As CIOs seek qualified consultants and staff to shore up security in response to federal warnings of potential cyberterrorism, a small, inconspicuous Web site could come in handy.

Though light on content, the simply designed, nearly black-and-white Information Systems Security (INFOSEC) Assessment Training and Rating Program (IATRP) site provides contact information for security professionals who have completed the National Security Agency (NSA)-sponsored INFOSEC Assessment Methodology (IAM) course. The site is sponsored and run by NSA.

Currently 220 of the nearly 700 professionals who have completed the two-part IAM program have site listings that include name, phone number, e-mail address, and date of completion. According to NSA, the gap between the public listing and the total number certified exists because professionals must return a waiver before they can be listed on the site.

Separate from NSA’s primary Web site, the IATRP site states clearly that a professional’s listing does not constitute an endorsement or recommendation of services by NSA or any other government agency, nor does it serve as proof of an individual’s experience level.

What the IATRP is all about
The IATRP’s first phase consists of IAM classes intended to transfer government-developed assessment methodology to the private sector. The two-day course was originally developed by NSA to train Department of Defense organizations to perform their own INFOSEC assessments.

The course is designed for experienced Information Systems Security (ISS) analysts who conduct or are interested in conducting INFOSEC assessments of government information systems. The course teaches NSA’s INFOSEC assessment standards, a high-level, nonintrusive process for identifying and correcting security weaknesses in information systems and networks.

The rating part of the IATRP lets service providers request appraisals and receive ratings that reflect the maturity of the provider’s process for performing INFOSEC assessments.

According to the short IAM program description, the site’s purpose is to distribute information about the program and ultimately to provide a list of INFOSEC assessment service providers that use the standardized methodology and have received a rating. Government customers seeking INFOSEC assessment services can then review the IAM documents and decide whether an INFOSEC assessment is required.

Finding certified providers will be quick
None of the seven certified companies is listed on the site yet, though NSA hopes to post that information once the service providers authorize publication.

One of them, Backbone Inc., a Fairmont, WV, security firm, is looking forward to its IATRP site debut in the next few months.

“We consider it as very significant,” said James E. Wingate, CISSP, Backbone’s director of information assurance, noting that Backbone is the newest and smallest of the six certified companies.

“I believe the IAM and IA-CMM are very significant in terms of providing a baseline standard for the conduct of an INFOSEC assessment. It gives potential clients and customers a means to determine the credentials of a security firm that they may be considering doing business with,” Wingate said.

“There are a lot of companies who have ‘hung out their shingle’ as a security firm over the past couple of years, and more and more are doing it each day. However with the emergence of the IAM, there are now only seven companies that have adopted and us[e] the IAM and IA-CMMS for conducting assessment,” he explained.

Publicity is a win-win for professionals, customers
Jack Ward, who works in Computer & Hi-tech Management’s (CHM) IT security group, says the certification gives the industry better corporate services and standards and that the site helps alert both companies and industry professionals to the IAM course opportunity.

“I took the training to learn the system and to be able to assure my customers, which are government customers, that I had been ‘certified’ in this widely valued and endorsed system. The training and the support post-training has more than lived up to these expectations,” said the security professional, who has also earned his MCSE+I and CCNA.

Based in Virginia Beach, VA, CHM recently won a $7.8 billion contract for technical support at HUD as well as two IT contracts with the National Institutes of Health.

The IATRP site, Ward noted, has grown from a basic course listing and overview to detailed course explanations and the listing of certified professionals. Ward, whose company is evaluating the IA-CMM certification, believes the site will help push certification ahead.

“As an INFOSEC professional, I believe this kind of certification and preparation is just the thing this industry needs to promote better corporate services and standards,” he said, adding that he also uses the site to find course colleagues.

One IAM-certified security analyst, who conducts client testing and evaluations for a leading El Segundo, CA, services provider, thinks the listing benefits both professionals and customers seeking expertise.

“I think publicizing qualified individuals is a positive thing,” said the security analyst, who requested anonymity. “It’s my opinion that only a small sector of the IT community is aware of IAM/IACMM and thus may find less value in the site because of a lack of knowledge on what the qualifications of the listed professionals are. Unlike other programs, IAM professionals do not identify themselves as IAM-certified professionals like others, such as the CISSP, SCCP, MCSE,” he added.

It’s clear that site design isn’t a priority
The IATRP site essentially has four pages:

  • A homepage that explains the IATRP as well as the INFOSEC Assessment Capability Maturity Model (IA-CMM)
  • An IAM page that explains the course, requirements, and registration information
  • The certified professionals listing page
  • A nearly blank page except for IA-CMM contact information

Future enhancements to the site, last revised this August, include posting the complete IA-CMM model description as well as IAM course materials. The site, launched in April, will also soon include IAM course dates and locations.

When the security certification initiative was first launched in 1999, program information was housed on NSA’s primary Web site.

How do you find security expertise?

When you’re seeking a particular kind of certified professional, what Web sites or information sources do you turn to? Share your resources with the TechRepublic CIO community.