FROM THE EXECUTIVE BOARD CHAIR
As FISSEA members we are challenged by the tremendous responsibility
to ensure employees' awareness of the threats to and vulnerability of computer
systems; and to encourage all users of Federal computer systems to use
improved computer security practices. In order to do this, we must
embrace the recently issued NIST Special Publication 800-16, "Information
Technology Security Training Requirements: A Role- and Performance-Based
Model. (We also need to be familiar with the Special Publications,
FIPS Publications, and statutes that govern our organizations and programs.)
Be sure to "ear mark" your copy of these publications whenever you have
any question about their contents. Then, send in questions for either
a written response or a response via our FISSEA web page. We can
also discuss this at the annual conference.
If you have an idea on how to do some aspect of training or awareness,
or a unique and effective way, let us know that, too. We'll gladly
give you credit for anything submitted. We need to reach out and
touch everyone with our training and awareness today because we no longer
live in a confined environment.
When using the computer systems and networks provided to us for our
work, we have a community responsibility to know how our systems are vulnerable
and how we, as individual users, can use those systems in a responsible
and secure way. It is our job to reach out to everyone to help them
understand their responsibilities and realize they are accountable for
their actions. Therefore, accountability will become one of the ingredients
in the training and awareness mix we deliver. Ultimately, everyone
will see that understanding the vulnerabilities of the systems and networks
and knowing how to use improved security techniques will make them better
computer and network users. Better users will understand what they
are accountable for, and this accountability will bring prevention--prevention
of errors and prevention of unauthorized activities.
"‘SIBER' SPACE" SNIPPITS
Time surely flies when you're having fun! (Or when there's a deadline
popping over the horizon!) It seems like it was just yesterday
that the April issue went out. The Board of Directors is committed
to providing quarterly FISSEA newsletters in April, July, October, and
January. It will be extremely helpful if FISSEA members submit articles
to Lou Numkin, the "FISSEA News and Views" editor, by the first of each
A mistake was made in our last issue when the "return mail" card sent
out was smaller than the post office allows. Because of this, we
are unable to determine if all cards mailed were received. Therefore,
in this issue there will again be a card to mail back to NIST verifying
your desire to continue membership in FISSEA, and requesting you provide
contact information. Please return the card, even though
you may already have mailed one back recently. THANKS FOR YOUR
EVALUATING RESULTS-BASED LEARNING FOR INFORMATION TECHNOLOGY
SECURITY: Synopsis of NIST ITL Bulletin dated
The training requirements for Results-Based Learning were developed
by the FCSPM Forum and FISSEA. Results- based training for information
technology (IT) security focuses on employees' job functions and their
specific organizational roles and responsibilities. This approach
to learning is based on the premise that employees have unique backgrounds
and different ways of learning. Other considerations in the program
are that employees may have more than one role in an organization, and
that IT security training may need to be tailored for the specific responsibilities
of each role. Awareness of the need for IT security is the starting
point in the learning process for all employees. The next step is
training, which starts with security basics, then training in a range of
security-related skills needed by employees for their specific roles and
responsibilities. It is critical that the training is current and
customized to meet the needs of the individual employees and organizations.
Organizations need to evaluate the effectiveness of the training and
its relevance to their IT security training requirements. Evaluating
training can be beneficial for employees (able to assess post-training
job performance), managers (able to assess on-the-job performance after
training), and trainers (able to use evaluation to improve training methods).
The evaluation process can include the following:
An evaluation plan must identify mission-related goals and learning objectives,
along with the following:
Training (student) satisfaction - provides feedback from the student's
Learning effectiveness - what employee learned from training
Teaching effectiveness - how well training is implemented
Training program effectiveness - value of the training in relation to organization's
overall IT security training program.
There are four levels of evaluation: 1) End-of-Course Evaluation
(Student Evaluation) where employees rate training; 2) Behavior Objective
Testing (Learning and Teaching Effectiveness) that measures level of information
or skill of the training with respect to employee's background, education,
and skills; 3) Job Transfer Skills (Student Performance Effectiveness),
which is a "before" and "after" job skills comparison completed by the
employee's supervisor to evaluate how the training benefits the organization
as well as the employee; and 4) Organizational Benefit (Training Program
Effectiveness) that quantifies the value of training in relation to the
costs by interviewing employees, supervisors, and colleagues.
