FREDERICK, MD. - An influential, industry user group is tackling a problem that has stumped many network executives: how to create an enterprise security architecture.

The Network Applications Consortium (NAC) plans to publish a document this summer that outlines the principle, policies, standards, technologies and processes necessary to protect a company's information assets. NAC's Enterprise Security Architecture addresses hot topics in cybersecurity such as governance, technology architecture and operations.

The document will affect how several major corporations - including Bechtel, Boeing, GlaxoSmithKline and State Farm Insurance - make network hardware and software purchases in the future, network executives at these companies say.

NAC members also plan to use the document to influence how key network vendors such as Cisco, Entrust, Microsoft and Symantec create security products. The consortium plans to embrace several security standards - selections have not been finalized - and urge vendors to adopt these standards.

Network executives from several multinational corporations last week participated in a two-day meeting to review and refine the latest draft of the security architecture document. NAC gave Network World a sneak peek at the document and an exclusive opportunity to interview NAC members about their cybersecurity efforts.

NAC's leadership says its Enterprise Security Architecture is the most important document the group has crafted in several years.

"This document is something that we hope will become a common reference point" for our members when they purchase and deploy security products, says NAC Chairman Fred Wettling, infrastructure architecture manager at Bechtel. "It's been a couple years since we've produced a document of this scope."

NAC started work on Enterprise Security Architecture last October, when member GlaxoSmithKline asked for help developing a comprehensive security architecture. A dozen NAC members have worked regularly on the document, which is in its 10th draft. NAC officials expect the document to be finalized by August.

"Everyone was in various stages of putting security architectures together," Wettling says. "State Farm Insurance was further along than the rest of us, but we were all grappling with this issue."

The document's goal is to create a framework that lets companies mix and match security products from different vendors while assuring interoperability and manageability.

The 59-page draft document outlines a framework that a company can use to ensure the confidentiality of information, integrity of data and the availability of IT resources. It is written for corporate decision-makers, such as network, IT and C-level executives.

The draft document doesn't detail what a company's security requirements should be or the types of security products it should deploy. Instead, it provides a methodology for managing information-security risks to an acceptable level and in a cost-effective way.

NAC members say they are struggling to define their own security architectures in the wake of mergers, acquisitions, joint ventures and other business dealings that require rapid and regular changes to network infrastructures. Meanwhile, viruses, worms and other attacks increasingly threaten corporate networks.

"Having a security architecture is a huge priority for us," says Bill Rocholl, first vice president for network technical services at Dutch banking conglomerate ABN AMRO. "We have a strategy and plan for security, but it's not as comprehensive as the one that's being developed here."

Rocholl says ABN AMRO has had a security strategy for two years and a corporate governance plan for four years. He plans to use the NAC Enterprise Security Architecture as an industry benchmark.

"We can validate, compare and do gap analysis to see if our strategies have any holes," Rocholl says. "This framework still needs to be developed, but hopefully it will be helping us solve problems that are three to five years out."