Sent: Monday, February 28, 2000 1:35 PM
Subject: Upcoming Advisory Committee on Online Access and Security
Dear Advisory Committee Members,
In the document titled "FTC Privacy Panel - Security 1 Working Group - Preliminary Outline of Issues", you mention the following Seal Programs:
My company, ICSA.net, has been active in a "seal program" since 1997 and would like to be formally added to the list of programs you consider as "adequate". Our service, TruSecure (http://www.TruSecure.com/), currently has been adopted by over 300 corporations as their vehicle towards security and privacy assurance. Through our service we work with our customers to reduce risks and improve security by using a well-defined methodology based on extensive security expertise. Throughout the process, our customers' staff is involved in working with us to accomplish the implementation of essential security practices. These practices cover six categories of risk we consider critical.
1. Privacy
Privacy is an important element in almost all areas of information technology. Privacy concerns may involve employee data, personal customer information, proprietary strategic information, and possibly information with national security implications.
2. Electronic threats and vulnerabilities
Electronic threats and vulnerabilities of concern typically fall under three broad categories: sniffing, spoofing, and hacking.
3. Denial of service
Today, one of the most highly publicized attacks from the criminal underground is the denial of service. Denial of service can arise from something as simple as a flood of e-mail messages or from repeated queries sent to the devices on an Internet-visible network. Other denial of service attacks may involve installation of logic bombs, which are programs that have unexpected and harmful effects when certain trigger conditions are met. Denial of service may also occur without malicious intent, through errors and omissions, and undiscovered bugs in commercial or proprietary software.
4. Malicious code
5. Physical security
Under physical factors, TruSecure analysts look at susceptibility to theft--especially theft of documents, computer components and laptop computers. The analysts also look for physical problems that contribute to a breakdown of information security; e.g., sticky notes showing passwords, signs informing passers-by of the location of valuable network equipment, and so on. Under this category, we also look at perimeter defenses such as gates, locks, guards, surveillance, and mechanisms for alerting security personnel and law enforcement officials in cases of physical intrusion.
6. Human Factors
TruSecure includes practical reviews to verify that policy and procedures fully support an overall security posture.
I appreciate your formal consideration.