Description of environment before training
Activity to be performed so evaluator can observe employee conduct, skills
Success measures derived from employee's work rather than from classroom
testing; i.e., written behavioral objectives; risk management techniques;
qualitative skills; and nature and purpose of training activity
Steps for collecting and using evaluation data
NIST Special Publication 800-16, Information Technology Security
Training Requirements: A Role- and Performance-Based Model, provides
detailed, specific information to help organizations evaluate their IT
security training programs, the extent to which the programs are useful,
and how to make wise decisions in allocating training resources.
An electronic copy of NIST 800-16 can be accessed at http://csrc.nist.gov/training/800-16.pdf.
IN YOUR SPARE TIME (YOU CAN LAUGH HERE!)
CHECK OUT THE FOLLOWING URL: http://glef.org/learnlive/redirect/esources.html
Anyone familiar with the George Lucas Education Foundation? If so,
let us know. There is an extensive list of sponsors, many from the
computer industry. Maybe we should try to have them speak at the
annual conference? Your help is appreciated!
First... a KUDO is due: The FISSEA Exec Board thanks K. Rudolph,
Native Intelligence, and John Orban, NRC, for creating our newsletter banner
artwork. Though I may have had the original idea, it took these two
folks to get it into our paper. Thanks, again.
And now, the rest of the column...
Did you ever wonder what happens to all the letters and words that an
Editor cuts out of articles written by newsletter contributors? Well,
they are molded into a post script column that fills a little more white
space and hopefully carries some message.
For years, folks who know me know that I am a staunch supporter of Government
Computer Security professionals getting out into their community schools
and senior citizen centers to preach the gospel of good computer security
as well as computer ethics. My agency and management have always
supported this endeavor... but... I have been informed that in the future
we may not be able to because of budget and other constraints. Oh,
they will still permit personnel to keep up such efforts on an individual
case basis, but our agency Community Outreach Program may be a thing of
This is a real concern to me. Advertising by our Public Affairs
Office mentor and internally has resulted in more employees volunteering
their time and staying interested in this good deed activity. No,
the fight is not over yet, but from what I've been told, this central focusing
office will no longer be able to directly encourage our participation.
It is mentioned here as an inducement to get each of you to ensure that
if your agency has such a program, support it and don't let it die.
If your agency does not have an outreach program to schools and centers,
suggest it and offer to participate. It feels good to give something
back to your community.
The April 24, 1998, Washington Post's Federal Diary column by Mike Causey
was entitled "Mobilizing an Army of Volunteers." It referenced something
that may make my quest in this editorial a bit easier for the readership.
For those of you who are unaware, "The White House has announced a policy
encouraging 'citizen service' by federal workers... In a directive...to
agency heads, President Clinton told them to develop volunteer-friendly
procedures. The directive is titled 'Strengthening Our Commitment
This directive states that employees "should be encouraged to do volunteer
work on their own time. But it also gives Cabinet officers and agency
heads the authority to pay workers for the time they spend on volunteer
services." It means that if one's boss approves, administrative leave
could be granted for volunteer activities outside of the agency.
According to Causey, "Agencies have 90 days to report to the Office of
Personnel Management on what they have done to set up voluntary service
programs. OPM will coordinate the effort and provide agencies with
citizen service guidelines." Also quoting from the directive, agencies
may grant "excused absence (paid administrative leave) for volunteer work
if the absence is directly related to the department or agency's mission
... (and) the absence will clearly enhance the professional development
or skills of the employee in his or her current position."
Mike's conclusion is that "an agency head interested in a community
or national program could easily steer thousands of volunteers to it by
not only granting them paid time off, but also giving the employees experience
or skill credits for doing the work."
Kudos to Causey for bringing this to the public's attention. It
is my feeling that each of us should ensure that our agencies are aware
of and support this directive. Reports must be in to OPM by the end
of July so get on your horses and ride, compadres! Enlist the support
of other school volunteers and encourage your agency to respond favorably
to this initiative. As President Bush said, "make yourself a Shining
Star." And then, with agency support, get out into your schools and senior
centers and explain computer security and ethics to help improve all our
BOARD MEMBERS TRAINING ACTIVITIES
The Year 2000 can mean big trouble for Government personnel and business
people who depend on computer software--which is almost everyone.
