Chief information officers examine unique requirements for government agencies.
An increasing emphasis on information security is prompting experts in the technology industry to follow the lead of the medical and legal professions, which feature a system of specialties and subspecialties. One major accreditation organization is taking a closer look at the government sector and addressing the distinct circumstances of information security specialists in that arena. Once specific issues are identified, they could affect the certification process as well as influence public policy.
Compared with other professions, the staff structure in the information technology field is still in its formative stages. Recognizing the value of communication systems to business, large companies have established sizable teams of network administrators, Web page designers and technology troubleshooters. But in many firms, systems management is but one of a long list of items on a job description. The people in charge of computers often are those who can make their way around a hard drive and install software when called on to do so.
However, information security has broken out of the generalist’s domain, with certification being offered in the area for nearly a decade. The International Information Systems Security Certification Consortium, or (ISC)2, Framingham, Massachusetts, provides professionals in the field with a standard for certification that is based on its Common Bodies of Knowledge, a compendium of industry best practices for information security professionals. Individuals who meet the criteria and pass rigorous testing become certified information systems security professionals (CISSPs).
To address the special challenges security personnel in the public sector face, the consortium recently established the Government Advisory Board for Cyber Security. The board comprises 13 senior-level U.S. civilian agency and national security managers from organizations such as the Department of Veterans Affairs, U.S. Justice Department, Defense Information Systems Agency, National Security Agency and U.S. Department of Homeland Security. Board members will conduct informal discussions throughout the year and are scheduled to meet three times annually in formal sessions. Advisory board members are likely to take projects back to their individual agencies to develop them.
Lynn McNulty, principal, McNulty Associates, McLean, Virginia, and a member of the (ISC)2 board of directors, is co-chairman of the advisory board. He explains that the group was created as a forum for information security practitioners. “It’s my experience that the people in the information security field are underrepresented and underappreciated. We wanted to be able to gather the views of people who hold our CISSP credential and also occupy leadership positions within the federal bureaucracy and take those views as input for ourselves and our credential program. At the same time, we want to be able to articulate those views in public policy forums that we attend.
“The issue of certification has received growing notice at the higher levels of government. The October 1992 executive order talked about the need to professionalize the information technology security work force, and certainly that got our attention. And the various versions of the National Strategy to Secure Cyberspace talk about the role that certification can play in improving the quality of the information security work force,” McNulty says.
Co-chairing the advisory board with McNulty is Bruce A. Brody, associate deputy assistant secretary for cyber and information security, Department of Veterans Affairs. Brody says that the advisory board is going to help the consortium in two ways. He agrees with McNulty that with information from government representatives the consortium will be able to enhance the existing certification program and perhaps tailor it for government purposes. “It also will provide us [government information security professionals] with some interesting feedback from (ISC)2 in terms of what it takes to professionalize and certify a large segment of the work force and establish a minimum body of knowledge necessary to do the job. So it’s a good cross-fertilization of both (ISC)2 and the government,” Brody relates.
The co-chairmen of the advisory board bring a wealth of government experience to the group. McNulty was the associate director of computer security at the National Institute of Standards and Technology and the U.S. State Department’s first director of information systems security. Brody served as director of the information superiority investment strategy for the U.S. Defense Department prior to moving to his current position. In addition, he directed intelligence, surveillance and reconnaissance capabilities studies for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
From their own work in the security field, the two identify several areas that pose a risk to information assurance. Brody believes that vulnerabilities in commercial software present the primary day-to-day threat to information security. “Whenever you hear of a virus or a denial of service attack, what you’re really hearing is that someone out there has been able to exploit a vulnerability that exists in commercial software. And those vulnerabilities—and our constant struggle to find them and patch them and ward off those problems associated with exploiting them—that’s the daily existence of someone in my position. That takes a lot of time,” he says.
McNulty adds that securing networks in a global environment while managing increasingly complex systems is another challenge that information security professionals face. “At the same time, people who work in this field are being told that they have to manage risk. They cannot take a risk avoidance posture, but they have to be able to manage risk. How do you get your arms around the global environment—anyplace in the world—when all kinds of different connectivity formats are being used?” he says.
