Four Share Educator Award
De Zafra, Tressler, Pitcher, and Ippolito Win 1997 Award
The 1997 Educator of the Year (EOY) award was given jointly to the four
co-authors of NIST Special Publication 800-16 Information Technology
Security Training Requirements: A Role- and Performance-based Model.
Winners are: Dorothea de Zafra (Senior Program Analyst and Science
Education Program Coordinator, Office of Collaborative Research Activities,
National Institute on Alcohol Abuse and Alcoholism, National Institutes
of Health); John Tressler (Computer Security Officer, Office of
the Deputy Chief Information Officer, Department of Education; Sadie
Pitcher (Information Technology Security Manager (retired), Department
of Commerce); and John B. Ippolito (Director, IT Security Services,
Allied Technology Group, Inc.).
In nominating the first FISSEA group award, the nominator (who prefers
to remain anonymous) wrote: The recent completion of the "final draft"
of the training guideline which will replace NIST Special Publication 500-172
(Computer Security Training Guidelines) marks a major milestone in FISSEA's
growth as a professional organization. FISSEA can take great pride
in the fact that it served not only as a catalyst for the development of
this critically needed successor guideline, but also chartered a working
group to actually produce it. This guideline, "Information Technology Security
Training Requirements: A Role- and Performance-based Model," will soon
be issued as NIST Special Publication 800-16. It could not have been
completed without hundreds of hours of hard work and personal sacrifice
on the part of the FISSEA working group which produced it after more than
four years of intensive effort. Working drafts of this guideline
already have won wide acceptance and, as a result, the publication will
serve as a true "training road-map."
In addition, efforts undertaken with the national security community
during the development process have allowed their needs to be addressed
directly and incorporated seamlessly into the final product, offering the
hope that a single document will serve as the training reference in both
defense and civilian agency communities.
Therefore, it seems fitting that the FISSEA working group which developed
the new training guideline be recognized as recipients of the FISSEA "Educators
of the Year Award" to be awarded in March, 1998. These individuals, who
are the first to point to the many contributions which their colleagues
outside of the working group have made to it, truly have achieved a remarkable
accomplishment. They have worked together as a team in an exceedingly effective
manner, and this document could not have been completed without their individual
and collective contributions. In fact, it is because of the sustained,
unique and crucial synergy developed by and among the four working groupmembers
that it is possible only to nominate the entire team.
Now that NIST Special Publication 800-16 is being readied for publication,
its full significance will become readily apparent. For the first time,
it is expected that role-based training modules can be developed reliably
and completely. The distinction between awareness and training will be
clear to all. The lucid description of a learning continuum, with levels
of learning, has received much attention and will serve as a model to other
educators in diverse fields. Because of the very detailed outlines for
developing training modules at the "Basics and Literacy" levels, as well
as at the higher levels of role-based training, IT Security professionals
will be equipped to develop and conduct training courses and materials
with confidence, reproducibility and cohesion across organizational lines.
As well, they are encouraged directly to evaluate both individual courses
and the overall IT security training program, thus documenting in business
terms the benefit of the educational investment. Finally, because of its
extensibility, the training guideline will be able to serve the IT Security
profession for years to come.
Beyond the excellent technical content, this document also holds
a compelling and formidable challenge for us, the IT Security community,
to embrace the distilled concepts, follow the "road-map" and add
our own energy and imagination to do something truly bold. For me, that
bold something is the building of a common understanding, not only among
ourselves but between and among Human Resources professionals, managers
and IT auditors, that the information and strategy contained in the document
are sound and are an appropriate basis for elaboration of "best practices"
which should infuse job descriptions, personal evaluations / training plans,
and formal audit procedures. In its elicitation of a response to this challenge,
the document may well accomplish the outcome most prized by all educators:
to change individual behavior for the better.
The FISSEA community offers its sincere thanks and warm congratulations
to the 1997 award recipients!
The Educator of the Year award recognizes an individual for his or her
accomplishments in information systems security training and education.
