Commerce sets up IT security education program

The first step toward better information security in the government is to provide more training for the people responsible for keeping systems safe.That’s the approach being taken by Nancy DeFrancesco, chief information security officer for the Commerce Department. With DeFrancesco as the champion, the department is implementing an education and training program for its information security professionals that she hopes will develop into a center of excellence within the Security Line of Business initiative established by the Office of Management and Budget.DeFrancesco convinced the department last month to hire (ISC)2 Inc. of Palm Harbor, Fla., to provide courses for employees to earn designations as Certified Information Systems Security Professionals (CISSP), System Security Certified Professionals (SSCP) and Certification and Accreditation Professionals (CAP).“Education is a large part [of our IT budget] because I make it that way,” DeFrancesco said. “I have a commitment from the Secretary of Commerce [Carlos M. Gutierrez] that it’s important.”For the past two years, IT security professionals in the department had been using the Office of Personnel Management’s online learning center. But DeFrancesco wanted a broader course offering, and she wanted to give employees different ways to access materials.“Our component [agencies] were interested in instructor-led training, and, of course, people learn in different ways,” she said.Getting the funding to set up the educational program was a challenge, DeFrancesco said. Her office has a small budget; most information security funds are allocated to the department’s major program areas. To gain the funding, she persuaded component agencies, such as the Census Bureau, to contribute money to get it off the ground.“We had great participation—I was very surprised and pleased,” she said. “A solid education program is critical to reaching personnel in the department with significant information security responsibility.”John Mongeon, head of the government services division at (ISC)2, said that DeFrancesco’s push to set up training and education opportunities shows that “Commerce is dedicated to building the next generation of information security managers.”“Commerce is a pretty robust agency, with personnel all over the place,” Mongeon said.To accommodate the dispersed workforce, his company will be providing courses through several channels—classes on-site at Commerce headquarters in Washington, vouchers for employees scattered around the country to take classes off-site at (ISC)2 public education venues, and online classes.The first, one-day class, on the system certification and accreditation process, was held May 31 at Commerce headquarters. All the session’s 25 slots were filled and DeFrancesco already has a waiting list for the next offering. The department will hold a week of information security training the first week of August, and is planning to schedule other certification and accreditation classes in June and July.DeFrancesco said that she is hoping the information security education program will prove so successful that it can be established as a center of excellence in OMB’s Security LOB.A COE does not have to provide soup-to-nuts solutions for a particular line of business; instead, it can carve out a particular specialty. The Justice Department, for instance, last fall submitted a business case to OMB that its Cyber Security Assessment and Management system should become the standard tool for all agencies looking to track FISMA compliance.Sources said the Treasury Department and the Environmental Protection Agency also submitted business cases related to aspects of the Security LOB for fiscal 2007, but no decisions have been made about granting any of the applications.It might seem ironic for a department to aspire to host a center of excellence in security despite its poor Federal Infor- mation Security Management Act grades—under FISMA agencies are graded on their security measures and compliance, and Commerce has veered from F to C- to D+ over the past three years. But DeFrancesco said it’s appropriate, because everything starts with educating and training the people who bear the responsibility for implementing security.“I did participate on the task force for the information security LOB, [and I’m] very familiar with that particular initiative,” she said.DeFrancesco said it is too early to put together the business case application to submit to OMB. The education program first has to get up and running, and demonstrate its value to information security professionals.