Where to go
Federal, state and local technology
officials have a number of evolving
and existing training resources to help with cybersecurity plans. Here are some that they consider to have the most
— The Homeland Security Department (www.dhs.gov) has consolidated a number of formerly independent cybersecurity agencies under its umbrella.
— The Information Analysis and Infrastructure Protection Directorate (IAIP) now incorporates the former National Infrastructure Protection Center and the Critical Infrastructure Assurance Office (www.ciao.gov). CIAO-related projects include help for federal entities in analyzing the strength of their critical infrastructures, including information technology systems, and information on how to protect systems from cyberattacks.
— Also within the IAIP is the National Cyber Security Division (www.dhs.gov/dhspublic), which will identify and offer ways to mitigate IT vulnerabilities. NCSD will send out warnings about impending threats to computer networks and offer technical assistance to keep systems up and running if an assault occurs. In September, DHS officials appointed Amit Yoran, formerly a Symantec Corp. vice president, as the division's director.
— Federal Computer Incident Response Center (www.fedcirc.gov), also within IAIP, reports IT security incidents. An associated resource, the Patch Authentication and Dissemination Capability, lets security officials download authenticated software patches to plug security holes in applications, operating systems and network components.
— InfraGard (www.infragard.net), a combined effort led by the FBI and other public and private agencies, offers federal, state and local law enforcement officials training in computer intrusion vulnerabilities and network security analysis. The group also collects and investigates cyberassaults and distributes e-mail alerts of cyberattacks.
— The National Cyber Security Alliance, a collaboration between DHS and industry, operates Stay Safe Online (www.staysafeonline.info), a Web site with basic security education that is becoming a model for state projects to raise security awareness among employees.
— The National Institute of Standards and Technology's Computer Security Division (www.csrc.nist.gov) is a wide-ranging source for workshops related to developing computer security standards and guidelines, as well as best practices summaries, a database of known vulnerabilities in commercial hardware and software, and their patches.
NIST also is responsible for developing and posting for public review standards relating to the Federal Information Security Management Act, a set of
guidelines for securing federal IT systems. According to Edward Roback, the division's chief, the organization also staffs a SWAT team that can help agencies review their security programs and advise them on how best to invest IT security funds. The latter services are fee-based,
depending on the scope of the individual assessment.
— Also within NIST is the Federal Computer Security Program Managers' Forum, a group of approximately 500 federal IT officials that meets six times a year to discuss security issues. E-mail communications throughout the year enable federal officials to share security problems and discuss solutions. Although the forum is closed to those outside the federal government, it supports the Federal Agency Security Practices Web site (www.csrc.nist.gov/fasp), a clearinghouse for security policies and procedures tested and in use by federal agencies that may be models for state and local efforts.
— The IT Information Sharing and Analysis Center (www.it-isac.org) is a 2-year-old effort by about 25 IT companies to share information about security threats, responses and best practices with state and local IT authorities. It partners with the National Association of State Chief Information Officers (www.nascio.org) to disseminate information to state CIOs.
— The Software Engineering Institute (www.sei.cmu.edu) is based at Carnegie Mellon University and sponsored by the Defense Department. Among its course offerings are classes for IT managers and their technical staff in creating security response teams to react to and prevent attacks. The university is also part of a newly announced initiative with DHS called the U.S. Computer Emergency Response Team (www.us-cert.gov), which is chartered to develop detection tools and dispense security information via the Internet. US-CERT plans to create a cybersecurity tracking center to aid in responding to attacks.