Individuals are nominated and selected based on the justification provided
with the nomination. Nominations are judged on 1) originality and uniqueness
of the activities undertaken by the nominee; 2) extension of benefits beyond
the nominee's organization; 3) scope of the activities; and 4) the amount
and type of direct participation by the nominee as compared to contractors
or other participants. Nominees need not be members of FISSEA; however,
nominations must be from FISSEA members. See the FISSEA website for the
process and format for nominating someone for the 1999 EOY award
This is the first edition of our newsletter, FISSEA News &
Views. Our thanks to Fran Nielsen and Mark
Wilson of NIST for producing it. The Executive Board plans to
publish the newsletter quarterly. Your input, comments, and suggestions
for news items will help us produce a useful tool for sharing information
across our community. Contact the Editor-elect Louis Numkin
(firstname.lastname@example.org) to contribute ideas.
By Philip Sibert
Welcome to the new Federal Information Systems Security Educators' Association
newsletter! This newsletter is being established for FISSEA members
to communicate and publicize our activities. Please feel free to
send us articles and news items on the topics of awareness, training,
and education relative to Computer Security/Information Systems Security.
Of particular interest are articles dealing with successes you've had at
your organization in providing awareness and training, but we'll take (and
possibly edit) anything! Louis Numkin, of the Nuclear Regulatory
Commission, has volunteered to shepherd this newsletter, but help from
the membership will be greatly appreciated.
At the annual conference held March 9 - 11, 1998, a number of business
items were completed. One of the significant items was unanimous
membership approval of the new FISSEA By-Laws which provide an operating
framework for FISSEA. These By-Laws also state the responsibilities
of the Executive Board and the membership as they relate to the organization's
mission. In line with the nomination and voting procedures spelled out
in the By-Laws, the new Executive Board was elected by the membership.
Immediately following adjournment of the conference the new Executive
Board convened. The first order of business was to elect an Executive
Board Chair and Assistant Chair for the coming year. I am honored
to have been chosen as the new Chair and I am pleased to have Pauline
Bowen, of the Food and Drug Administration, as the new Assistant Chair.
We are fortunate to have the talent and energy the new Board members provide,
and believe we have the diversity and experience necessary to make FISSEA
more productive in our partnership with the Federal work force and those
private sector and university organizations supporting and working with
Plans are already underway for next year's conference, which will be
held Tuesday, March 9 through Thursday, March 11, 1999, at the Gaithersburg
Hilton Hotel in Gaithersburg, Maryland. We are considering doing
some workshops on Monday, March 8, in conjunction with the conference,
probably at a very nominal additional cost. We have an excellent
conference committee, who have hands-on experience in conference activities
for their own organizations, working on the 1999 conference. Of course,
we will gladly accept suggestions and recommendations to improve the FISSEA
conference for you, so let us know what they are.
We will be working closely with NIST on several new initiatives, not
the least of which will be helping the community with implementation of
the new Special Publication 800-16, Information Technology Security
Training Requirements: A Role- and Performance- Based Model.
This document is the result of several years of "volunteer" work by many
people. Those who were continually involved in the process and saw
the project to fruition were duly honored at the conference when they received
the first FISSEA group award for Educator of the Year Award. I congratulate
the following folks for a job well done, and even more for their fortitude
and persistence in this effort: Dorothea de Zafra, National Institute
of Health; John Tressler, Department of Education; Sadie Pitcher,
Department of Commerce (retired, in the contractor community now);
and, John Ippolito, Allied Technologies.
I appreciate the confidence the membership has shown in me by voting
me onto the Executive Board again, and I will work hard to ensure we have
a successful year. The buck stops here, so let me know what we are
doing right, what we are not doing so well, and what we can do to make
FISSEA better serve you.
By Mark Wilson
The 11th Annual Federal Information Systems Security Educators' Association
(FISSEA) Conference, "Training American Workers in Computer Security,"
was held March 9-11 in Gaithersburg, Maryland. Out-going FISSEA Chair
Quane of the National Security Agency (NSA) welcomed the attendees
and introduced United States Congresswoman Constance Morella.
Representative Morella stressed the importance of our job to safeguard
the government's computers and information. She said FISSEA has a
critical task to train system users in computer security.
