|"I touch the future, I teach." Christa McAuliffe||Issue Three of FISSEA Year 2000-2001|
From the Executive Board Chair
TIPS ON TRAINING EXECUTIVES
In my experience as an Information Security Program Manager, one of the challenges is to give awareness briefings to executives. When executives are given the right information they generally will provide that information to their staff. Here are some awareness tips that I feel have worked for my organization.
First, get executives to understand that they should MANAGE RISKS. Structure your presentation so that you discuss safeguards versus risks. Discuss the statutory requirements for information security in enough detail that they understand the mandates by Congress, OMB, NIST, Agency policies, and other rulings. Discuss the senior executive's role and responsibility for managing risks by identifying risks, safeguards, liability, vulnerabilities and policy. Give them some basic information on training roles, or audience categories, levels of learning (awareness, training and education), training areas (security awareness, security basics and literacy, roles and responsibilities related to IT systems, and education and experience).If your Agency has customized training tools, this is a good time to demonstrate the tool(s) or point them to a web site, etc.
In general terms discuss system security plans by including an explanation of 1) Identifying systems, 2) Determining sensitivity categories (confidentiality, integrity and availability) that apply to the information and what level of protection may be needed (high-level 3, medium-level 2, or low-level 1).
Briefly identify mandatory controls such as general, (security officer, personnel screening, training) technical, (access controls [e.g. passwords], audit trails), and operational (backups, contingency plans, virus controls, etc.)
Other issues that are excellent to discuss include requirements of general support systems, major applications, software piracy, and computer virus protection.
Have a safe and happy holiday season! Hope to see you at the FISSEA Conference next year (March 13-15, 2001)
Pauline Bowen, FDA
CISSP, Common Body of Knowledge
everyone a safe and happy holiday.
Each year the FISSEA recognizes an individual who has made significant contributions in education and training programs for information systems security.
Nominees need not be members of FISSEA, but do need to be nominated by a member. Nominees may be involved in any aspect of information security education or training, including, but not limited to, instructors, security program managers, and practitioners who further education and training programs for information systems security in the federal community. Nominees will be judged by an ad hoc committee appointed by the Chair.
Forward your nominations by Valentine's Day, February 14, 2001. "Educators need love, too." See the FISSEA website for sample nomination letters and a listing of past recipients. Send submissions to:
National Institute of Standards and Technology (NIST)
100 Bureau Dr STOP 8930
Gaithersburg, MD. 20899-8930
Recent statistics and cases demonstrate the critical need for cyber ethics education among young people and their adult role models (parents and teachers). The 1999 Roper Reports and Current Population Survey (CPS) states the "71% of households with kids 8-17 now have computers and 67% of those households connect to the Internet [translating to] 48% of U.S. households with kids 8-17 have online connections. However, a recent Scholastic, Inc. poll of "47,235 elementary and middle school students revealed that 48% do not consider hacking a crime" (April 2000). This statistic together with the July 7, 2000 Cyber Atlas quote that "virus and computer hackers will cost businesses around the world more than $1.5 trillion in the year 2000 (according to a study by Information Week Research fielded by PricewaterhouseCoopers)" only magnifies the immediate need for educating young people and adults about ethical use of technology.
In answer to this call, approximately one hundred twenty-five individuals from academia, industry, and government assembled for the first National Conference on Cyber Ethics: Teaching Responsible Use of Technology Friday, October 6 through Sunday, October 8th organized and hosted at Marymount University in Arlington, VA in cooperation with the Cybercitizen Partnership, a joint venture of the Information Technology Association of America (ITAA) and the United States Department of Justice. The attendees came from as far as the United Kingdom, Philippines, California, Oregon, Minnesota, Florida and Vermont, and as close as the Washington, D.C., metropolitan area to discuss ethical issues related to the cyber realm and to commit to follow-on work in cyber ethics curriculum development. Michael Vatis, Director of the National Infrastructure Protection Center, located at the FBI, opened the conference Friday evening and provided the context for discussing the various facets of cyber ethics by citing many examples of recent computer crimes committed by teenagers.
Throughout the weekend, the Conference attendees listened to presentations by nationally recognized experts in government, education, and industry and participated in discussions about cyber ethics concerns and cyber ethics curriculum development. The seven general sessions and the four breakout sessions throughout the conference provided background in cyber issues from the perspectives of national and industry security experts - John Tritak, Jeffrey Hunker, Michael Daniels (Network Solutions/SAIC), John McClurg (Lucent), and others. In addition, presentations by classroom teachers, university professors, psychologists, and other individuals from industry offered a variety of current perspectives on the issue.
During the Sunday afternoon final session, the four track facilitators (for the kindergarten-5, middle/high school, higher education, and parent/community awareness tracks) presented their breakout session summaries and the 3-, 6-, and 12-month follow-on plan goals for their working groups. The four facilitators and a committed, enthusiastic working group for each track will be guided by their goals to develop core materials consisting of a comprehensive K-12 curriculum, higher education instructional materials, and parent/community awareness educational materials.
The most efficient means for teaching good cybercitizenship will be through the development of this comprehensive cyber-ethics curriculum K-16 infused throughout the content areas, and through parent and community cyber ethics awareness educational materials. This "core" program will be distributed throughout the country as a template for educational institutions and community groups (Parent-Teacher Associations, Girl Scouts, Boy Scouts, Kiwanis, and others). The K-16 curriculum will be developed as a spiral - each year building upon the next. For example, Kindergarten students will learn about being good cybercitizens in class discussions about "what it means to be a good member of the community"; high school students will explore the topic of cybercitizenship in discussions about an individual's responsibility within a global society. This "core" program will not be exhaustive. Instead, it will be an easy-to-use guide that can be adjusted to meet local needs. Although portions of the follow-on work will be released during the immediate months, the final curriculum and educational materials are to be unveiled at the 2001 Cyber Ethics Conference in October 2001. Conference proceedings and tapes will be made available within the next 45-60 days.
For complete information about this program and cyber ethics, please go to http://www.marymount.edu and click on National Conference on Cyber Ethics or contact Dr.Cherie Geide (703)526-6829 email@example.com . Additional information about the Cybercitizen Partnership can be found at http://www.cybercitizenship.org, http://www.itaa.org, http://cybercitizenpartners.org, and http://www.cybercirme.gov .
Marie Stella from FAA reported there are some interesting training guidelines at the following site for the Canadian Communications Security Establishment: http://www.cse.dnd.ca/cse/english/manu2.html
11-13DEC2000 - Defending Cyberspace 2000, Washington, DC, Renaissance Hotel. Sponsors: the General Services Administration, the Federal CIO Council, and the Smart Card Industry Association (SCIA). This year's theme: "Strategic Planning and Partnerships for Trusted e-Business". Website: http://www.ctst.com/events/dcs2000/attendee.htm
23-25JAN2001 is WEST 2001 at the SanDiego Convention Center - sponsored by AFCEA & US Naval Institute - entitled "Winning the Wars of the 21st Century" - for a free Exhibit Hall Pass or more info, check out www.west2001.org
7FEB2001 - Pitching Information Technology Security to Federal Executives, NIST. This course will describe the five key parts to selling security to management: selling basics, requirements, customer, resources, and timing. http://www.nist.gov/public_affairs/confpage/conffutr.htm To register contact firstname.lastname@example.org.
25FEB-1MAR2001 - MIS Training Institute InfoSec World 2001 in Orlando. Numerous other conferences and seminars may be found at http://www.misti.com/ .
5-6MAR2001 - Symposium on Requirements Engineering for Information Security, CERIAS, Purdue University. Contact Annie or Spaf: email@example.com
13-15MAR2001-the FISSEA 2001 Annual Conference. This year's theme is "From Y2K To T E A (Training, Education, Awareness) with FISSEA" and it will be held at the Gaithersburg Hilton Hotel in Gaithersburg, MD.
22-24MAY2001 - 5th Annual National Colloquium for Information Systems Security Education, George Mason University, Fairfax, VA. Forum to define current and emerging requirements for information security education. http://www.ncisse.org/conference2001
18-19JUL2001 - Second International Common Criteria Conference, Brighton, England. Hosted by the Communications-Electronics Security Group (CESG) at the Metropole Hotel and Conference Centre. firstname.lastname@example.org More information will be available through the NIAP website niap.nist.gov.
29-31OCT2001 - 24th National Information Systems Security Conference, Baltimore, MD. Call for Papers submission due date 2FEB2001. http://csrc.nist.gov/nissc/call.htm For additional information, send an email to NissConference@dockmaster2.ncsc.mil or call 301-975-2775.
LEWIS BASKERVILLE, Conference Director
Conference Flyer Contents:
Gaithersburg Hilton Hotel
In response to budget restraints and cutbacks, we have LOWERED the price of this year's conference to $160.
Visit our web site: http://csrc.nist.gov/organizations/fissea.html
Registration contact: email@example.com
Back to FISSEA Homepage Back to Newsletter Index Back to CSRC Homepage
Please send comments or suggestions to
Last Modified: March 5, 2002.