September 1998 Vol. I No. III
From the Executive Board Chair
As members of this association, we all have a special interest in awareness, training, and education in the information protection (computer security) field. Sometimes we struggle with understanding what the differences in these three words mean. Looking in Webster's, we find the following definitions:
I subscribe to the following definitions as these terms relate to functions performed by FISSEA members in the computer security discipline:
These definitions may seem restrictive, but they fit in very nicely when applied to our purposes as information systems security educators, and, they also help in understanding the training and awareness requirements found in the Computer Security Act of 1987 and the new NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), March 1998.
So, what's the point here? The point is, quite often the words in the Computer Security Act are misinterpreted. In fact, often you will hear the term "awareness training" used as if there is only one objective for the mandated training. Let's examine the words from the Computer Security Act, as follows:
SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING. (a) In General.--Each Federal agency shall provide for the mandatory periodic training in computer security awareness and (emphasis added) accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency.
(b) TRAINING OBJECTIVES--Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed--
While neither the Computer Security Act nor the NIST Special Publication 800-16 addresses the education aspects of the computer security discipline, I encourage all involved in this vital information management function to set higher goals and pursue the formal training and instruction in the computer security discipline required for professional purposes. Become an authority in your field, and lead by example.
We all still have a big and apparently never-ending job ahead of us. I see our primary objective to be Awareness because that's where the real pay-off will be. We need to continue our efforts in the visual arena -- that's the quickest way to get the information protection message to the masses. But, we also need to develop new, interesting, and impressive ways to deliver the awareness messages, and the messages have to be revised continually. Can you think of anyone who isn't aware of the Budweiser frogs? Wouldn't it be great to hear people talking about the "computer security frogs", and anxiously awaiting the next "computer security frog advertisement"? Through awareness, we will be able to reach the general user community and introduce them to our training "products."
Let us hear from those who have an awareness program underway. Tell us what you are doing. Let us share your success stories with the rest of the world. We also welcome questions, and we'll see that answers are provided expeditiously.
til next time, keep on pluggin' away...success comes to those who try just one more time!
Philip L. Sibert, CISSP
"Siber' Space" Snippits
By Philip L. Sibert
Here we go again....if only we could catch time and hold it for a while! It was summer, hot, hot! summer, last time I wrote to you, and now I'm seeing leaves beginning to fill up my rain gutters. Next thing you know, it will be snowing and time for our annual FISSEA Conference. Which brings to mind several things for your consideration: (1 ) Plan NOW to attend the conference in Gaithersburg, Maryland, March 9 - 11, 1999. Keep checking our web site: http://csrc.ncsl.nist.gov/organizations/fissea/highlight.html. And, (2) Put your thinking caps on and think about a nomination for FISSEA Educator of the Year award. Information about the award is available on our web site at: http://csrc.ncsl.nist.gov/organizations/fissea/educator.html
Thanks!! We received a lot of cards from our last newsletter mailing so our FISSEA membership roster has been reconstituted with (hopefully) valid information. Additional members are always welcome. Membership is open to information systems security professionals, trainers, educators, and managers who are responsible for information systems security training programs in federal agencies. Contractors of these agencies and faculty members of accredited educational institutions are also welcome. There are NO membership fees; all that is required is a willingness to share your products, information, and experiences. Learn more about FISSEA at our web site at: http://csrc.ncsl.nist.gov/organizations/fissea/aboutFis.html.
Are you attending the NISS Conference? Your feedback from the National Information Systems Security Conference, as it may relate to things you either learned, or would like to know more about in the areas of computer security awareness and information protection training, will be appreciated. It may help us target specific topics that need to be presented at our FISSEA conference, or it may point us to outstanding speakers/presenters and topics that should be included in our conference agenda. Please let us hear from you. Contact information can be found on the FISSEA web page at: http://csrc.ncsl.nist.gov/organizations/fissea.html
The Call for Papers for the FISSEA conference (although we would like to have had an over abundance of submissions by July 31) is still open. A copy of the call is posted to our web site at: http://csrc.ncsl.nist.gov/organizations/fissea/callpaper.pdf. Call Ann Brown for more information.
Have you recently read a book on information protection, information technology, information security, training, etc., which may be of interest to others? If so, why not write up a review for the next issue of the newsletter. It will be greatly appreciated by all!
