NEWS AND VIEWS
"I touch the future, I teach."  Christa McAuliffe
April 1998   Vol. I No. I


Four Share Educator Award

    De Zafra, Tressler, Pitcher, and Ippolito Win 1997 Award

    The 1997 Educator of the Year (EOY) award was given jointly to the four co-authors of NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-based Model.  Winners are: Dorothea de Zafra (Senior Program Analyst and Science Education Program Coordinator, Office of Collaborative Research Activities, National Institute on Alcohol Abuse and Alcoholism, National Institutes of Health); John Tressler (Computer Security Officer, Office of the Deputy Chief Information Officer, Department of Education); Sadie Pitcher (Information Technology Security Manager (retired), Department of Commerce); and John B. Ippolito (Director, IT Security Services, Allied Technology Group, Inc.).

    In nominating the first FISSEA group award, the nominator (who prefers to remain anonymous) wrote: The recent completion of the "final draft" of the training guideline which will replace NIST Special Publication 500-172 (Computer Security Training Guidelines) marks a major milestone in FISSEA's growth as a professional organization.  FISSEA can take great pride in the fact that it served not only as a catalyst for the development of this critically needed successor guideline, but also chartered a working group to actually produce it. This guideline, "Information Technology Security Training Requirements: A Role- and Performance-based Model," will soon be issued as NIST Special Publication 800-16.  It could not have been completed without hundreds of hours of hard work and personal sacrifice on the part of the FISSEA working group which produced it after more than four years of intensive effort.  Working drafts of this guideline already have won wide acceptance and, as a result, the publication will serve as a true "training road-map."

    In addition, efforts undertaken with the national security community during the development process have allowed their needs to be addressed directly and incorporated seamlessly into the final product, offering the hope that a single document will serve as the training reference in both defense and civilian agency communities.

    Therefore, it seems fitting that the FISSEA working group which developed the new training guideline be recognized as recipients of the FISSEA "Educators of the Year Award" to be awarded in March, 1998. These individuals, who are the first to point to the many contributions which their colleagues outside of the working group have made to it, truly have achieved a remarkable accomplishment. They have worked together as a team in an exceedingly effective manner, and this document could not have been completed without their individual and collective contributions. In fact, it is because of the sustained, unique and crucial synergy developed by and among the four working group members that it is possible only to nominate the entire team.

    Now that NIST Special Publication 800-16 is being readied for publication, its full significance will become readily apparent. For the first time, it is expected that role-based training modules can be developed reliably and completely. The distinction between awareness and training will be clear to all. The lucid description of a learning continuum, with levels of learning, has received much attention and will serve as a model to other educators in diverse fields. Because of the very detailed outlines for developing training modules at the "Basics and Literacy" levels, as well as at the higher levels of role-based training, IT Security professionals will be equipped to develop and conduct training courses and materials with confidence, reproducibility and cohesion across organizational lines. As well, they are encouraged directly to evaluate both individual courses and the overall IT security training program, thus documenting in business terms the benefit of the educational investment. Finally, because of its extensibility, the training guideline will be able to serve the IT Security profession for years to come.

    Beyond the excellent technical content, this document also holds a compelling and formidable challenge for us, the IT Security community, to embrace the distilled concepts, follow the "road-map" and add our own energy and imagination to do something truly bold. For me, that bold something is the building of a common understanding, not only among ourselves but between and among Human Resources professionals, managers and IT auditors, that the information and strategy contained in the document are sound and are an appropriate basis for elaboration of "best practices" which should infuse job descriptions, personal evaluations / training plans, and formal audit procedures. In its elicitation of a response to this challenge, the document may well accomplish the outcome most prized by all educators: to change individual behavior for the better.

    The FISSEA community offers its sincere thanks and warm congratulations to the 1997 award recipients! 