Pat Ciuffreda, now retired from the Department of Justice (DOJ),
showed the training video, "The Government Executive Security Briefing,"
moderated by Representative Morella and developed by DOJ. The video was
very well-received by conference attendees. Ciuffreda described
the development of the video, including how the request for proposal for
a scriptwriter/creative director and the production timetable were developed.
An earlier video produced by DOJ for general computer security awareness
and starring John Walsh of "America's Most Wanted" was also shown.
K Rudolph of Native Intelligence gave a presentation on computer
based training (CBT) for security. She emphasized when and why to
use CBT, how goals should drive CBT design, the importance of developing
a strategy, and how to make the training useful. A key concept is
to keep it simple.
John Ippolito of Allied Technology Group briefed attendees on
commercial off-the-shelf training products. Ippolito's talk was followed
by a panel presentation by the authors of the new NIST Special
Publication (SP) 800-16 "Information Technology Security Training Requirements:
A Role- and Performance-Based Model." It is available online at http://csrc.nist.gov/nistpubs/
The first day of the Conference wrapped up with the traditional "Speak
Out," highlighted by a stirring presentation by John Rossi of the
Federal Aviation Administration (FAA). He described a user awareness
presentation he has developed, and a videotape he and other FAA staff developed.
Kicking off the second day, John O'Leary of the Computer Security
Institute (CSI) enthusiastically presented, "Strategies for Setting Security
Training Plan Priorities." O'Leary stressed understanding the job
or jobs of the target audience, the job environment, group and profession
culture, understanding management, and organization politics. He
discussed how to locate internal and external sources for information for
the training session(s) and concluded his talk by describing a plan
to successfully implement the training program.
Charlie Abzug of James Madison University gave an interesting
presentation on cryptography, tracing its roots back several thousands
of years to ancient Greece and bringing the audience up to date by describing
its use in recent history.
Donna Dodson of NIST spoke on the public key infrastructure.
She described current work being done at NIST and in industry standards
organizations (e.g., the Internet Engineering Task Force (IETF) and the
American National Standards Institute (ANSI)).
During lunch attendees visited the on-site vendor displays provided
through the Federal Business Council, Inc. Specifically, thank you
to Michael O'Neill, for coordinating the vendors' exhibits.
After lunch, the "Educator of the Year" award was presented. For
the first time a group award was given at a FISSEA Conference. The
1997 award for outstanding computer security awareness, training, and education
was presented to the four authors of the NIST SP 800-16: Dorothea de
Zafra of the Department of Health and Human Services; Sadie Pitcher,
retired from the Department of Commerce; John Tressler of the Department
of Education; and John Ippolito of the Allied Technology Group.
A FISSEA business meeting was then held with Roger Quane presiding.
Business agenda items were: the future of FISSEA, FISSEA By-laws, NIST
support and its relationship to FISSEA, and the nomination and election
of the FISSEA Executive Board. Phil Sibert of the Department
of Energy led the discussion about the draft FISSEA by-laws. After
some discussion, the by- laws were voted on and accepted unanimously. Mark
Wilson of NIST (NIST/FISSEA Liaison) gave an update on the relationship
between NIST and FISSEA. The business meeting ended with members
voting on individuals nominated for positions on the 1998 Executive Board.
On the final day of the Conference, winners of the Executive Board elections
were announced. The new Board members are:
Roger Quane then gave a presentation on how to determine the return
on investment (ROI) in training. Chapter 5 of the new NIST Special
Publication 800-16 presents more details on evaluation strategies and techniques.
Philip L. Sibert (Chair), Department of Energy
Pauline Bowen (Assistant Chair), Food and Drug Administration
Mark Wilson (NIST/FISSEA Liaison), National Institute of Standards
Ann Brown (Conference Director), Indian Health Service
Patricia Ciuffreda, Strayer University
John Ippolito, Allied Technology Group
Fran Nielsen, National Institute of Standards and Technology
Louis Numkin, Nuclear Regulatory Commission
Roger Quane (Past Chair), National Security Agency
Caren Williams, Department of Justice (formerly with Department
George Bieber of the Defense Information Systems Agency INFOSEC
Program Management Office gave a well-received presentation on DoD/DISA
awareness, training, and education products, both current and planned.