In addition to these overarching challenges that all information security professionals face, agency security personnel must address government-specific issues, McNulty and Brody agree. “Number one, they face a lot more oversight than anybody in the private sector,” McNulty says. “Very few private sector personnel have the people from the GAO [Government Accounting Office] looking over their shoulders. Very few are called to congressional hearings and are given a report card.”
Brody points out that in the information security field, the gold standard for professionalism is the CISSP; however, it is a broad standard that applies to personnel who work in industry as well as the government. “When you come into the government, some of the unique rules, regulations, legislation, policies that exist in the government create yet another set of specialties and sets of knowledge that need to be acquired. And that’s different than the general CISSP. Maybe what needs to be established is something like a ‘CISSP for government’ in which our unique body of knowledge in addition to the universal body of knowledge is tested, and information security professionals are tested and certified against that,” Brody says.
The beauty of the diversity of the advisory board, Brody emphasizes, is that there is enough representation from across the government to sort out the many issues that federal security professionals must address. However, board members from each department also will bring their specific issues to the table, which may indicate that a general certification even for government personnel is not enough. A need could exist to have yet a third grouping that would address the unique security requirements of specific agencies, he adds.
“I don’t know the answer to that, and I think that’s one of the things this board will help us get the football moving down the field on,” Brody relates. “I’m convinced that at some point a governmentwide certification will be a very doable and very useful thing. What we need to be careful of is that, in the process of certifying information security practitioners around the government, we don’t lose sight of the uniqueness of each of our individual environments.”
Brody offers a personal example. At Veterans Affairs, 90 percent of his department is devoted to health care issues. The information security concerns in this environment may be entirely different from those in the aviation field or in a treasury agency, he says. “And that’s what we need to know. That’s why I think we can add some value with this board.”
McNulty points out that the National Strategy to Secure Cyberspace (SIGNAL, April, page 33) indicates that the government should lead by example. Federal departments’ information security problems are well documented, he says. “We think that a lot of these problems involve the need to obtain the best professional information security management. Our new motto is that security is more than just technology. We want to provide the certification programs that will demonstrate to Congress and to outside observers that people who work in the information security technology profession are qualified and competent and come to the job as problem solvers who can deliver cost-effective solutions for federal agencies. We also want to promote the fact that information security is now a separate and distinct profession,” he adds.
Because the commercial sector focuses on the bottom line, investments in strengthening information security and educating the information security work force are more difficult to justify, Brody relates. However, in the government, and particularly in the military, information superiority is viewed as an enabler and force multiplier, so justifying spending more money on security is easier.
Although the advisory board has conducted only its first meeting, Brody is confident that some of the high-priority issues will surface in due time, and the agendas of future meetings will be based on those items. Experts who are not on the board may be asked to speak to these issues so that board members can get a complete picture of the details surrounding a topic. Board members will then take recommendations to leaders in their own agencies as well as share them with the (ISC)2 board of directors.
Brody is open-minded about what the priorities should be for the advisory board, but he predicts that determining how agencies can educate their work force and bring all information security specialists to a designated level of performance across the government will probably be one of the key issues board members discuss. A governmentwide certification could be the second focus topic. Current security problems will almost certainly be a subject of conversation as this information could help determine the particulars of certification. Finally, agency-specific problems will be discussed so that best practices can be shared.
In the area of professionalizing the information security work force, Brody says a lot is going on in industry that can be helpful. This is especially true in areas where the commercial sector is collecting knowledge about vulnerabilities, threats, attacks, defenses and technologies that can be employed to address these. McNulty points out that the advisory board is interested in hearing the opinions of commercial contractors since contractors who work on government projects might have feedback concerning the implications of federal regulations that affect them.
Within the next year, Brody would like the advisory board to have at least an idea of the common body of government knowledge in security and perhaps a program in place to test against this body of knowledge. Potentially, several individuals might already be certified in this particular area. “I don’t think a year from now that would be too difficult. And I would be willing to dedicate the appropriate level of resources to that from my own department,” he says.
After the advisory board has been fully established, McNulty says the consortium intends to add members from state and local governments. In addition, (ISC)2 is considering forming additional advisory boards that would comprise representatives from the private sector, specific countries or designated regions.
Additional information on the International Information Systems Security Certification Consortium is available on the World Wide Web at http://www.isc2.org.