Two FISSEA board members (Dr. Pat Ciuffreda and John Ippolito) are involved
in private sector efforts that directly address computer ethics and the
Year 2000 problem.
PAT'S WORK AT STRAYER
Dr. Pat Ciuffreda just completed teaching the course, "Computers and Society,"
at Strayer University in Takoma Park, Washington, D.C. For the first
time a course that addressed the ethical, sociological, and philosophical
effects of information technology on social settings was taught at Strayer.
This included the Year 2000 problem as a case study since it highlighted
the pervasiveness of computing on today's society as industries try to
identify and resolve their Year 2000 dependencies.
In Pat's class of thirty, only a few students understood why or
how the problem occurred and was allowed to persist as technology advanced.
Further, although almost half of her students had heard references to the
Year 2000 issue or remembered seeing a newspaper article, none appreciated
its broad implications to our computer- dependent society. Her class
included computer science, business administration, and accounting majors.
With these educational backgrounds, Pat expected that the students would
have learned about the Year 2000 problem in their other course work or
reading and would have kept up-to-date on the impacts of technology on
The students became more interested after Pat presented an overview
of the problem, its history, and described what Government and industry
are trying to do to address this challenge. In open discussions,
the students made it clear that they wanted to know as much as possible
about the issues associated with the Year 2000 and what the impacts would
be if this challenge was not met. The students' expanded interest
provided Pat the opportunity to involve her class in the Year 2000 issue
by assigning it as the topic of their term papers. The students prepared
insightful and comprehensive reports, some of which were as thought- provoking
as the General Accounting Office Year 2000 report. Working with her
students on the Year 2000 problem was a dual learning experience.
Her students became aware of the Year 2000 problem, and uncovered potential
Year 2000 implications that she had not previously considered.
JOHN'S WORK AT THE UNIVERSITY OF MARYLAND
The Maryland State government recognized that there are not enough programmers
with Year 2000 remediation experience to support the needs of both the
public and private sectors. State officials, working with the University
of Maryland, established a program to train "Year 2000 Technicians" to
help alleviate the labor shortage. Under this program, individuals
receive a 5 week day or 7 week night course in COBOL and techniques for
identifying and resolving Year 2000 dependencies. In addition to
receiving the training at no cost, students who stay with the program for
two years receive monetary credits toward continuing their education at
the University of Maryland. The University and the State get partial
repayment from private sector organizations who hire program participants.
In addition to paying the students a competitive wage for their skills,
participating companies pay into a fund that supports Year 2000 training
and follow-on education.
Establishing the Year 2000 Technician Program created another problem
for the University. Where would they get instructors who understood the
Year 2000 problem and could teach COBOL from a practical perspective?
This is where John Ippolito came in. In addition to teaching a number
of the classes, John helped locate instructors who had both attributes.
Working with the University and its Year 2000 Technician Program provided
several insights into the problem and how organizations and individuals
are dealing with it:
People are still in denial. Many company managers and individuals
still do not believe a Year 2000 problem exists. Consequently, they
are not addressing the problem. Failure to address the problem is
giving lawyers an incentive to become experts in Year 2000 liability because
they see easy wins when suing and a market for their services to prevent
companies from being sued.
A number of highly-qualified individuals do not want to go into Year 2000
remediation work. As was simply put by one instructor, he didn't
want to get the 2:00 a.m. call when a program failed to work because of
an undetected/uncorrected Year 2000 dependency.
Many people are still waiting for the silver bullet. Providing silver bullets
has generated a sizable market in Year 2000 remediation tools.
Those who really understand the problem recognize that, while tools can
help the process, they are not silver bullets and failures will occur,
regardless of how much effort is put into remediation. Thus, organizations
must develop contingency plans, something that few organizations have created,
even for their critical assets.
