September 1998 Vol. I No. III

From the Executive Board Chair

As members of this association, we all have a special interest in awareness, training, and education in the information protection (computer security) field. Sometimes we struggle with understanding what the differences in these three words mean. Looking in Webster's, we find the following definitions:

-- noun; AWARE-- adjective: having or showing realization, perception, or knowledge. Several synonyms: COGNIZANT -- implies vigilance in observing or alertness in drawing inferences from what one experiences; AWAKE -- implies that one has become alive to something and is on the alert; AWAKEN is action taken to make someone become alive to something, to put them on the alert.
-- verb: to undergo instruction, discipline, or drill; TRAINING -- noun: the state of being trained; the skill, knowledge, or experience acquired by being trained.
-- noun: the action or process of educating or of being educated; EDUCATE -- verb: to train by formal instruction and supervised practice especially in a skill, trade, or profession; to develop mentally, especially by instruction.

I subscribe to the following definitions as these terms relate to functions performed by FISSEA members in the computer security discipline:

-- those activities undertaken to awaken (see above) your organization's personnel to organizational policy, and to their computer security responsibilities, system security requirements, best business practices, generally accepted system security principles, and the vulnerabilities of the systems they use. The objectives of the awareness activity are to awaken individuals, to make them alert and vigilant, and to entice them to want to know more about computer security (to get a foot in the door for the next step, training). For example, doing something to make people aware that easily guessed passwords, such as proper names, do not provide acceptable protection.
-- instruction tailored to the role(s) individuals play in an organization; the objective is to adopt a new mode of behavior or to achieve a change in existing behavior. For example, having everyone understand why, know how to construct, and begin to use robust passwords.
-- the formal training and instruction in the computer security discipline required for professional purposes; the objective is to achieve a high level of knowledge and skills enabling one to become an authority in the discipline. For example, instruction, training, and hands-on experience necessary to prepare one to obtain a graduate degree in Information Systems Security, or to become a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), etc.

These definitions may seem restrictive, but they fit in very nicely when applied to our purposes as information systems security educators, and, they also help in understanding the training and awareness requirements found in the Computer Security Act of 1987 and the new NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), March 1998.

So, what's the point here? The point is, quite often the words in the Computer Security Act are misinterpreted. In fact, often you will hear the term "awareness training" used as if there is only one objective for the mandated training. Let's examine the words from the Computer Security Act, as follows:

SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING. (a) In General.--Each Federal agency shall provide for the mandatory periodic training in computer security awareness and (emphasis added) accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency.

(b) TRAINING OBJECTIVES--Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed--

  1. to enhance employees' awareness of the threats to, and vulnerability of, computer systems; and
  2. to encourage the use of improved computer security practices.

While neither the Computer Security Act nor the NIST Special Publication 800-16 addresses the education aspects of the computer security discipline, I encourage all involved in this vital information management function to set higher goals and pursue the formal training and instruction in the computer security discipline required for professional purposes. Become an authority in your field, and lead by example.

We all still have a big and apparently never-ending job ahead of us. I see our primary objective to be Awareness because that's where the real pay-off will be. We need to continue our efforts in the visual arena -- that's the quickest way to get the information protection message to the masses. But, we also need to develop new, interesting, and impressive ways to deliver the awareness messages, and the messages have to be revised continually. Can you think of anyone who isn't aware of the Budweiser frogs? Wouldn't it be great to hear people talking about the "computer security frogs", and anxiously awaiting the next "computer security frog advertisement"? Through awareness, we will be able to reach the general user community and introduce them to our training "products."

Let us hear from those who have an awareness program underway. Tell us what you are doing. Let us share your success stories with the rest of the world. We also welcome questions, and we'll see that answers are provided expeditiously.

‘til next time, keep on pluggin' away...success comes to those who try just one more time!

