The Corporate Information Security Working Group
Source: Adapted from the reports of the CISWG of the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census of the Committee on Government Reform of the House of Representatives
Published: 2004

The Corporate Information Security Working Group of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census was convened by Rep. Adam Putnam (R-FL) to identify strategies that will produce meaningful improvement in the computer security of corporate America. Since approximately 85 percent of this nation’s critical infrastructure is owned or controlled by the private sector, it is important to improve the protection of corporate information systems from the threat of cyber attack and preserve the information assets that are stored in these systems.

 

According to Rep. Putnam, "Following hearings, interviews and meetings with private sector leaders, including IT and non-IT companies, I determined that information security was not a high priority matter for much of corporate America. The issue of information security is still viewed by many as primarily a technology issue, as opposed to a management and governance issue. Therefore, the matter is not sufficiently being reviewed or considered at the 'C' level of management, Board of Directors, or ownership level in the case of small and medium sized businesses." The CISWG was convened to address issues that would elevate the awareness of information security as a priority at the management level and to encourage private industry to voluntarily embrace information security as a key business issue. The CISWG was composed of representatives of both the public and private sectors. The CPA profession was represented by the American Institute of Certified Public Accountants.

The CISWG created subgroups that met independently of the full CISWG, deliberated on significant areas, and released recommendations in spring 2004. The reports of the groups that were released in March 2004 are as follows:

  • Incentives-Liability/Safe Harbor Working Group recommendations, which reiterated that voluntary commitment to information security by the private sector would be more effective than mandated compliance and identified ways to encourage and assist the private sector with voluntary efforts to adopt information security best practices.

  • Recommendations of the Procurement Practices subgroup, which explored ways that both the federal and private sectors could use their vast purchasing power to encourage software vendors to increase the security of their products.

The Best Principles and Guiding Principles subgroup continued refining its work and expanding upon its initial recommendations in order to improve their usefulness to the private sector. Its full report was completed in November 2004. The Best Principles and Guiding Principles subgroup also mapped existing voluntary security frameworks to look at the common elements and themes in these frameworks. See the report of best practices and metrics for more information on the subgroup's final recommendations.

Copyright © 2002 by the American Institute of Certified Public Accountants, Inc., New York, New York.