Information security and the outsider, Part 2

The long view of security strategies for your network.

In this two-part series, guest writer Lt. Col. Robert E. Jennings, vice commander of the New Jersey Wing of the Civil Air Patrol and a leader of the service delivery managers in Dell’s ProSupport organization – looks at how the U.S. government is working with semi-official volunteer organizations. In this part, he looks more closely at how Civil Air Patrol, the all-volunteer, civilian auxiliary of the U.S. Air Force, introduced more rigorous information security practices to better serve new domestic missions from the government.

The remainder of this column is entirely Lt. Col. Jennings’ work with minor edits.

* * *

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

In this two-part series, guest writer Lt. Col. Robert E. Jennings, vice commander of the New Jersey Wing of the Civil Air Patrol and a leader of the service delivery managers in Dell’s ProSupport organization – looks at how the U.S. government is working with semi-official volunteer organizations. In this part, he looks more closely at how Civil Air Patrol, the all-volunteer, civilian auxiliary of the U.S. Air Force, introduced more rigorous information security practices to better serve new domestic missions from the government.

The remainder of this column is entirely Lt. Col. Jennings’ work with minor edits.

* * *

The orientation of Civil Air Patrol (CAP) used to be easy and straightforward. As the congressionally chartered auxiliary of the U.S. Air Force, CAP performed most of the inland search and rescue in the United States on behalf of the Air Force and provided aviation, communications and people assets in relief of disasters. In the 1990s, CAP began using its light aircraft fleet to provide reconnaissance of domestic drug growth for federal, state and local law enforcement agencies.

9/11 was a transformational event for every government organization and person concerned with information security. CAP aircraft were the first non-military planes in the air after the attacks, using high-resolution digital cameras and satellite uplinks to transmit images of Ground Zero and other areas of interest to National Command Authorities. Since 9/11, CAP’s missions have grown to include more homeland security elements, focused around their unique aviation capabilities.

Traditional information security in the federal government is based on a series of U.S. Code and Executive Orders that have evolved since World War II. Information can be classified as Confidential, Secret or Top Secret, with a number of modifiers such as compartmentalization or nuclear weapons design. While not an official part of the current classification structure, there are administrative designations for unclassified information, such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU).

The level of access that a person can have to classified information in the U.S. is based on the level of investigation they are put through. Anyone who enters the military receives a National Agency Check (NAC) and is usually cleared to handle information classified as Confidential. A NAC investigation also generally permits interim access to Secret information, while a more thorough Background Investigation (BI) is performed, which generally takes 4 to 6 months. A successful BI allows access to Secret information and certain Top Secret material. For more highly sensitive material, such as nuclear weapons, encryption and high-resolution satellite imagery, a more extensive Special Background Investigation (SBI) is conducted, which can take up to a year. The U.S. government is exempt from the Employee Polygraph Protection Act, and certain high-level positions in the defense and intelligence communities require successful completion of a polygraph test.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.