Philip L. Sibert, CISSP

horizontal bar

"‘Siber' Space" Snippits

By Philip L. Sibert

Here we go again....if only we could catch time and hold it for a while! It was summer, hot, hot! summer, last time I wrote to you, and now I'm seeing leaves beginning to fill up my rain gutters. Next thing you know, it will be snowing and time for our annual FISSEA Conference. Which brings to mind several things for your consideration: (1 ) Plan NOW to attend the conference in Gaithersburg, Maryland, March 9 - 11, 1999. Keep checking our web site: And, (2) Put your thinking caps on and think about a nomination for FISSEA Educator of the Year award. Information about the award is available on our web site at:

Thanks!! We received a lot of cards from our last newsletter mailing so our FISSEA membership roster has been reconstituted with (hopefully) valid information. Additional members are always welcome. Membership is open to information systems security professionals, trainers, educators, and managers who are responsible for information systems security training programs in federal agencies. Contractors of these agencies and faculty members of accredited educational institutions are also welcome. There are NO membership fees; all that is required is a willingness to share your products, information, and experiences. Learn more about FISSEA at our web site at:

==================== ====================

Are you attending the NISS Conference? Your feedback from the National Information Systems Security Conference, as it may relate to things you either learned, or would like to know more about in the areas of computer security awareness and information protection training, will be appreciated. It may help us target specific topics that need to be presented at our FISSEA conference, or it may point us to outstanding speakers/presenters and topics that should be included in our conference agenda. Please let us hear from you. Contact information can be found on the FISSEA web page at:

==================== ====================

The Call for Papers for the FISSEA conference (although we would like to have had an over abundance of submissions by July 31) is still open. A copy of the call is posted to our web site at: Call Ann Brown for more information.

==================== ====================

Have you recently read a book on information protection, information technology, information security, training, etc., which may be of interest to others? If so, why not write up a review for the next issue of the newsletter. It will be greatly appreciated by all!

==================== ====================

How's your training??? Been to any conferences, seminars, or training recently??? Our audience would really appreciate your views and comments on the content and quality of the training you received, and we would like to know how well the presenters/instructors did. Thanks for your input.

==================== ====================

Do you have an interesting awareness item, concept, program you'd like to share? What's working for you? Let us know, and we'll tell the world about it!

horizontal bar

November One-day Professional Development Seminars Being Offered by the Association for Computing Machinery (ACM)

By Ann Brown

The Washington, D.C. Chapter of the Association for Computing Machinery, in cooperation with theWashington Section IEEE, announces the Fall 1998 series of Professional Development Seminars.

The seminars are organized by the Professional Development Committee of the Washington D.C. Chapter of the Association for Computing Machinery (ACM) to present technical and management topics of interest to computer professionals and managers.

This Fall, the Committee will offer 10 one-day Professional Development Seminars the week of November 9 - 13, 1998 on topics of current interest. Two of the seminars will also be offered on Saturday, November 14, 1998.

The seminars will be held at the Inn and Conference Center, University of Maryland University College, College Park, Maryland, at the intersection of University Boulevard (MD 193) and Adelphi Road. The seminars run from 9:00 a.m. (registration at 8:30 a.m.) until 5:00 p.m.

If payment is by purchase order, the cost is $275. If payment is by cash, check, or credit card, the cost is $220 by Oct. 26 and $260 after Oct. 26. A reduced rate ($95 before Oct. 26 and $135 after Oct. 26) is available for full-time students and senior citizens (age 60 or over). There is an additional $50 fee that applies to seminars conducted in the computer laboratory.

The registration fee includes lunch, refreshments at the morning and afternoon breaks, continental breakfast during registration, and text materials for the seminar. The registration fee also includes parking at the Center, but does not include the lab fee for courses held in the computer lab. Kosher and vegetarian meals are available if requested. The early registration deadline is October 26, so there is still time to register at a substantial discount.

Additional information about the seminars is available via e-mail to, via the Worldwide Web (by late-September) at, or by telephone to (301) 320-8644.