How's your training??? Been to any conferences, seminars, or training recently??? Our audience would really appreciate your views and comments on the content and quality of the training you received, and we would like to know how well the presenters/instructors did. Thanks for your input.
Do you have an interesting awareness item, concept, program you'd like to share? What's working for you? Let us know, and we'll tell the world about it!
November One-day Professional Development Seminars Being Offered by the Association for Computing Machinery (ACM)
By Ann Brown
The Washington, D.C. Chapter of the Association for Computing Machinery, in cooperation with theWashington Section IEEE, announces the Fall 1998 series of Professional Development Seminars.
The seminars are organized by the Professional Development Committee of the Washington D.C. Chapter of the Association for Computing Machinery (ACM) to present technical and management topics of interest to computer professionals and managers.
This Fall, the Committee will offer 10 one-day Professional Development Seminars the week of November 9 - 13, 1998 on topics of current interest. Two of the seminars will also be offered on Saturday, November 14, 1998.
The seminars will be held at the Inn and Conference Center, University of Maryland University College, College Park, Maryland, at the intersection of University Boulevard (MD 193) and Adelphi Road. The seminars run from 9:00 a.m. (registration at 8:30 a.m.) until 5:00 p.m.
If payment is by purchase order, the cost is $275. If payment is by cash, check, or credit card, the cost is $220 by Oct. 26 and $260 after Oct. 26. A reduced rate ($95 before Oct. 26 and $135 after Oct. 26) is available for full-time students and senior citizens (age 60 or over). There is an additional $50 fee that applies to seminars conducted in the computer laboratory.
The registration fee includes lunch, refreshments at the morning and afternoon breaks, continental breakfast during registration, and text materials for the seminar. The registration fee also includes parking at the Center, but does not include the lab fee for courses held in the computer lab. Kosher and vegetarian meals are available if requested. The early registration deadline is October 26, so there is still time to register at a substantial discount.
The date, topic, and speaker of each seminar follow:
Monday, November 9, 1998 (also offered Saturday, November 14, 1998)
Tuesday, November 10, 1998 (also offered Saturday, November 14, 1998)
Wednesday, November 11, 1998
Thursday, November 12, 1998
Friday, November 13, 1998
Submitted by-- Ann L. Brown, Indian Health Service ISSO
Ann is a member of the FISSEA Executive Board and Conference Director for the 1999 FISSEA Conference.
Book Review and Commentary
By Pat Ciuffreda
Mind Matters by James P. Hogan
One of the things that caused a great deal of discussion in a class I recently taught (Computers and Society) was the 1996 match between world chess champion Gary Kasparov and IBM's chess-playing computer, Deep Blue. That such machines exist, along with some other sophisticated models designed for similar mental challenges, was surprising to many students. The familiar desktop is taken for granted, but the thinking machine that beat Mr Kasparov is not.
Nor are many people aware of the field of cybernetics, that it is a growing and respectable pursuit, one that has been engaged in pioneering research and experiments since the 1940's.
Just a little over a year ago the world watched in fascination, courtesy of NASA and satellite television, the wonders performed by a relatively small robot, the Mars Rover. At its destination it took computer images of fantastic quality and speedily transported them to NASA and the rest of us. In addition, on instruction, the Rover scooped up and provided almost instantaneous analyses of rocks and soil.
While we spend most of our time with laptops, desktops, networks, and the Internet, other developments have been underway that are making machines, through creative and sophisticated programming languages, capable of high-speed performance not dreamt of 20 years ago. These advancements are intriguing for what they portend; they are no longer just computing machines, they are thinking machines, artificial intelligence (AI). For those of us in computer security, and even more so in training and education, it seems appropriate to examine this extension of the computer and prepare for its implications -- social, political, and economic.
There are many good books currently available on this curious and emerging topic. However, let me recommend a recent book that covers the historical development of AI, the concepts related to the mind (by way of Aristotle and Descartes), the mathematical and logical developments associated with thinking and mechanical minds, the beginnings of cybernetics, game trees, and much more, up to the challenging world of today. The book is Mind Matters and it was written by James P. Hogan, a British author who spends part of his time in Ireland and the other part in Florida, USA. Mr. Hogan is an engineer who specializes in electronics and digital systems, and he is also a well known science fiction (SF) author whose novels are classified as "hard SF," a term used to describe fiction based on proven and acceptable scientific information, but extrapolated into the future for a believable and challenging read.