    The Educator of the Year award recognizes an individual for his or her accomplishments in information systems security training and education. Individuals are nominated and selected based on the justification provided with the nomination. Nominations are judged on 1) originality and uniqueness of the activities undertaken by the nominee; 2) extension of benefits beyond the nominee's organization; 3) scope of the activities; and 4) the amount and type of direct participation by the nominee as compared to contractors or other participants. Nominees need not be members of FISSEA; however, nominations must be from FISSEA members. See the FISSEA website for the process and format for nominating someone for the 1999 EOY award:

    http://csrc.nist.gov/organizations/fissea.html


First Edition

    This is the first edition of our newsletter, FISSEA News & Views.   Our thanks to Fran Nielsen and Mark Wilson of NIST for producing it.  The Executive Board plans to publish the newsletter quarterly. Your input, comments, and suggestions for news items will help us produce a useful tool for sharing information across our community.  Contact the Editor-elect Louis Numkin (lmn@nrc.gov) to contribute ideas. 

Chairman's Remarks

    By Philip Sibert

    Welcome to the new Federal Information Systems Security Educators' Association newsletter!  This newsletter is being established for FISSEA members to communicate and publicize our activities.  Please feel free to send us articles and news items on the topics of  awareness, training, and education relative to Computer Security/Information Systems Security.  Of particular interest are articles dealing with successes you've had at your organization in providing awareness and training, but we'll take (and possibly edit) anything!  Louis Numkin, of the Nuclear Regulatory Commission, has volunteered to shepherd this newsletter, but help from the membership will be greatly appreciated. 

    At the annual conference held March 9 - 11, 1998, a number of business items were completed.  One of the significant items was unanimous membership approval of the new FISSEA By-Laws which provide an operating framework for FISSEA.  These By-Laws also state the responsibilities of the Executive Board and the membership as they relate to the organization's  mission. In line with the nomination and voting procedures spelled out in the By-Laws, the new Executive Board was elected by the membership. 

    Immediately following adjournment of the conference the new Executive Board convened.  The first order of business was to elect an Executive Board Chair and Assistant Chair for the coming year.  I am honored to have been chosen as the new Chair and I am pleased to have Pauline Bowen, of the Food and Drug Administration, as the new Assistant Chair.  We are fortunate to have the talent and energy the new Board members provide, and believe we have the diversity and experience necessary to make FISSEA more productive in our partnership with the Federal work force and those private sector and university organizations supporting and working with us. 

    Plans are already underway for next year's conference, which will be held Tuesday, March 9 through Thursday, March 11, 1999, at the Gaithersburg Hilton Hotel in Gaithersburg, Maryland.  We are considering doing some workshops on Monday, March 8, in conjunction with the conference, probably at a very nominal additional cost.  We have an excellent conference committee, who have hands-on experience in conference activities for their own organizations, working on the 1999 conference.  Of course, we will gladly accept suggestions and recommendations to improve the FISSEA conference for you, so let us know what they are. 

    We will be working closely with NIST on several new initiatives, not the least of which will be helping the community with implementation of the new Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model.  This document is the result of several years of "volunteer" work by many people.  Those who were continually involved in the process and saw the project to fruition were duly honored at the conference when they received the first FISSEA group award for Educator of the Year Award.  I congratulate the following folks for a job well done, and even more for their fortitude and persistence in this effort: Dorothea de Zafra, National Institute of Health; John Tressler, Department of Education; Sadie Pitcher, Department of Commerce (retired, in the contractor community now); and, John Ippolito, Allied Technologies.

    I appreciate the confidence the membership has shown in me by voting me onto the Executive Board again, and I will work hard to ensure we have a successful year.  The buck stops here, so let me know what we are doing right, what we are not doing so well, and what we can do to make FISSEA better serve you.


Conference Highlights

    By Mark Wilson

    The 11th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference, "Training American Workers in Computer Security," was held March 9-11 in Gaithersburg, Maryland.  Out-going FISSEA Chair Roger Quane of the National Security Agency (NSA) welcomed the attendees and introduced United States Congresswoman Constance Morella.  Representative Morella stressed the importance of our job to safeguard the government's computers and information.  She said FISSEA has a critical task to train system users in computer security. 

    Pat Ciuffreda, now retired from the Department of Justice (DOJ), showed the training video, "The Government Executive Security Briefing," moderated by Representative Morella and developed by DOJ. The video was very well-received by conference attendees.   Ciuffreda described the development of the video, including how the request for proposal for a scriptwriter/creative director and the production timetable were developed.  An earlier video produced by DOJ for general computer security awareness and starring John Walsh of "America's Most Wanted" was also shown. 