The date, topic, and speaker of each seminar follow:

Monday, November 9, 1998 (also offered Saturday, November 14, 1998)

  • Topic: Preparing Graphics for the Web
    Speaker: Cynthia O'Connell
    Class Format: Lecture (but held in the computer lab to demonstrate concepts and techniques)

  • Topic: Managing Year 2000 Risks
    Speaker: Dr. Shawn A. Bohner
    Class Format: Lecture

Tuesday, November 10, 1998 (also offered Saturday, November 14, 1998)

  • Topic: Java, What's Going On Now?
    Speaker: Dr. John H. Carson
    Class Format: Lecture

  • Topic: Javascript Programming and Interactive Web Pages
    Speaker: Walter Houser
    Class Format: Hands-on Laboratory

Wednesday, November 11, 1998

  • Topic: Internet Architecture and Protocols
    Speaker: Dr. Ravi S. Sandhu
    Class Format: Lecture

  • Topic: Cascading Style Sheets
    Speaker: Cynthia O'Connell
    Class Format: Hands-on Laboratory

Thursday, November 12, 1998

  • Topic: Secure Electronic Commerce
    Speaker: Dr. Ravi S. Sandhu
    Class Format: Lecture

  • Topic: Developing Web Applications using Visual Studio 6.0
    Speaker: Andrew Coupe
    Class Format: Lecture

Friday, November 13, 1998

  • Topic: XML/EDI Perspectives
    Speaker: David Webber
    Class Format: Lecture

  • Topic: Managing the Enterprise Web Site
    Speaker: Walter Houser
    Class Format: Lecture

Submitted by-- Ann L. Brown, Indian Health Service ISSO
301-443-1064 x 102 FAX 301-443-7279

Ann is a member of the FISSEA Executive Board and Conference Director for the 1999 FISSEA Conference.

horizontal bar

Book Review and Commentary

By Pat Ciuffreda

Mind Matters by James P. Hogan

One of the things that caused a great deal of discussion in a class I recently taught (Computers and Society) was the 1996 match between world chess champion Gary Kasparov and IBM's chess-playing computer, Deep Blue. That such machines exist, along with some other sophisticated models designed for similar mental challenges, was surprising to many students. The familiar desktop is taken for granted, but the thinking machine that beat Mr Kasparov is not.

Nor are many people aware of the field of cybernetics, that it is a growing and respectable pursuit, one that has been engaged in pioneering research and experiments since the 1940's.

Just a little over a year ago the world watched in fascination, courtesy of NASA and satellite television, the wonders performed by a relatively small robot, the Mars Rover. At its destination it took computer images of fantastic quality and speedily transported them to NASA and the rest of us. In addition, on instruction, the Rover scooped up and provided almost instantaneous analyses of rocks and soil.

While we spend most of our time with laptops, desktops, networks, and the Internet, other developments have been underway that are making machines, through creative and sophisticated programming languages, capable of high-speed performance not dreamt of 20 years ago. These advancements are intriguing for what they portend; they are no longer just computing machines, they are thinking machines, artificial intelligence (AI). For those of us in computer security, and even more so in training and education, it seems appropriate to examine this extension of the computer and prepare for its implications -- social, political, and economic.

There are many good books currently available on this curious and emerging topic. However, let me recommend a recent book that covers the historical development of AI, the concepts related to the mind (by way of Aristotle and Descartes), the mathematical and logical developments associated with thinking and mechanical minds, the beginnings of cybernetics, game trees, and much more, up to the challenging world of today. The book is Mind Matters and it was written by James P. Hogan, a British author who spends part of his time in Ireland and the other part in Florida, USA. Mr. Hogan is an engineer who specializes in electronics and digital systems, and he is also a well known science fiction (SF) author whose novels are classified as "hard SF," a term used to describe fiction based on proven and acceptable scientific information, but extrapolated into the future for a believable and challenging read.

You will first encounter some scenarios that Mr. Hogan provides to acclimate you to possibilities that a decade or so ago would have only been believable in SF -- as an example, self-replicating robots that incorporate design improvements in newer models without human direction or guidance. I can imagine that Charles Darwin would pause and wonder if this were not some kind of "mechanical evolution."

For those of us who remember Stanley Kubrick's much acclaimed film, "2001: A Space Odyssey," we also know there can be a dangerous side to thinking machines. How relieved we all were when astronaut Dave Bowman (Keir Dullea) dismantled the on-board computer, the infamous "HAL."

