Commerce sets infosec policy
- By Colleen O'Hara
- Jan 26, 2003
The Commerce Department chief information officer last week issued the first departmentwide information technology security policy that sets comprehensive ground rules for protecting and accessing the department's systems.
The policy explains the department's IT security program requirements and provides guidance on the implementation of IT security programs within Commerce.
The department has been making progress on IT security since receiving critical reports from the General Accounting Office and Congress in 2001 and 2002, said Thomas Pyke Jr., the CIO at Commerce. For instance, the department now conducts vulnerability testing of its own systems and provides training in IT security for employees and contractors.
However, enhancing IT security is an ongoing process, Pyke said. "We have to be constantly vigilant."
The policy lays out in detail such things as IT security roles and responsibilities and controls that must be included in the department's IT security programs, such as risk management and contingency planning.
Commerce operating units may take the policy and develop more detailed supplemental guidance for their employees, Pyke said.
Pyke said he has asked the heads of operating units and CIOs in the department to notify the Commerce IT security program manager by June 30 that they have met the minimum mandatory standards laid out in the policy or that they will meet them by Sept. 30.