implications.

2.  Electronic threats and vulnerabilities

Electronic threats and vulnerabilities of concern typically fall under three broad categories: sniffing, spoofing, and hacking.

3.  Downtime

Today, one of the most highly publicized attacks from the criminal underground is the denial of service. Denial of service can arise from something as simple as a flood of e-mail messages or from repeated queries sent to the devices on an Internet-visible network. Other denial of service attacks may involve installation of logic bombs, which are programs that have unexpected and harmful effects when certain trigger conditions are met. Denial of service may also occur without malicious intent, through errors and omissions, and undiscovered bugs in commercial or proprietary software.
These unexpected problems can cause enormous damage to organizations that depend on timely access to their computers and networks. Looking further afield, one finds denial of service resulting from fire, water damage, inclement weather, earthquakes, electrical power failures, civil unrest and other conditions generally outside the control of the customer.

4.  Malicious code

Organizations that follow relatively simple rules can be diligent against most viruses, worms and Trojan horses. The same holds with modest attention to policies governing the use of Java, JavaScript, ActiveX, and cgi-bin scripts.

5.  Physical security

Under physical factors, TruSecure analysts look at susceptibility to theft--especially theft of documents, computer components and laptop computers. The analysts also look for physical problems that contribute to a breakdown of information security; e.g., sticky notes showing passwords, signs informing passers-by of the location of valuable network equipment, and so on. Under this category, we also look at perimeter defenses such as gates, locks, guards, surveillance, and mechanisms for alerting security personnel and law enforcement officials in cases of physical intrusion.

6.  Human Factors

TruSecure includes practical reviews to verify that policy and procedures fully support an overall security posture.

I appreciate your formal consideration.

David Capuano
Director of Product Management
ICSA.net