In addition to his scenarios and covering the historical development of AI, Mr. Hogan examines research that is taking place today and is "pushing the envelope:" three dimensional model building, understanding natural languages, and neural networks. And what gives integrity to Mr. Hogan's work is his willingness to discuss the critics of AI who philosophically do not believe we can or should delve into AI, as well as those scientists and mathematicians who believe there are limits to what we can logically pursue or accomplish. While very adequately presenting their criticisms, Mr. Hogan does not rate or condemn any of them. The reader can either make up his or her mind or explore further on his/her own. The author is presenting facts with intriguing possibilities, but he is not predicting any future takeover by thinking machines or robots. They will, he feels, be simply considered for a task well suited to their capabilities.

A very gifted and qualified author, a tour of man's interaction with the machine, and arguments that philosophically challenge us as we contemplate the implications -- this is good stuff! If scientific breakthroughs bring us to that exhilarating yet foreboding achievement of AI, the one that not only creates machines able to challenge us on equal footing, but also out thinks us, faster and more accurately, what will be the results? And, how are we to consider "them?" If some day you are having a conversation with a relative of Deep Blue and you forget for a moment that IT is not a person, if IT can tell when you are not yourself or remind you of an appointment or a birthday you have forgotten, without prompting calls a cab for you when you are running late, discusses opera... Think "soul and ethics" and you are beginning to see the deeper implications.

[Mind Matters by James P. Hogan - Del Rey / Ballentine Books, NY - copyright 1997 - first edition printed March, 1998 - in hardcover $25.]

Pat Ciuffreda is a FISSEA Executive Board member and is a professor of political science at Strayer University. Pat recently retired from many years in the computer security field in the Federal service.

horizontal bar

Train-the-Trainer: A Two-Sided-Coin

By Gale Warshawsky

Education has always been important to me. Studying, learning, expanding my knowledge, as well as sharing my talents with others, has played a large part in my life. As Information Security Practitioners, it is critical that we continue to pursue educational activities to keep ourselves current in an ever- expanding and changing technological world.


We can accomplish our own continuing education in many ways:

  • Attend courses and/or conferences offered through Information Security organizations, for example -- Computer Security Institute, MIS Training Institute, and at local universities;
  • Attend local meetings of Information Security organizations, such as Information Systems Security Association or Information Systems Audit and Control Association (ISACA);
  • Read Information Security publications, such as newsletters, journals, and books.

As Information Security Practitioners, we can work toward earning a professional certification or advanced degree. We can study at a university and earn a Master of Science degree in Information Systems, Computer Science, Telecommunications, or other related fields. We can pursue certification designations. ISACA offers the Certified Information Systems Auditor (CISA) certification and the International Information Systems Security Certification Consortium, Inc. (ISC )2 offers the Certified Information Systems Security Professional (CISSP) certification.


One of my favorite ways to share my areas of expertise is to attend conferences and conduct seminars on something I've developed as part of my job. For example, during the summer of 1998, I presented a session at the MIS Training Institutes' WebSec 98 Conference. In my session I shared how at Visa International we use the Worldwide Web as part of our continuing Awareness, Education, and Training Program. Another thing that I enjoy doing is volunteering my time in the evenings to go to a university professor's course and talk about Information Security to his students. I was a student of this professor myself, when I earned my MS in Information Systems from Golden Gate University. After I graduated, I wanted to share Information Security concerns and Information Security Awareness with other students who were studying for their degrees in a variety of Information Technology related courses.

There are many places that we can share our expertise: conferences, university courses (as guest lecturers), Back to School Nights, local events that are held for children or for adults (science fairs, career fairs, etc.), PTA meetings, local library lecture series, participating in Computer Security Day activities (information below in the resources section of this paper), visiting a Senior Citizens Center, etc. The opportunities are there for us--we just have to volunteer our time. We are most welcome voluntary guest speakers!

