Feds to push security from talk to action

A program started at an agency as a way to collect and teach information security best practices will be spread across the federal government with the backing of the CIO Council and the General Services Administration.

The U.S. Agency for International Development's Model Information Systems Security Program (MISSP) is intended to help agencies move beyond reading about the practices and policies that improve the security of computer systems to deploying and enforcing practices through training and real-world experience.

Best practices are the basis of MISSP, but the program focuses on education and training. The methods and practices are used already in USAID offices in South America and Egypt, and it is this practical field experience that the program wants to emphasize, said Artch Griffin, an agency expert at the GSA Office of Governmentwide Policy's Information Technology office and an MISSP advocate.

"It is a matter of binding [best practices] with training, education and, in some cases, toolkits," Griffin said. "It's extremely important that you don't just tell people how to behave properly, you give them examples, education and reasons why they should behave that way."

James Craft, a USAID information systems security officer who heads up MISSP, was unavailable for comment.

USAID plans to create training that it can use worldwide through distance-learning technology. This includes a "learning laboratory" in which administrators can test security implementations on a neutral system rather than risk experiencing the problems that can occur with a live test on an agency network, Griffin said.

USAID began developing the program because it did not have the expertise or resources in-house that many department-level agencies have to create a full security program. "We're going to endorse that now as a governmentwide effort," said John Gilligan, co-chairman of the council's security, privacy and critical infrastructure committee. "We're going to open the door and get information from agencies on their best practices."

Many agencies are beginning to focus on security because of recent embarrassing World Wide Web site defacements, increased congressional oversight and Presidential Decision Directive 63, which requires agencies to develop plans to protect critical computer systems. To provide direction on security, the National Institute of Standards and Technology, the General Accounting Office and other organizations have released several best practices guides and papers, including a draft from the GAO earlier this month covering risk assessment.

But many agencies, especially smaller ones, have approached the CIO Council asking for more direction, Gilligan said. "They'd like something that's a little more of a cookbook," he said.

The backing from the CIO Council and GSA gives the program a basis for its governmentwide push and USAID's efforts to gather information from many different agencies, Griffin said.