How the <strong>State</strong> <strong>of</strong> <strong>Florida</strong> Builds Information SecurityExpertise Despite Escalating Risk and Tight Budgets.CHALLENGETraining and education have always been atop priority for the <strong>State</strong> <strong>of</strong> <strong>Florida</strong>’s Office<strong>of</strong> Information Security (OIS) within theAgency for Enterprise Information Technology(AEIT). The (OIS) was established immediatelyfollowing the events <strong>of</strong> 9/11. Its mission? To helpthe <strong>State</strong>’s executive branch agencies addressWith training as an integral factor in thesuccess <strong>of</strong> each focus area, the OIS laid out anaggressive and detailed training and educationprogram for its information security staff. Infact, its training plan is mapped out in a comprehensivethree-year matrix that illustrateshow the <strong>State</strong> will leverage its workforce tomeet federal, state and private informationcyber security issues and to ensure statewidesecurity standards.Helping state agenciescomply with all requirements such as HIPAA,PCI, and those set forth by the U.S. Department<strong>of</strong> Homeland Security (DHS) is critical tothe Office and AEIT’s success.compliance with Federal and <strong>State</strong> securitystandards. Even though legislation points theefforts <strong>of</strong> the OIS toward the executive branch<strong>of</strong> government, the courts, the <strong>Florida</strong> Legislature,cities, counties and municipalities arewilling participants.With technology evolving at what seems tobe the speed <strong>of</strong> light, how does AEIT keep itsThe Office’s five focus areas related to enterpriseinformation security are:information technology staff up-to-date onbest security practices?• Policy• Training• Risk management• Incident responseAnd in light <strong>of</strong> budget cuts, how does AEITmaintain its expertise in protecting critical,proprietary information?• Survivability1
SOLUTIONEstablish GoalsFirst, AEIT worked with the Information SecurityManager community within state agenciesto identify business requirements that needto be addressed, such as staff pr<strong>of</strong>essionaldevelopment goals.“One <strong>of</strong> the most valuable education programsthe <strong>State</strong> has engaged in has been CISSP ® CBK ®Review Seminars and examinations,” said Russo.“We stress this certification because it requiresour experienced managers to have a deepunderstanding <strong>of</strong> the latest, up-to-date informationon the full spectrum <strong>of</strong> security-relateddevelopments and topics.”“We determined which standards and certificationswould best meet our needs and puttogether a program that would take us there,”said Mike Russo, CISSP, and Chief InformationSecurity Officer (CISO) for the <strong>State</strong> <strong>of</strong> <strong>Florida</strong>.The <strong>State</strong> began <strong>of</strong>fering CISSP CBK ReviewSeminars to a select group <strong>of</strong> its pr<strong>of</strong>essionalstaff in 2004. This year, it contracted with(<strong>ISC</strong>) 2® to provide a CISSP Review Seminarand examination for 25 employees from many“We are constantly on the watch for emergingareas that require staff training. “In fact,” saidRusso, “the <strong>State</strong> <strong>of</strong> <strong>Florida</strong> was one <strong>of</strong> the<strong>of</strong> the <strong>State</strong>’s executive agencies, as well asLegislative, Inspector General and AuditorGeneral <strong>of</strong>fices.first to <strong>of</strong>fer training for ethical hacking andincident response.”“If we had more domestic security grant funds,we would have doubled the number <strong>of</strong> participants,”said Russo. “It’s critical for all <strong>of</strong> ourtechnologists, and those who fund, regulate andaudit them, to understand what the latest bestpractices are, and why we do what we do.”Russo says that the <strong>State</strong>’s security educationprogram focuses on national and internationalcertifications because they provide a globallyrecognized, independent and objective demonstration<strong>of</strong> an individual’s level <strong>of</strong> competence.Finding Funding“We try to help staff attain credentials in manyareas. It takes a well-rounded body <strong>of</strong> knowledgeto function effectively.”Millions <strong>of</strong> dollars <strong>of</strong> federal security funds areavailable to every state through the DHS, butthere is no uniformity in how states go about2