FAA infosec workers get lift
- By Paula Shaki Trimble
- Sep 18, 2000
The Federal Aviation Administration is offering its information security
workers a well-rounded education.
As part of its overall effort to audit the agency's computer systems
and train security professionals, the FAA recently hired the International
Information Systems Security Certification Consortium Inc. (ISC2), an international
certification body, to provide training that keeps FAA workers in line with
Key FAA information security professionals will be able to take Certified
Information Systems Security Practitioner (CISSP) classes and decide whether
to take an exam that will certify them, said Raymond Long, director of the
FAA Office of Information Systems Security.
The CISSP training program is geared toward the generalist in information
security, rather than specific software or FAA needs, Long said. The FAA
also will offer certain employees more FAA-specific information security
training on an ongoing basis, he said.
The training will help the agency meet goals described in the Transportation
Department's Strategic Plan for 2000-2005, released Sept. 7. Among the FAA's
first milestones for 2000 are distributing an FAA Information Security Concept
of Operations, finalizing a long-term plan for the deployment of its Computer
Security Incident Response Capability and ensuring that 100 percent of
FAA employees receive general information security awareness training and
that 60 percent of systems administrators receive specialized security training.
The FAA operates a large portion of the 110 infrastructure-critical
systems identified at DOT. In addition, the wide variety of computer viruses
and vulnerabilities in common commercial software has placed extra burdens
on IT security workers at all agencies.
"There is a great benefit to having them at least take the class," Long
said. "A lot of times people say people in government aren't on the level
of industry. This puts us on level footing for our CISSPs to work with
other vendors who have the same rating."
The CISSP exam proves that a worker is competent in setting complex
policies and has a broad knowledge of information security, said Jim Duffy,
managing director of the ISC2. For instance, the course teaches someone
how to write a firewall policy. There are about 3,000 CISSPs worldwide,
"As computer systems become more complex, management needs to be confident
the people they are employing to install baseline security systems are competent,"
Duffy said. "Two years ago it was 'CISSP desired,' but now we're seeing
it more and more required."
A great deal of energy is being devoted in industry and in government
to improving information security, said Alan Paller, director of research
at the System Administration, Networking and Security Institute. The institute
offers a training and certification program for system administrators, who
then have access to the institute's Global Incident Analysis Center.
As of last year, there were 72 million named machines on the Internet,
which means they always keep the same IP address, Paller said.
"Every one of those needs to be tightly secured because the vendors
put out software on those machines that has known vulnerabilities," Paller
said. However, few people managing those machines know how to plug the holes.
The FAA wants to have ISC2 offer six training events for about 40 employees
at a time. The exam has an 80 percent to 90 percent pass rate, he said.