In addition to feeling good about sharing our knowledge, and training others in such outreach efforts as listed above, we can also benefit from such activities ourselves. When one earns the CISA or CISSP designations, we are required to earn Continuing Professional Education (CPE) units to retain the designation. Attending conferences, local chapter meetings, writing papers, conducting an awareness session, all count toward earning the CPEs. Therefore, everyone benefits -- those within our community as well as the Information Security Practitioner who shares his/her expertise.

I am very fond of saying, "If I can make people aware, then I get to educate and train them." This is critical, in my opinion, when it comes to making people aware of Information Security. We live in the Information Age and it has changed the way we communicate and conduct business. Therefore, it is important for us to participate in Train-the-Trainer activities, on both sides of the coin.

Gale S. Warshawsky is a Senior Information Security Analyst for Visa International. She is responsible for designing, developing, implementing, and managing the Information Security Awareness, Education, and Training Program for approximately 5,000 Visa personnel. Ms. Warshawsky was the 1995 FISSEA Educator of the Year, and ISSA's 1994 Individual Achievement Award winner. She may be reached by E-mail at

The following list of resources is not all-inclusive; being on the list does not constitute endorsement by Visa International.

  • Computer Security Institute (CSI)
    600 Harrison Street San Francisco, CA 94107
    Phone: 415 905-2626 FAX: 415 905-2218
    E-mail: Web site:
  • International Computer Security Association (ICSA)
    1200 Walnut Bottom Road, Suite 3 Carlisle, PA 17103
    Phone 717 258-1816 FAX 717 243-8642
    E-mail: Web site:
  • International Information Systems Security Certification Consortium, Inc. (ISC)2 (TM)
    Web site: offers the Certified Information Systems Security Professional (CISSP) certification (
    Suite 105
    415 Boston Turnpike
    Shrewsbury, MA 01545-3469
  • MIS Training Institute
    498 Concord Street
    Framingham, MA 01702-2357
    Phone 508 879-7999 FAX 508 872-1153

horizontal bar

Practice What You Preach

By Louis Numkin

FISSEA Editor's Disaster Report
(Numbers in parentheses in this article refer to points in the conclusion.)

One of my Agency responsibilities is to coordinate (survey, create, test, etc.) our Info Systems' Disaster Recovery Program. I am also the one who provides annual Computer Security Awareness briefings for our employees. Well, these two activities converged for a bit over an hour recently and I lived to tell you all about it...

A request to provide an Awareness briefing for some of our out-of-state Regional employees via televideo conference was received about two months prior to the date of the session. The location here at Headquarters where I would face the camera was sent to me a while later. Demonstrating that I like to prepare ahead of time, I notified the Region of what I would need in the way of time and equipment since (#1) I assumed they were coordinating with our HQ technicians. Two days before the briefing, I received a reminder from the Region, stating the date, time and location where I was to report, and offering that if I had any handouts for the group I could FAX them in for duplication and distribution. After declining the assist, I restated that my hour-and-a-half presentation needs a feed to carry my PowerPoint slides and ability for me to play some videotape vignettes during the session. ["Grasshopper," If you only knew then what you know now...]

So now it gets interesting. A day before the show, the Region informs me that (#2) they have no control on the equipment at HQ and for me to find someone here to answer my concerns. With many other things on my plate (including an all-morning meeting) I was out chasing leads as to whom could assist me. To no avail, the day went on until near closing when I was informed by the Region that even though my talk was 1 ½ hours long, I would only have (#3) one-hour in their tight schedule to do my briefing. Postpone the evening's hair appointment and start reworking the presentation to be 1/3 less but just as satisfying (something like Lite Beer)!

The presentation morning arrives to find me scurrying around trying to locate someone with answers. I am to begin at 10:45 a.m... it is now 7:30 a.m. Call backs are coming in, but the general response is "I dunno," which is not helping. Buttonholing some folks, I finally locate and get to speak to the person who is supposed to be responsible for the equipment... who informs me at 8:00 a.m. that (#4) the location has changed, there is no ability to direct feed my laptop's slides, the document camera will be unavailable (meaning I can't make hard copies of my slides and manually flip them under the lens), and she couldn't remember if the room had a VCR as part of the hookup. Since others are on camera before me, I am unable to even enter the room (#5) without interrupting them.