Bieber described a very active DoD security program, including existing
CBT courses, platform instruction, slide-based training materials, and
the Information Assurance Support Environment (IASE) and other DISA websites
After thanking participants with special thanks to the Conference Chair
(Sadie Pitcher), Roger Quane closed the successful 1998 Conference.
Meet the Executive Board
During the annual meeting, FISSEA members elected a new executive board
for 1998-1999. The new board members are: Pauline Bowen (Health
and Human Services, Food and Drug Administration), Ann Brown (Health
and Human Services, Indian Health Services), Patricia Ciuffreda
(Strayer University), John Ippolito (Allied Technology Group), Fran
Nielsen (National Institute of Standards and Technology (NIST)), Louis
Numkin (Nuclear Regulatory Commission), Philip Sibert (Department
of Energy), and Caren Williams (Department of Agriculture).
As past chairman, Roger Quane (National Security Agency) remains
on the board and Mark Wilson (NIST) remains as NIST liaison to the
Association. The new board's first action was to elect Sibert as
its chair and Bowen as its assistant chair.
Biographies of board members can be found at the FISSEA web site
however, brief introductions are included here.
A member of FISSEA since 1992, Pauline Bowen, a computer specialist,
is the FDA's Computer Security Program Manager for the Agency-wide Information
Technology Security Program. Besides chairing the FDA Information
Systems Security Office Subcommittee, Bowen regularly participates in the
Federal Computer Security Program Managers' Forum (Forum). She received
her B.A. in Applied Behavioral Sciences from National-Louis University
in 1989. She is working toward a Master of Computer Science and is
presently attending George Washington University's Management Information
Systems Graduate Program.
Working in the computer security field since 1980, Ann Brown
currently is the Indian Health Services Security Program Manager and its
Information Systems Security Officer (ISSO). Previous federal
assignments include being a consumer safety officer for the Food
and Drug Administration, handling an on-line database for the National
Clearinghouse for Poison Control Centers, and serving as the Parklawn Computer
Center ISSO. Brown holds a BA in chemistry from Sterling College.
With 30 years of government experience, Patricia Ciuffreda recently
retired from the Department of Justice where she was a member of the information
management security staff. Now, Ciuffreda is a professor of political
science at Strayer University. Her doctorate in public administration
was received from NOVA South Eastern University. She has been a member
of FISSEA since 1988.
John Ippolito, Director of Information Technology Security Services
at Allied Technology Group, Inc., participates in the development of federal
guidelines for IT security training programs and the development of Internet-based
training and decision support systems. Ippolito has more than 26
years of experience and an in- depth knowledge of computer and communications
security, risk management, and risk avoidance. He began his career
with the General Accounting Office as a management auditor. He earned
a bachelor's degree in information systems management from the University
of Maryland at College Park.
Fran Nielsen, a computer scientist in the Computer Security Division
of the Information Technology Laboratory (ITL) at NIST, is responsible
for coordinating IT security management and guidance activities in the
Division's Network and Systems Security Group. These activities include
special projects in and guidance on security management; security planning;
security education, training, and awareness; incident handling; and security
policy. Nielsen has a doctorate and a masters degree in public administration
from the University of Southern California and a masters degree in software
engineering from the Johns Hopkins University; her undergraduate degree
is in computer technology from the American University.
Louis Numkin is a senior computer security specialist in the
Office of the Chief Information Officer at the US Nuclear Regulatory Commission.
His duties relate to computer security awareness training, anti-virus activities,
classified inspections of nuclear plants, disaster recovery planning, computer
security plan review and approval, risk assessment, and the like.
Numkin volunteers in an agency outreach program to provide computer security
sessions for schools (elementary through high school) and for senior citizen
centers. Numkin's undergrad degree in business administration and
his masters degree in Technology of Management (majoring in Management
Information Systems and Computer Systems) are from the American University.