Both Pat and John agree the need is critical to train people, at all levels,
in the issues that can affect the availability and integrity of our information
technology infrastructure. The Year 2000 problem is an issue that
won't go away, but can be ignored. Resolving the Year 2000 issue
will require attacking the critical issues senior management has ignored
There are a number of Year 2000 "experts" who are predicting the fall of
society as our technology- dependent economy collapses as a result of Year
2000 problems. These harbingers of doom are putting their money into
gold and other traditional disaster hedges, while at the same time selling
their expertise to Government and industry to resolve the Year 2000 problem.
Ethics — is it ethical for a manager to ignore Year 2000 dependencies when
there are lives at stake?
Resources — will management now devote the resources necessary to ensure
that their people are properly trained and their system integrity assured
rather than the binge-like spending required to resolve those same issues
in crisis mode?
For more information on the Year 2000 issue, you may wish to visit The
Year 2000 Information Center Web site at http://www.year2000.com/.
Recognition — will management recognize the year 2000 problem and accept
the recommendations of those responsible for system availability and security
when they identify potential problems rather than ignore the situation
until there is a failure?
Did you know...The National Economic Council
and the Office of Science and Technology Policy, in consultation with the
Office of Personnel Management, seek information about how to make the
most efficient use of new information technologies for training Federal
employees in ways that will also accelerate the development of the
broader commercial marketplace. Additional information and materials
are available at http://www.fed-training.org.
Check out all of the items on that web site.
Your article or comments
DEAR FISSEA MEMBERS:
Your help is needed. A pilot project to promote sharing of computer
security training resources throughout the Government is being conducted.
As part of this effort a prototype web site is being constructed that will
maintain a repository of such materials, allowing Federal users easy access.
With the web site, you will be able to provide comments on your experience
with specific training materials, obtain training materials, and obtain
other individuals' comments on their experience with those materials.
The initial objective is to populate the training materials repository
with public domain materials currently available in electronic form, or
where the owner of those materials agrees to supply copies upon request.
Your help is needed in identifying such materials.
Any materials you contribute are greatly appreciated. Please complete
the materials transmittal form and send it, along with a copy of the materials,
If you know of anyone (in either the public or private sector) who
has materials and might be willing to provide us with copies, please send
contact information to the above address.
National Institute of Standards and Technology
U.S. Department of Commerce
NIST North, Mail Stop 427
820 West Diamond Avenue
Gaithersburg, MD 20899
It is appreciated if you would send any materials and information at
your earliest convenience. Thank you for your help. If you
have any questions, please don't hesitate to call me on (301) 975-3669,
or send e-mail to: email@example.com.
TRAINING AND AWARENESS MATERIALS TRANSMITTAL FORM
e-mail address: _____________________________
U.S. mail address: __________________________
Material being contributed: ____________________
Format: (e.g., word processing, image, hard copy, executable, video)
Comments about material : ___________________
Are you willing to be the distribution point for these materials?
Yes _____ No _____
If so, at no-cost __________ or per cost __________
e-mail address: ____________________________
U.S. mail address: _________________________
DID YOU KNOW ABOUT THE....FEDERAL GOVERNMENT DISTANCE LEARNING
WHILE THERE, VISIT THE GOVERNMENT ALLIANCE FOR TRAINING AND
EDUCATION .... GATE... AT:
Goals: Promote sharing of Distance Learning resources
across agencies; establish a Federal Center for Excellence in Distance
Learning; identify and establish gateways for interconnectivity; establish
and maintain data bases for uplinks, studios, receive sites, courses, and
other video teletraining services; identify requirements for new and emerging
Distance Learning technologies; promote professional association through
the United States Distance Learning Association/Federal Government Distance
Membership: Open to all Government/Department
of Defense Agencies--No contractors are allowed to attend these meetings.
History: Established March 1995. Concerned
with duplication of hardware and courseware across Agencies.
Current Actions: Establishing data bases; creating
WWW pages; seeking funding for government-wide teletraining course; and
developing and staffing charter.