I decide to accept the Regional secretary's offer at 8:30 a.m. and fax my slides to her for duplication so the audience can have them to refer to in absence of the automated PowerPoint presentation. By 9:00 a.m., we have tried several different fax machines, but she is still only getting mostly black images. Sneaking into the room, I quietly find that it is devoid of anything useful to ease my quandary. Locating a technician, I propose (and he agrees) to use a Field Expedient (in the military, I learned about "Field Expedients"--when you employ something that is not meant to be used for a particular function, but that will suffice in a pinch). Now, I head for our Supply Room to get an easel and glue stick. This way the camera will be able to zoom-in on the easel where I can paste hard copy slides for viewing by the audience. Experience has shown that color hard-copy slides do not transmit well and black and white prints of color slides tend to come out dark. Ah, but if making one copy of the dark B&W slide on a duplicating machine lightens the background, (#6) then making a copy of the copy should lighten it more, and so on... until, voila, we have more readable text. 10 :00 a.m. arrives and I'm still asking "But, what about the videotape?"

At 10:30, the prior speaker is supposed to complete his remarks and give the audience a 15-minute break. This should afford me time to set-up and test my link. At 10:45, (#7) he is just about to close. A technician has met me at the room and we give the group a break so we can prepare. I muse how if the camera can focus on the easel, why can't we focus it on the screen of my laptop? Hmmm... It works! And, the tech finds that there is a VCR in the cabinet and we cue my tape. The Region says it can see the video image just fine... Hooray! Camera pre-sets are established for my talking-head, the laptop screen, and the easel as a back-up, and I am quickly shown how to start and stop the videos. Whew... it's 11:00 a.m. as I begin to speak (#8) and the technician departs.

Cometh the time to begin the first video vignette -- I press the right buttons -- the tape begins to play... but, after a moment, the audience reports that they can't hear anything -- where is the voice track? Looking around, (#9) there is no phone in the room so I ask the audience to continue to watch the silent movie while I find a techie. Locating a phone outside the room, he'll be up soon. Back in the room, the vignette is ending, so I begin explaining what they saw and its teaching points. To make a long story short, for the rest of my hour the techies were in and out of the room trying to get an audio feed from the VCR to the Region without success. Being quite familiar with the scenarios, I vocalized what the actors were saying while they performed in the succeeding vignettes.

The speaker who was to follow me entered the room at 11:30 and stomped out at 11:45 (#10) when I didn't relinquish the dais. Even with all the problems, my allowed one-hour presentation which had begun 15-minutes late at 11:00 a.m., ended at noon. After wrapping up the technically deficient session, I received a round of "sympathy" applause from the Region. Thanking them for their patience and attentiveness, I headed off in search of another adventure while still having some hair left on my head. (Though the greatly reduced quantity of follicles saved me from rescheduling the appointment with my barber.)

"What have you learned, Grasshopper?"