Roger Quane has worked in the area of education, training and
awareness for the past 25 years. Quane has assisted in the development
and implementation of programs in the following subject areas: law enforcement,
computer manufacturing, motorcycle safety, driver and traffic safety, occupational
health and safety, security management, computer security, information
security, and information operations. Quane received his Ph.D.
in Education from the University of Maryland. Currently, he is Senior Education
and Training Officer for the Information Operations Technology Center,
a joint Center for the Intelligence Community and the Department of Defense.
A fed since 1967, Philip Sibert gained valuable experience as
a programmer, a social insurance systems analyst, and a computer specialist,
working with IBM, Amdahl, and Univac mainframe computers, and various
mini- and micro-computers during his career. Currently, Sibert,
a Certified Information Systems Security Professional, focuses on computer
security at the U. S. Department of Energy as DOE's Computer Security Program
Manager for the unclassified computer security program. Sibert was
instrumental in establishing the first federal civilian agency computer
incident response capability. Called the Computer Incident Advisory Capability
(CIAC), the organization is a key collaborator in the Federal Computer
Incident Response Capability (FedCIRC). Sibert has served on the
FISSEA executive board for the past three years.
Caren Williams has been the Information Systems Security Program
Manager at the USDA's Food Safety and Inspection Service (FSIS) since 1990.
In May, Williams will begin an IT security assignment with the Department
of Justice. In 1996 she was honored as the Charles County (Maryland)
Business and Professional Woman of the Year. Williams is a graduate
of the University of Maryland University College; her bachelor of science
degree is in information systems management.
Mark Wilson has been at NIST since November 1992 and has served
as the NIST/FISSEA Liaison since 1996. Since coming to NIST he has
worked on computer security program management issues, including program
management reviews, vulnerability analyses and other risk management issues,
security awareness and training, security planning, and security in the
life cycle management process. Mark came to NIST from Norfolk, Virginia
where he worked for ten years in the computer security field for several
U.S. Navy organizations. During his last job he served as the ADP
Operations and ADP Security Director for a naval supply activity.
He earned a B.A. in political science from Old Dominion University in Norfolk
in 1983. Mark is a native of New Jersey and is a U.S. Navy and Vietnam
We Need Your Help!
Under a Government Information Technology Services (GITS)-sponsored
project, FISSEA will assist NIST in establishing a repository of security
training materials (e.g., videos, handouts, posters, slides, CBTs).
The intent of the project is to design a web site to contain the materials
along with information about their use. If your agency has developed
training materials that can be shared or referenced, or, if you would like
to participate on the FISSEA-sponsored task group to work on this project,
please contact the NIST GITS IT Security Training Project Manager,
More about FISSEA
The Federal Information Systems Security Educators' Association (FISSEA),
founded in 1987, is an organization run by and for federal information
systems security professionals. FISSEA is sponsored by the National
Institute of Standards and Technology (NIST) and assists NIST in meeting
its responsibilities under the Computer Security Act.
Membership is open to information systems security professional trainers
and educators and managers who are responsible for information systems
security training programs in federal agencies. Contractors of these
agencies and faculty members of accredited educational institutions are
also welcome. Members are encouraged to participate in the annual
FISSEA conference and to serve on its ad hoc task groups.
To learn more about FISSEA and its activities or to join the Association,
visit our website:
or send e-mail to:
or send surface mail to:
Bldg. 820 Room 426
Gaithersburg, MD 20899-0001
Call for Papers
With the 1998 conference behind us, the FISSEA Executive Board is already
planning for next year's event. We need your help to make the conference
a success! Send your ideas for papers, sessions, panels, and presentations
to the Conference Director:
To download a copy of the call for papers form you need to have either
Adobe Acrobat or Microsoft Word on your system.
(Acrobat) Click Adobe
Acrobat to download a freeware copy.
(MS Word) Open this file, complete the form, and save the file. Send the
file as an attachment to an e-mail message to Ann Brown, the 1999 FISSEA
Louis Numkin .................... Editor
Fran Nielsen ...................... 1st Edition Editor
Phil Sibert .......................... FISSEA Chair
Mark Wilson ..................... NIST Liaison