You will first encounter some scenarios that Mr. Hogan provides to acclimate you to possibilities that a decade or so ago would have only been believable in SF -- as an example, self-replicating robots that incorporate design improvements in newer models without human direction or guidance. I can imagine that Charles Darwin would pause and wonder if this were not some kind of "mechanical evolution."
For those of us who remember Stanley Kubrick's much acclaimed film, "2001: A Space Odyssey," we also know there can be a dangerous side to thinking machines. How relieved we all were when astronaut Dave Bowman (Keir Dullea) dismantled the on-board computer, the infamous "HAL."
In addition to his scenarios and covering the historical development of AI, Mr. Hogan examines research that is taking place today and is "pushing the envelope:" three dimensional model building, understanding natural languages, and neural networks. And what gives integrity to Mr. Hogan's work is his willingness to discuss the critics of AI who philosophically do not believe we can or should delve into AI, as well as those scientists and mathematicians who believe there are limits to what we can logically pursue or accomplish. While very adequately presenting their criticisms, Mr. Hogan does not rate or condemn any of them. The reader can either make up his or her mind or explore further on his/her own. The author is presenting facts with intriguing possibilities, but he is not predicting any future takeover by thinking machines or robots. They will, he feels, be simply considered for a task well suited to their capabilities.
A very gifted and qualified author, a tour of man's interaction with the machine, and arguments that philosophically challenge us as we contemplate the implications -- this is good stuff! If scientific breakthroughs bring us to that exhilarating yet foreboding achievement of AI, the one that not only creates machines able to challenge us on equal footing, but also out thinks us, faster and more accurately, what will be the results? And, how are we to consider "them?" If some day you are having a conversation with a relative of Deep Blue and you forget for a moment that IT is not a person, if IT can tell when you are not yourself or remind you of an appointment or a birthday you have forgotten, without prompting calls a cab for you when you are running late, discusses opera... Think "soul and ethics" and you are beginning to see the deeper implications.
[Mind Matters by James P. Hogan - Del Rey / Ballentine Books, NY - copyright 1997 - first edition printed March, 1998 - in hardcover $25.]
Pat Ciuffreda is a FISSEA Executive Board member and is a professor of political science at Strayer University. Pat recently retired from many years in the computer security field in the Federal service.
Train-the-Trainer: A Two-Sided-Coin
By Gale Warshawsky
Education has always been important to me. Studying, learning, expanding my knowledge, as well as sharing my talents with others, has played a large part in my life. As Information Security Practitioners, it is critical that we continue to pursue educational activities to keep ourselves current in an ever- expanding and changing technological world.
SIDE ONE OF THE COIN: OUR OWN CONTINUING EDUCATION
We can accomplish our own continuing education in many ways:
As Information Security Practitioners, we can work toward earning a professional certification or advanced degree. We can study at a university and earn a Master of Science degree in Information Systems, Computer Science, Telecommunications, or other related fields. We can pursue certification designations. ISACA offers the Certified Information Systems Auditor (CISA) certification and the International Information Systems Security Certification Consortium, Inc. (ISC )2 offers the Certified Information Systems Security Professional (CISSP) certification.
SIDE TWO OF THE COIN: SHARING OUR EXPERTISE WITH OUR COLLEAGUES AND IN OUR COMMUNITIES
One of my favorite ways to share my areas of expertise is to attend conferences and conduct seminars on something I've developed as part of my job. For example, during the summer of 1998, I presented a session at the MIS Training Institutes' WebSec 98 Conference. In my session I shared how at Visa International we use the Worldwide Web as part of our continuing Awareness, Education, and Training Program. Another thing that I enjoy doing is volunteering my time in the evenings to go to a university professor's course and talk about Information Security to his students. I was a student of this professor myself, when I earned my MS in Information Systems from Golden Gate University. After I graduated, I wanted to share Information Security concerns and Information Security Awareness with other students who were studying for their degrees in a variety of Information Technology related courses.
There are many places that we can share our expertise: conferences, university courses (as guest lecturers), Back to School Nights, local events that are held for children or for adults (science fairs, career fairs, etc.), PTA meetings, local library lecture series, participating in Computer Security Day activities (information below in the resources section of this paper), visiting a Senior Citizens Center, etc. The opportunities are there for us--we just have to volunteer our time. We are most welcome voluntary guest speakers!