  • #1 Assume Nothing! (If you don't recall the old "assume" adage, let me know and I'll fill you in.) Don't trust distant employees to assist you locally. When I apprized the Region of my needs, I expected them to ensure that my set-up was satisfactory. Since I knew my needs and the location were within my complex, I should immediately have sought out the technicians who could make certain it was properly prepared.
  • #2 Who You Gonna Call? Not knowing who to contact locally didn't help me to assure that preparation was on-going.
  • #3 Be fLeXIbLe. If presentations are prepared as a series of segments, this type of time change problem can be easily resolved by simply removing one or two parts.
  • #4 Who You Gonna Call (part II)? As for support staff, if you can't get the answers from the one who is supposed to know, start climbing the hierarchy mountain until you find someone who can help.
  • #5 Be prepared. Always check your equipment configuration and operation before you need it. And, remember that just because it works locally does not guarantee it will work remotely without a verification test before it is needed, and, have your alternative(s) ready. If one method fails, have a different delivery medium as backup; e.g., produce acetate slides to back up PowerPoint presentations (remember your Contingency Plan).
  • #6 Field Expedients. Be creative... but make it seem like you planned things to be the way they come out. Don't let your audience down by not trying something to make a successful block of training better.
  • #7 Timing rarely works like clockwork. No matter how well you plan, unless you are the only presenter and have complete control of the clock, time won't stand still when "stuff happens." And as my friend K. Rudolph says, "going first has obvious advantages."
  • #8 Handcuffs and leg irons. If you are unable to check ALL your equipment in advance of a presentation, remember to bring manacles with you to keep the technician nearby until you are sure everything works as needed.
  • #9 Should your organization frown on people being shackled, make sure you have a phone or pager to contact the technician when things don't work.
  • #10 As a trainer, you should always remember that Murphy is your unseen partner, and things WILL go wrong. Showing impatient discourtesy or a lack of professionalism doesn't help your disposition nor endear you to those around you. Be happily surprised when the preceding speaker ends on time and recognize that if he/she does not, he/she may not be the problem, only the manifestation.

Post Script:
My contact in the Regional office sent me an E-Mail afterward that read, in part: "Louis, It wasn't that bad. The group got over it pretty quickly. However, they did ask that in the future if you do the dub over for the videos that you try to vary your voices a little (just kidding). They thought your commentary was humorous." Shucks, I wonder if Rich Little and Mel Blank were ever referred to as Disaster Recovery Tools?

Louis "Rich/Mel" Numkin, FISSEA News and Views
Editor, and member of the Executive Board. LMN@NRC.GOV

horizontal bar

FISSEA Work Group Established

By Fran Nielsen

The FISSEA Executive Board, at their August 20 meeting, established a FISSEA work group to advise and assist NIST in their leadership of the Government Information Technology Services (GITS) Board sponsored Information Technology Security Training Pilot project. The Board unanimously approved the establishment of the work group, named Fran Nielsen as its chair, and approved the group's formulation meeting to be held later in the day.

At their initial meeting, the work group heard a brief history of the pilot by Pat Ciuffreda, Strayer University, who was instrumental in obtaining the resources for the project. According to Pat, in October 1996, an interagency group collaborated on "what could be done to assure that personnel responsible for managing and administering electronic information systems in the Federal government [were] appropriately and adequately trained." Ultimately, a proposal was developed for seed money from the Innovation Fund sponsored by the GITS Board to support an online IT security training Internet presence. The proposal was approved on February 21, 1997, in the amount of $560,000. In May 1998, the project was transferred to NIST for pilot implementation.

The pilot project promotes sharing of computer security resources. The pilot project is to essentially establish a repository of IT security training materials (e.g., videos, posters, slides/vu-graphs, courseware, computer-based training modules) to be identified and made available on- line. NIST's recently published Special Publication 800- 16, " Information Technology Security Training Requirements: A Role- and Performance-Based Model" will be used to match material in the repository with requirements. Training materials will be annotated with the appropriate SP 800-16 identifiers/cell numbers.

The work group is considering working on the collection of training content and asking a technical contractor to further develop the web site (see: for the proof-of-concept site). The work group has an ambitious agenda and is off to a great start.

To volunteer for the work group, to contribute training materials, or for further information, contact:

Fran Nielsen, 301/975-3669, e-mail:

Fran Nielsen works in the Computer Security Division of the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST). She is a member of the FISSEA Executive Board.

horizontal bar

Dates to Mark on Your Calendars

October 5-9, 1998

National Information Systems Security Conference Crystal City Hyatt Regency

November 5, 1998

Federal CSPM Forum Meeting NIST Main Campus

December 11, 1998

Deadline for submitting Papers for Presentations at 1998 FISSEA Conference

January 12, 1999

Articles for FISSEA News and Views submitted to Lou Numkin, Editor

February 19, 1999

Deadline for submitting Nominations to FISSEA for Educator of the Year

March 9-11, 1999

FISSEA Annual Conference Gaithersburg Hilton Hotel

horizontal bar

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to
Last Modified: July 25, 2001.