FAA infosec workers get lift

The Federal Aviation Administration is offering its information security workers a well-rounded education.

As part of its overall effort to audit the agency's computer systems and train security professionals, the FAA recently hired the International Information Systems Security Certification Consortium Inc. (ISC2), an international certification body, to provide training that keeps FAA workers in line with industry standards.

Key FAA information security professionals will be able to take Certified Information Systems Security Practitioner (CISSP) classes and decide whether to take an exam that will certify them, said Raymond Long, director of the FAA Office of Information Systems Security.

The CISSP training program is geared toward the generalist in information security, rather than specific software or FAA needs, Long said. The FAA also will offer certain employees more FAA-specific information security training on an ongoing basis, he said.

The training will help the agency meet goals described in the Transportation Department's Strategic Plan for 2000-2005, released Sept. 7. Among the FAA's first milestones for 2000 are distributing an FAA Information Security Concept of Operations, finalizing a long-term plan for the deployment of its Computer Security Incident Response Capability and ensuring that 100 percent of FAA employees receive general information security awareness training and that 60 percent of systems administrators receive specialized security training.

The FAA operates a large portion of the 110 infrastructure-critical systems identified at DOT. In addition, the wide variety of computer viruses and vulnerabilities in common commercial software has placed extra burdens on IT security workers at all agencies.

"There is a great benefit to having them at least take the class," Long said. "A lot of times people say people in government aren't on the level of industry. This puts us on level footing for our CISSPs to work with other vendors who have the same rating."

The CISSP exam proves that a worker is competent in setting complex policies and has a broad knowledge of information security, said Jim Duffy, managing director of the ISC2. For instance, the course teaches someone how to write a firewall policy. There are about 3,000 CISSPs worldwide, he said.

"As computer systems become more complex, management needs to be confident the people they are employing to install baseline security systems are competent," Duffy said. "Two years ago it was 'CISSP desired,' but now we're seeing it more and more required."

A great deal of energy is being devoted in industry and in government to improving information security, said Alan Paller, director of research at the System Administration, Networking and Security Institute. The institute offers a training and certification program for system administrators, who then have access to the institute's Global Incident Analysis Center.

As of last year, there were 72 million named machines on the Internet, which means they always keep the same IP address, Paller said.

"Every one of those needs to be tightly secured because the vendors put out software on those machines that has known vulnerabilities," Paller said. However, few people managing those machines know how to plug the holes.

The FAA wants to have ISC2 offer six training events for about 40 employees at a time. The exam has an 80 percent to 90 percent pass rate, he said.