In addition to feeling good about sharing our knowledge, and training others in such outreach efforts as listed above, we can also benefit from such activities ourselves. When one earns the CISA or CISSP designations, we are required to earn Continuing Professional Education (CPE) units to retain the designation. Attending conferences, local chapter meetings, writing papers, conducting an awareness session, all count toward earning the CPEs. Therefore, everyone benefits -- those within our community as well as the Information Security Practitioner who shares his/her expertise.
I am very fond of saying, "If I can make people aware, then I get to educate and train them." This is critical, in my opinion, when it comes to making people aware of Information Security. We live in the Information Age and it has changed the way we communicate and conduct business. Therefore, it is important for us to participate in Train-the-Trainer activities, on both sides of the coin.
Gale S. Warshawsky is a Senior Information Security Analyst for Visa International. She is responsible for designing, developing, implementing, and managing the Information Security Awareness, Education, and Training Program for approximately 5,000 Visa personnel. Ms. Warshawsky was the 1995 FISSEA Educator of the Year, and ISSA's 1994 Individual Achievement Award winner. She may be reached by E-mail at firstname.lastname@example.org
The following list of resources is not all-inclusive; being on the list does not constitute endorsement by Visa International.
Practice What You Preach
By Louis Numkin
FISSEA Editor's Disaster Report
One of my Agency responsibilities is to coordinate (survey, create, test, etc.) our Info Systems' Disaster Recovery Program. I am also the one who provides annual Computer Security Awareness briefings for our employees. Well, these two activities converged for a bit over an hour recently and I lived to tell you all about it...
A request to provide an Awareness briefing for some of our out-of-state Regional employees via televideo conference was received about two months prior to the date of the session. The location here at Headquarters where I would face the camera was sent to me a while later. Demonstrating that I like to prepare ahead of time, I notified the Region of what I would need in the way of time and equipment since (#1) I assumed they were coordinating with our HQ technicians. Two days before the briefing, I received a reminder from the Region, stating the date, time and location where I was to report, and offering that if I had any handouts for the group I could FAX them in for duplication and distribution. After declining the assist, I restated that my hour-and-a-half presentation needs a feed to carry my PowerPoint slides and ability for me to play some videotape vignettes during the session. ["Grasshopper," If you only knew then what you know now...]
So now it gets interesting. A day before the show, the Region informs me that (#2) they have no control on the equipment at HQ and for me to find someone here to answer my concerns. With many other things on my plate (including an all-morning meeting) I was out chasing leads as to whom could assist me. To no avail, the day went on until near closing when I was informed by the Region that even though my talk was 1 ½ hours long, I would only have (#3) one-hour in their tight schedule to do my briefing. Postpone the evening's hair appointment and start reworking the presentation to be 1/3 less but just as satisfying (something like Lite Beer)!
The presentation morning arrives to find me scurrying around trying to locate someone with answers. I am to begin at 10:45 a.m... it is now 7:30 a.m. Call backs are coming in, but the general response is "I dunno," which is not helping. Buttonholing some folks, I finally locate and get to speak to the person who is supposed to be responsible for the equipment... who informs me at 8:00 a.m. that (#4) the location has changed, there is no ability to direct feed my laptop's slides, the document camera will be unavailable (meaning I can't make hard copies of my slides and manually flip them under the lens), and she couldn't remember if the room had a VCR as part of the hookup. Since others are on camera before me, I am unable to even enter the room (#5) without interrupting them.
I decide to accept the Regional secretary's offer at 8:30 a.m. and fax my slides to her for duplication so the audience can have them to refer to in absence of the automated PowerPoint presentation. By 9:00 a.m., we have tried several different fax machines, but she is still only getting mostly black images. Sneaking into the room, I quietly find that it is devoid of anything useful to ease my quandary. Locating a technician, I propose (and he agrees) to use a Field Expedient (in the military, I learned about "Field Expedients"--when you employ something that is not meant to be used for a particular function, but that will suffice in a pinch). Now, I head for our Supply Room to get an easel and glue stick. This way the camera will be able to zoom-in on the easel where I can paste hard copy slides for viewing by the audience. Experience has shown that color hard-copy slides do not transmit well and black and white prints of color slides tend to come out dark. Ah, but if making one copy of the dark B&W slide on a duplicating machine lightens the background, (#6) then making a copy of the copy should lighten it more, and so on... until, voila, we have more readable text. 10 :00 a.m. arrives and I'm still asking "But, what about the videotape?"