RECOMMENDED READING: NEW SECURITY BOOK
NEW BOOK: At Large - The Strange Case of the World's Biggest Internet
Invasion by David H. Freedman and Charles C. Mann, Touchstone, 1998,
Paperback, $13.00, ISBN: 0-684-83558-4
At Large - The Strange Case of the World's Biggest Internet Invasion
is the true story of how an obsessive asthmatic teenage hacker with lots
of time on his hands broke into many high profile Web sites using widely
known security holes, persistence, and hacker toolkits. Besides being
a great read, this book shows, in dramatic fashion, the need for better
security on today's Internet. The Net is growing faster than the availability
of experienced system administrators, so the security problem is actually
getting worse. Well-documented security holes (sendmail, etc.) are not
being patched routinely, and users are using easy-to-crack, one-word passwords
and giving them up through social engineering (hackers tricking users into
giving up their passwords, usually over the phone). There are automated
tools that allow inexperienced hackers to find and exploit holes, become
root and install Trojans, and wreak havoc on unprotected Web sites.
It's been said that if someone wants to get into your system, there's nothing
you can do. The idea is to make it more difficult to get in, and use monitoring
tools like Tripwire to catch the offenders and SATAN to test for weak points
remotely. While the press writes mainly about hackers breaking in
from the outside, most security breaches happen from the inside, by a disgruntled
employee. Recent surveys show that 33-73% of companies reported security
breaches from insiders and 17-48% from outsiders, with losses in about
30% of these cases, some over $1 million each. This book will put
a jolt in most sysops, and reads like a good novel to boot.
ASSOCIATION FOR COMPUTING MACHINERY SEMINARS
Washington, D.C., Chapter Association for Computing Machinery Fall
1998 Professional Development Seminars, November 9-13, 1998
The Professional Development Committee of the Washington, D.C., Chapter
of the Association for Computing Machinery (ACM) presents technical and
management seminars for computer professionals and managers. This Fall,
the Committee will offer 12 one-day Professional Development Seminars the
week of November 9 - 13, 1998, on topics of current interest. The
seminars will be held at the Inn and Conference Center, University of Maryland
University College, College Park, Maryland, at the intersection of University
Boulevard (MD 193) and Adelphi Road. The seminars run from 9:00 a.m. (registration
at 8:30 a.m.) until 5:00 p.m..
Additional information about the seminars is available via e-mail to
via the Worldwide Web at http://www.acm.org/chapters/dcacm/
or via anonymous FTP to acm.org. The files are in the directory chapter_forums/chapter_articles/prochap.
The information is available in both ASCII and Postscript format.
The early registration deadline is October, so there is still time to
register at a substantial discount.
The following is the current speaker status.
Web Site Management - Speaker - Houser
Y2K - Speaker - Bohner
XML - Speaker - Webber
Preparing Graphics for the Web - Speaker - O'Connell
Internet Architecture - Speaker - Sandhu
Server Side Programming (ASP) - Speaker - Coup
Internet Security Threats: Identification and Reduction - Speaker
Cascading Style Sheets - Speaker - O'Connell
Secure Electronic Commerce - Speaker - Sandhu
NT Security - Speaker - Rustein
Java Script - Speaker - Houser
Advanced Java - Speaker - Carson
Call for Papers and Presentation Planning Form
FISSEA Information Security Conference
March 9-11, 1999, Gaithersburg, MD
Self-nominations accepted. Topic
suggestions and speaker recommendations also desired.
1. Session Title. _________________________________________________________________
2. Attach a Session Description.
(Not to exceed 75 words.)
3. Technical Level. Describe the
technical level of your presentation. Use 1 for a non-technical presentation,
and 5 for highly technical topics. Technical level: __________
4. Speaker(s). If there are multiple
speakers for this session, please list the primary point of contact first.
Name, as to be shown in the program.
Mailing address. ___________________________________________________________
Preferred e-mail address. ___________________________________________________
Office Phone. _______________________________
5. Duration of session in minutes. The
standard session length is 50 minutes including time for questions and
answers. __________ minutes
Office Fax. _________________________________
6. Maximum number of attendees for this
session. If no limit, leave blank. _______________
7. Hands-on for attendees? (yes or no)
8. Presentation needs. The presentation
area will be equipped with a microphone, podium, and projection screen.
There will also be a microcomputer set up for projection. This PC
will be running Windows95 and PowerPoint97. Please provide (in detail)
any additional audiovisual equipment, hardware, software (including version),
or connectivity required below.
9. List any equipment you will be
bringing, special cabling, electrical requirements, etc.
10. Is there anything else we should know
that will help ensure the success of your presentation?