    K Rudolph of Native Intelligence gave a presentation on computer based training (CBT) for security.  She emphasized when and why to use CBT, how goals should drive CBT design, the importance of developing a strategy, and how to make the training useful.  A key concept is to keep it simple. 

    John Ippolito of Allied Technology Group briefed attendees on commercial off-the-shelf training products.  Ippolito's talk was followed by a panel presentation by  the authors of the new NIST Special Publication (SP) 800-16 "Information Technology Security Training Requirements: A Role- and Performance-Based Model." It is available online at http://csrc.nist.gov/nistpubs/

    The first day of the Conference wrapped up with the traditional "Speak Out," highlighted by a stirring presentation by John Rossi of the Federal Aviation Administration (FAA).  He described a user awareness presentation he has developed, and a videotape he and other FAA staff developed. 

    Kicking off the second day, John O'Leary of the Computer Security Institute (CSI) enthusiastically presented, "Strategies for Setting Security Training Plan Priorities."  O'Leary stressed understanding the job or jobs of the target audience, the job environment, group and profession culture, understanding management, and organization politics.  He discussed how to locate internal and external sources for information for the training session(s) and concluded  his talk by describing a plan to successfully implement the training program. 

    Charlie Abzug of James Madison University gave an interesting presentation on cryptography, tracing its roots back several thousands of years to ancient Greece and bringing the audience up to date by describing its use in recent history. 

    Donna Dodson of NIST spoke on the public key infrastructure.  She described current work being done at NIST and in industry standards organizations (e.g., the Internet Engineering Task Force (IETF) and the American National Standards Institute (ANSI)). 

    During lunch attendees visited the on-site vendor displays provided through  the Federal Business Council, Inc. Specifically, thank you to Michael O'Neill, for coordinating the vendors' exhibits. 

    After lunch, the "Educator of the Year" award was presented.  For the first time a group award was given at a FISSEA Conference.  The 1997 award for outstanding computer security awareness, training, and education was presented to the four authors of the NIST SP 800-16: Dorothea de Zafra of the Department of Health and Human Services; Sadie Pitcher, retired from the Department of Commerce; John Tressler of the Department of Education; and John Ippolito of the Allied Technology Group. 

    A FISSEA business meeting was then held with Roger Quane presiding.  Business agenda items were: the future of FISSEA, FISSEA By-laws, NIST support and its relationship to FISSEA, and the nomination and election of the FISSEA Executive Board.  Phil Sibert of the Department of Energy led the discussion about the draft FISSEA by-laws.  After some discussion, the by-laws were voted on and accepted unanimously. Mark Wilson of NIST (NIST/FISSEA Liaison) gave an update on the relationship between NIST and FISSEA.  The business meeting ended with members voting on individuals nominated for positions on the 1998 Executive Board.

    On the final day of the Conference, winners of the Executive Board elections were announced.  The new Board members are: 

    • Philip L. Sibert (Chair), Department of Energy
    • Pauline Bowen (Assistant Chair), Food and Drug Administration
    • Mark Wilson (NIST/FISSEA Liaison), National Institute of Standards and Technology
    • Ann Brown (Conference Director), Indian Health Service
    • Patricia Ciuffreda, Strayer University
    • John Ippolito, Allied Technology Group
    • Fran Nielsen, National Institute of Standards and Technology
    • Louis Numkin, Nuclear Regulatory Commission
    • Roger Quane (Past Chair), National Security Agency
    • Caren Williams, Department of Justice (formerly with Department of Agriculture)

    Roger Quane then gave a presentation on how to determine the return on investment (ROI) in training.  Chapter 5 of the new NIST Special Publication 800-16 presents more details on evaluation strategies and techniques.

    George Bieber of the Defense Information Systems Agency INFOSEC Program Management Office gave a well-received presentation on DoD/DISA awareness, training, and education products, both current and planned.  Bieber described a very active DoD security program, including existing CBT courses, platform instruction, slide-based training materials, and the Information Assurance Support Environment (IASE) and other DISA websites (e.g., http://www.disa.mil/infosec). 

    After thanking participants with special thanks to the Conference Chair (Sadie Pitcher), Roger Quane closed the successful 1998 Conference. 


Meet the Executive Board

    During the annual meeting, FISSEA members elected a new executive board for 1998-1999.  The new board members are: Pauline Bowen (Health and Human Services, Food and Drug Administration), Ann Brown (Health and Human Services, Indian Health Services), Patricia Ciuffreda (Strayer University), John Ippolito (Allied Technology Group), Fran Nielsen (National Institute of Standards and Technology (NIST)), Louis Numkin (Nuclear Regulatory Commission), Philip Sibert (Department of Energy), and Caren Williams (Department of Agriculture).  As past chairman, Roger Quane (National Security Agency) remains on the board and Mark Wilson (NIST) remains as NIST liaison to the Association.  The new board's first action was to elect Sibert as its chair and Bowen as its assistant chair. 

    Biographies of board members can be found at the FISSEA web site (http://csrc.nist.gov/organizations/fissea.html); however, brief introductions are included here.

    A member of FISSEA since 1992, Pauline Bowen, a computer specialist, is the FDA's Computer Security Program Manager for the Agency-wide Information Technology Security Program.  Besides chairing the FDA Information Systems Security Office Subcommittee, Bowen regularly participates in the Federal Computer Security Program Managers' Forum (Forum).  She received her B.A. in Applied Behavioral Sciences from National-Louis University in 1989.  She is working toward a Master of Computer Science and is presently attending George Washington University's Management Information Systems Graduate Program. 

    Working in the computer security field since 1980, Ann Brown currently is the Indian Health Services Security Program Manager and its Information Systems Security Officer (ISSO).   Previous federal assignments include being  a consumer safety officer for the Food and Drug Administration, handling an on-line database for the National Clearinghouse for Poison Control Centers, and serving as the Parklawn Computer Center ISSO. Brown holds a BA in chemistry from Sterling College. 

    With 30 years of government experience, Patricia Ciuffreda recently retired from the Department of Justice where she was a member of the information management security staff.  Now, Ciuffreda is a professor of political science at Strayer University.  Her doctorate in public administration was received from NOVA South Eastern University.  She has been a member of FISSEA since 1988. 

    John Ippolito, Director of Information Technology Security Services at Allied Technology Group, Inc., participates in the development of federal guidelines for IT security training programs and the development of Internet-based training and decision support systems.  Ippolito has more than 26 years of experience and an in-depth knowledge of computer and communications security, risk management, and risk avoidance.  He began his career with the General Accounting Office as a management auditor.  He earned a bachelor's degree in information systems management from the University of Maryland at College Park.

    Fran Nielsen, a computer scientist in the Computer Security Division of the Information Technology Laboratory (ITL) at NIST, is responsible for coordinating IT security management and guidance activities in the Division's Network and Systems Security Group.  These activities include special projects in and guidance on security management; security planning; security education, training, and awareness; incident handling; and security policy.  Nielsen has a doctorate and a masters degree in public administration from the University of Southern California and a masters degree in software engineering from the Johns Hopkins University; her undergraduate degree is in computer technology from the American University. 

    Louis Numkin is a senior computer security specialist in the Office of the Chief Information Officer at the US Nuclear Regulatory Commission.  His duties relate to computer security awareness training, anti-virus activities, classified inspections of nuclear plants, disaster recovery planning, computer security plan review and approval, risk assessment, and the like.  Numkin volunteers in an agency outreach program to provide computer security sessions for schools (elementary through high school) and for senior citizen centers.  Numkin's undergrad degree in business administration and his masters degree in Technology of Management (majoring in Management Information Systems and Computer Systems) are from the American University. 

    Roger Quane has worked in the area of education, training and awareness for the past 25 years. Quane has assisted in the development and implementation of programs in the following subject areas: law enforcement, computer manufacturing, motorcycle safety, driver and traffic safety, occupational health and safety, security management,  computer security, information security,  and information operations.  Quane received his Ph.D.  in Education from the University of Maryland. Currently, he is Senior Education and Training Officer for the Information Operations Technology Center, a joint Center for the Intelligence Community and the Department of Defense. 

    A fed since 1967, Philip Sibert gained valuable experience as a programmer, a social insurance systems analyst, and a computer specialist, working with  IBM, Amdahl, and Univac mainframe computers, and various mini- and micro-computers during his career.  Currently,  Sibert, a Certified Information Systems Security Professional, focuses on computer security at the U. S. Department of Energy as DOE's Computer Security Program Manager for the unclassified computer security program.  Sibert was instrumental in establishing the first federal civilian agency computer incident response capability. Called the Computer Incident Advisory Capability (CIAC), the organization is a key collaborator in the Federal Computer Incident Response Capability (FedCIRC).  Sibert has served on the FISSEA executive board for the past three years. 

    Caren Williams has been the Information Systems Security Program Manager at the USDA's Food Safety and Inspection Service (FSIS) since 1990.   In May, Williams will begin an IT security assignment with the Department of Justice.  In 1996 she was honored as the Charles County (Maryland) Business and Professional Woman of the Year.  Williams is a graduate of the University of Maryland University College; her bachelor of science degree is in information systems management. 

    Mark Wilson has been at NIST since November 1992 and has served as the NIST/FISSEA Liaison since 1996.  Since coming to NIST he has worked on computer security program management issues, including program management reviews, vulnerability analyses and other risk management issues, security awareness and training, security planning, and security in the life cycle management process.  Mark came to NIST from Norfolk, Virginia where he worked for ten years in the computer security field for several U.S. Navy organizations.  During his last job he served as the ADP Operations and ADP Security Director for a naval supply activity.  He earned a B.A. in political science from Old Dominion University in Norfolk in 1983.  Mark is a native of New Jersey and is a U.S. Navy and Vietnam Veteran. 


We Need Your Help!

    Under a Government Information Technology Services (GITS)-sponsored project, FISSEA will assist NIST in establishing a repository of security training materials (e.g., videos, handouts, posters, slides, CBTs).  The intent of the project is to design a web site to contain the materials along with information about their use.  If your agency has developed training materials that can be shared or referenced, or, if you would like to participate on the FISSEA-sponsored task group to work on this project, please contact the NIST GITS IT Security Training Project Manager, Fran Nielsen   fnielsen@nist.gov  (301/975-3669). 

More about FISSEA

    The Federal Information Systems Security Educators' Association (FISSEA), founded in 1987, is an organization run by and for federal information systems security professionals.  FISSEA is sponsored by the National Institute of Standards and Technology (NIST) and assists NIST in meeting its responsibilities under the Computer Security Act. 

    Membership is open to information systems security professional trainers and educators and managers who are responsible for information systems security training programs in federal agencies.  Contractors of these agencies and faculty members of accredited educational institutions are also welcome.  Members are encouraged to participate in the annual FISSEA conference and to serve on its ad hoc task groups. 

    To learn more about FISSEA and its activities or to join the Association, visit our website: 
           http://csrc.nist.gov/organizations/fissea.html

    or send e-mail to: 
           mark.wilson@nist.gov

    or send surface mail to: 
            Mark Wilson 
            NIST/FISSEA Liaison 
            NIST 
            Bldg. 820 Room 426 
            Gaithersburg, MD 20899-0001


Call for Papers

    With the 1998 conference behind us, the FISSEA Executive Board is already planning for next year's event.  We need your help to make the conference a success!  Send your ideas for papers, sessions, panels, and presentations to the Conference Director: 

    To download a copy of the call for papers form you need to have either Adobe Acrobat or Microsoft Word on your system. 

    callpaper.pdf (Acrobat) Click Adobe Acrobat to download a freeware copy. 

    callpaper.doc (MS Word) Open this file, complete the form, and save the file. Send the file as an attachment to an e-mail message to Ann Brown, the 1999 FISSEA Conference Director. 
     


Newsletter Staff

    Louis Numkin, Editor
    Fran Nielsen, 1st Edition Editor
    Phil Sibert, FISSEA Chair
    Mark Wilson, NIST Liaison


Last Modified: March 5, 2002.