At 10:30, the prior speaker is supposed to complete his remarks and give the audience a 15-minute break. This should afford me time to set-up and test my link. At 10:45, (#7) he is just about to close. A technician has met me at the room and we give the group a break so we can prepare. I muse how if the camera can focus on the easel, why can't we focus it on the screen of my laptop? Hmmm... It works! And, the tech finds that there is a VCR in the cabinet and we cue my tape. The Region says it can see the video image just fine... Hooray! Camera pre-sets are established for my talking-head, the laptop screen, and the easel as a back-up, and I am quickly shown how to start and stop the videos. Whew... it's 11:00 a.m. as I begin to speak (#8) and the technician departs.
Cometh the time to begin the first video vignette -- I press the right buttons -- the tape begins to play... but, after a moment, the audience reports that they can't hear anything -- where is the voice track? Looking around, (#9) there is no phone in the room so I ask the audience to continue to watch the silent movie while I find a techie. Locating a phone outside the room, he'll be up soon. Back in the room, the vignette is ending, so I begin explaining what they saw and its teaching points. To make a long story short, for the rest of my hour the techies were in and out of the room trying to get an audio feed from the VCR to the Region without success. Being quite familiar with the scenarios, I vocalized what the actors were saying while they performed in the succeeding vignettes.
The speaker who was to follow me entered the room at 11:30 and stomped out at 11:45 (#10) when I didn't relinquish the dais. Even with all the problems, my allowed one-hour presentation which had begun 15-minutes late at 11:00 a.m., ended at noon. After wrapping up the technically deficient session, I received a round of "sympathy" applause from the Region. Thanking them for their patience and attentiveness, I headed off in search of another adventure while still having some hair left on my head. (Though the greatly reduced quantity of follicles saved me from rescheduling the appointment with my barber.)
"What have you learned, Grasshopper?"
Louis "Rich/Mel" Numkin, FISSEA News and Views
FISSEA Work Group Established
By Fran Nielsen
The FISSEA Executive Board, at their August 20 meeting, established a FISSEA work group to advise and assist NIST in their leadership of the Government Information Technology Services (GITS) Board sponsored Information Technology Security Training Pilot project. The Board unanimously approved the establishment of the work group, named Fran Nielsen as its chair, and approved the group's formulation meeting to be held later in the day.
At their initial meeting, the work group heard a brief history of the pilot by Pat Ciuffreda, Strayer University, who was instrumental in obtaining the resources for the project. According to Pat, in October 1996, an interagency group collaborated on "what could be done to assure that personnel responsible for managing and administering electronic information systems in the Federal government [were] appropriately and adequately trained." Ultimately, a proposal was developed for seed money from the Innovation Fund sponsored by the GITS Board to support an online IT security training Internet presence. The proposal was approved on February 21, 1997, in the amount of $560,000. In May 1998, the project was transferred to NIST for pilot implementation.
The pilot project promotes sharing of computer security resources. The pilot project is to essentially establish a repository of IT security training materials (e.g., videos, posters, slides/vu-graphs, courseware, computer-based training modules) to be identified and made available on- line. NIST's recently published Special Publication 800- 16, " Information Technology Security Training Requirements: A Role- and Performance-Based Model" will be used to match material in the repository with requirements. Training materials will be annotated with the appropriate SP 800-16 identifiers/cell numbers.
The work group is considering working on the collection of training content and asking a technical contractor to further develop the web site (see: http://csrc.nist.gov/gits for the proof-of-concept site). The work group has an ambitious agenda and is off to a great start.
To volunteer for the work group, to contribute training materials, or for further information, contact:
Fran Nielsen, 301/975-3669, e-mail: email@example.com
Fran Nielsen works in the Computer Security Division of the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST). She is a member of the FISSEA Executive Board.
Dates to Mark on Your Calendars
October 5-9, 1998
National Information Systems Security Conference Crystal City Hyatt Regency
November 5, 1998
Federal CSPM Forum Meeting NIST Main Campus
December 11, 1998
Deadline for submitting Papers for Presentations at 1998 FISSEA Conference
January 12, 1999
Articles for FISSEA News and Views submitted to Lou Numkin, Editor
February 19, 1999
Deadline for submitting Nominations to FISSEA for Educator of the Year
March 9-11, 1999
FISSEA Annual Conference Gaithersburg Hilton Hotel
Back to FISSEA Homepage Back to Newsletter Index Back to CSRC Homepage
Please send comments or suggestions to
Last Modified: July 25, 2001.