Security tests for employees scrutinized at conference

BALTIMORE -- At the National Security Agency, the U.S. government's secretive intelligence gathering arm, employees are required to pass a test to show basic understanding of information security policy and procedures. Failing the test may result in a loss of an e-mail account and system access rights.

It's no idle threat, says U.S. Air Force Col. John Whiteford, the deputy CIO at the NSA. All employees -- from the agency's director on down -- must complete the Web-based information security training course, which is followed by a 25- to 30-question, multiple-choice online test. If they fail, they take it again. So far, no one has lost his access rights, said Whiteford.

"We expect [NSA employees] to have basic competency and security awareness," said Whiteford. "We insist that our employees pass the test." The NSA started the program about a year and a half ago as part of general program to improve information security.

It would be difficult to find disagreement among the security professionals attending the annual government-sponsored National Information Systems Security Conference here this week on the need to provide employees with some basic information security knowledge. But finding agreement on the value of taking a test to prove that you have those skills was something else all together.

"It's certainly better than nothing," said Jon David, assistant vice president for security engineering at Lehman Brothers Inc. in Jersey City, N.J., of the NSA's security testing plan. But he said online tests were ripe for abuse -- an employee could seek the help of a friend, for example -- and he pointed out that there's a risk that an employee might resent taking the test "and deliberately not help afterward."

Eugene Spafford, director for the Center for Education and Research in Information Assurance and Security at Purdue University in West Lafayette, Ind., said testing has its limits.

"The key to good education of any kind is practice and repetition," he said. Testing "is the weak link in most self-paced instruction. If you don't go back and repeat the testing or repeat the previous material, there is a danger that you lose some of that."

David said he faces a twofold training task. First, he wants management to understand the importance of keeping security current. "People seem to feel that security is something you buy -- it's not a product, it's a process -- you work on it."

Second, David said he must ensure that all employees are aware of basic security practices, such as protecting their passwords or not leaving their machines on while they're away from their desks. He said he prefers to rely on employee professionalism to instill compliance, but he also has system-monitoring tools and logs to keep an eye out for security breaches.

"I like professionalism and Big Brother," said David.

But some tests are effective. The U.S. Justice Department has been using penetration testing to improve its security procedures and to search for vulnerabilities. The testing is raising management's awareness of the need for good security, said Linda Burek, deputy assistant attorney general for information resources.

The penetration testing results "scare [senior managers] quite a bit," Burek said. "That has been one of the most effective things we have done," she said.

Related links:

  • For more security coverage, visit our Security Watch page.
  • Have opinions on security issues? Head to the forums. (Note: Registration required to post message; anyone may read messages. To register on Computerworld's forums, click here).

Copyright © 2000 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon