News and Views
Issue Three of FISSEA Year 2002-2003
From the Executive Board Chair
Already as I reflect back on things I have observed and heard my peers talk about since GISRA, I believe that many security program enhancements across the federal sector have resulted from GISRA. Few, if any, agencies were collecting the kinds of data requested about their security awareness and training programs before GISRA. Now many agencies have revised or are in the process of revising their security awareness and training programs to comply with GISRA and the training mandate in the Computer Security Act. Regardless of the reason for all the attention on training programs presently, an effective security awareness and training program is a critical factor in measuring the success of any entity's overall information systems security program.
I am hoping that those of you who are planning to come to our 16th Annual FISSEA conference from March 4th - 6th, 2003 will share some of your training successes with the rest of us as we continue to overcome challenges in this area. I believe we have a common goal, which is to ensure that our training program is effective and complies with a host of governing requirements.
Please don't forget to check out our FISSEA website regularly and the CSRC site to stay abreast of great training ideas, new initiatives and excellent training opportunities at reasonable costs. Please visit the following websites often: http://csrc.nist.gov/fissea/ and http://csrc.nist.gov/.
Finally, soon I will be actively soliciting nominations for the Educator of the Year. This is an excellent time to begin thinking about someone who deserves this kind of special recognition. Look on the FISSEA website for all the information you need to participate in this important opportunity to give an award to one of our own who is making significant contributions. If you are not nominating someone, but are interested in serving on the panel that will evaluate all the nominations and recommend the best candidate for the award, please contact Peggy Himes at NIST immediately and let her know.
I hope to greet you in person at our 16th
Letter From the Editor: CSA Day 2002
By Louis M. Numkin, NRC
The ACM encourages organizations to provide awareness activities on or around 30 November of each year. This program has grown from small beginnings to an international observance over many years. Information and ideas for planning these events are provided by ACM by addressing inquiries to:
NRC Headquarters hosted its observance between the hours of 10am and 2pm on Thursday, 21NOV2002. We usually have a costumed character or visitor(s) to carry our annual theme, which this year was "football." A very good local high school's football team was invited to the event to add color as well as expose the youngsters to technology and computer security. This was a no-cost mutually-beneficial opportunity, since we have no funds with which to bring in professional team representatives. Other than this, our give-away item included a picture of NRC's computer security mascot (CyberTyger) dressed in a football uniform and included slogans like: "Kick" SPAM into the Trash, "Block" viruses by keeping definitions updated, Don't "Pass" your Password around, and Hoax messages should take a "Hike."
In the past we have had special guest speakers, but this year we hosted a group of fifteen vendors. NRC does not select these firms, as they are coordinated by the Federal Business Council (the same organization which provides FISSEA's conference exhibitors). One nice thing this provides is that employees can ask questions of the source organizations and/or simply share information. Also, the vendors provide useful/clever free gift items, as NO sales activity is permitted. NRC Computer Security Staff is precluded from providing food as an incentive for participation, but the FBC and its vendors are not so limited. Therefore, this added some extra flavor, especially during the lunch hour!
This year we also included desktop computers where employees and contractors could demo our new on-line Computer Security Awareness courses. Attendees could then pick up computer security literature, anti-virus CDs for home use, and view our new awareness videotape and poster displays, as well as a 3x4' reprint of a news article reporting that NRC ranked third out of 24 Federal Agencies on the recent Computer Security Report Card... of which we are quite proud.
Close to half of our Headquarters population attended the activity - this was an increase over prior years. Overall, we kicked the awareness football through the goalposts and scored a winning 2002 CSA Day.
COMMITMENT - What's in it for YOU?
By Phil Sibert, DOE
MEMBERS OF THE FISSEA BOARD OF DIRECTORS are expected to have a commitment to the organization and its constituency.
Generally there are two types of members in any organization - the "joiners" and the "doers". There's nothing wrong with being a joiner, because organizations usually exist to provide some benefit to the joiners, and in many cases the financial support of the joiners in the form of dues, pledges, or donations is necessary to keep the organization alive (but not in the case of FISSEA). And then there is usually a small core of doers who take on the tasks associated with running the organization and seeing that the joiners are provided with the benefits the organization promises. Doers are usually those who are strongly bound to the vision and mission of the organization, and who believe in what the organization stands for and what the organization does, or should be doing, for its members.
What's a commitment? According to the dictionary, it's the state of being bound emotionally or intellectually to a course of action or to another person or persons. In essence, it's nothing more than "a pledge to do". This is what is expected of those who make it to the Executive Board, or others who take on particular tasks such as the Conference Director and the Newsletter Editor, to meet the objectives of the FISSEA mission.
FISSEA has evolved to the point where we have very good liaison with, and fine administrative and technical support from NIST, but the organization cannot function without the commitment of the Executive Board and other committee members. That's why it is necessary for those who are interested in becoming Board or committee members to be sure you have approval from your management to make the commitment to help FISSEA. It's not that great a commitment, but you should figure on a minimum of a half a day each month for the Board meeting at NIST, and then probably another 8 to 10 hours each month taking care of FISSEA business from your office. And then, of course you're expected to attend and/or participate in the annual 3-day conference each March. The Conference Director, and some of the committee members, will probably spend a similar amount of time throughout the year planning for and coordinating the conference.
What's in it for you?
What's NOT in it for you?
So, here's the challenge to all FISSEA members: make a commitment to FISSEA!
This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security Awareness, Training, and Education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at firstname.lastname@example.org
Phil Sibert thought the following URL is of interest: www3.norwich.edu/msia. Information Assurance: An Online Master of Science Degree.
Received this info from a usually reliable source: With the Homeland Security passed by the Senate yesterday, GISRA is now reauthorized as soon as the President signs the bill. E-Gov, which also contained reauthorization of GISRA, also is about to be signed by the President. OMB says that E-GOV is the preferred version, so the President will sign the Homeland Security first, and then sign E-Gov, making it the operable text for information technology. I don't have any text yet, but at any rate, GISRA is reauthorized, probably as FISMA. See CSRC's Policies page for further information: http://csrc.nist.gov/policies/
8-10JAN03 Government Convention on Emerging Technologies "Defending America Together: The New Era", Las Vegas, NV. The purpose of the convention is to provide a forum for Intelligence, Law Enforcement, Federal, State and Local government representatives, including first responders, to interact and discuss each other's requirements and concerns regarding Homeland Security. Visit www.federalevents.com or call NCSI at 888-603-8899. Contact Marcy Pratt, (301) 596-0770 x218, email@example.com
28-29JAN03 Constellation Energy Group is pleased to present the first annual Baltimore SecureWorld scheduled for January 28th & 29th at the Baltimore Convention Center. SecureWorld is a unique Regional event that for the first time in the Mid-Atlantic brings together leading security professionals from both Physical and Digital security in Business, Government and Law Enforcement. FISSEA members are offered a $50 discount off the $95 conference fee. Register on-line with discount code - EXH247 EIN #68-050-2919. Contact Chris Kokich, 503-274-0971 or firstname.lastname@example.org for more information. http://www.secureworldexpo.com/baltimore.php
Today as integration of physical and digital security converges there emerges an equally important interdependency between private security efforts, government agencies and law enforcement. SecureWorld provides a forum for security professionals, technology leaders, government and law enforcement to gather under one roof for educational tracks, keynotes, roundtables, panel discussions, etc. in an effort to build a knowledge base and relationships that serve to further secure our communities.
4-6MAR03 FISSEA Annual Conference, "Securing Your Cyber Frontier Through Awareness, Training, and Education". See your website, http://csrc.nist.gov/fissea, for the most up-to-date information and to register. SPACE is limited. Contact: Peggy Himes (301) 975-2489, email@example.com. New location - more convenient to Metro.
Security awareness and training are significant components of any successful security program. All agency and contract personnel must understand their responsibilities for protecting agency assets. Come to FISSEA's Conference and discover new, efficient ways to improve your security program.
You will gain:
William Knowles of C4i disseminates the ISN InfoSecNews and provided the following:
SECURITY CONFERENCES IN 2003
Are you planning to attend any security conferences in 2003? Many are already scheduled, and now is the time to put them on your calendar. This week, I present six conferences that you might want to consider attending. They're listed below in chronological order.
24-27FEB03 BlackHat Windows Security 2003 Briefings and Training, at the Sheraton Seattle Hotel & Towers in Seattle. The briefings will cover six tracks over 2 days. Subjects include policies, deep knowledge, networking and integration, and application development, as well as Microsoft .NET, Microsoft IIS, Microsoft SQL Server, and Microsoft Internet Security and Acceleration (ISA) Server 2000. Training sessions include exposing Cisco Systems network vulnerabilities, analyzing software for security vulnerabilities, uncovering Web application vulnerabilities, using forensics tools and processes for Windows XP platforms, and securely deploying Microsoft technologies, as well as a National Security Agency (NSA) information security assessment methodology course. http://www.blackhat.com/html/win-usa-03/win-usa-03-index.html. http://www.blackhat.com/html/win-usa-03/train-bh-win-03-index.html
5-12MAR03 SANS 2003 at the Sheraton San Diego Hotel and Marina in San Diego. The SysAdmin, Audit, Network, Security (SANS) Institute's Stephen Northcutt describes the conference as "our largest conference and vendor exhibition of the year." According to Northcutt, "The defensive information community enters 2003 with a wealth of great initiatives: the Gold Standards, the Cyber Defense Initiatives, more hands-on pragmatic advanced technical training and the wide array of new tools." At SANS 2003, many special activities will emphasize ways to fight back against cyber crime and how to use these initiatives to help you secure your organization. http://www.sans.org/SANS2003
13-17APR03 RSA Conference 2003 at Moscone Center in San Francisco. The RSA conference has four main components: General Sessions, Expo, Tutorials, and Class Tracks. "The General Sessions bring everyone together for special keynote addresses, expert panels and discussions of general interest. This year's Expo will feature more than 138,000 square feet of exhibit space with more than 200 vendors demonstrating the very latest e-security products. Optional Sunday tutorials and immersion training sessions will provide the basics of e-security technology, enterprise security and security development techniques." The conference's 13 Class Tracks will feature many workshops, seminars, and talks. The 2003 conference offers a catalog of more than 200 classes. http://www.rsaconference.net/rsa2003 and http://www.rsasecurity.com/conference
27-30APR03 Techno-Security Conference at the Wyndham Myrtle Beach Resort in Myrtle Beach, South Carolina. The conference features a "blend of physical and cyber security forums ... the latest in computer forensics and related legal issues affecting federal, state and local law enforcement, as well as the Fortune 500 [companies]." Guidance Software hosts the conference. According to Robert Shields, senior director of marketing at Guidance Software, "Combining both physical and cyber security issues - Techno-Security addresses a common linkage surrounding the use of computer forensics software. With numerous sessions covering issues such as homeland defense, intrusion detection, and evidence management," the conference will serve many computer security experts and investigators. http://www.thetrainingco.com/html/Techno2003.html and http://www.thetrainingco.com/html/Conferences.html
22-27JUNE03 15th Annual Computer Security Incident Handling Conference at the Westin Hotel in Ottawa. First.Org sponsors the FIRST Conference, which "focuses on the field of computer security incident handling and response. The presentations are international in scope and include the latest in incident response and prevention, vulnerability analysis, and computer security." http://www.first.org/conference/2003
23-25JUNE03 NetSec 2003 at the Hyatt Regency New Orleans in New Orleans. Computer Security Institute's (CSI's) NetSec network security conference is "devoted exclusively to network security." NetSec 2003 will offer more than 85 sessions about subjects such as Internet/intranet, secure ecommerce, VPNs, computer crime, Denial of Service (DoS) attacks, forensic investigation, response teams, cryptography/public key infrastructure (PKI), intrusion detection, Windows NT, privacy, policies, awareness, and remote access. The exhibition will feature more than 70 network security product exhibitors. http://www.gocsi.com
FISSEA OPERATIONAL PLAN (Outline)
Serve as a professional forum for the exchange of information and improvement of information systems security training and education programs throughout the federal government.
Provide for the professional development of its members.
Last Modified: January 10, 2003.