FISSEA Logo News and Views
December 2002
Issue Three of FISSEA Year 2002-2003



From the Executive Board Chair

I can imagine that many of you who work in the federal sector were probably involved, in varying degrees, with preparing your agency's Government Information Security Reform Act (GISRA) yearly report. You may even feel, as some do, that you have not yet begun to see an adequate return on investment for the time and efforts that some security personnel had to expend on assisting in the preparation of the GISRA report.

Already as I reflect back on things I have observed and heard my peers talk about since GISRA, I believe that many security program enhancements across the federal sector have resulted from GISRA. Few, if any, agencies were collecting the kinds of data requested about their security awareness and training programs before GISRA. Now many agencies have revised or are in the process of revising their security awareness and training programs to comply with GISRA and the training mandate in the Computer Security Act. Regardless of the reason for all the attention on training programs presently, an effective security awareness and training program is a critical factor in measuring the success of in any entity's overall information systems security program.

I am hoping that those of you who are planning to come to our 16th Annual FISSEA conference from March 4th - 6th, 2003 will share some of your training successes with the rest of us as we continue to overcome challenges in this area. I believe we have a common goal, which is to ensure that our training program is effective and complies with a host of governing requirements.

Please don't forget to check out our FISSEA website regularly and the CSRC site to stay abreast of great training ideas, new initiatives and excellent training opportunities at reasonable costs. Please visit the following websites often and

Finally, soon I will be actively soliciting nominations for the Educator of the Year. This is an excellent time to begin thinking about someone who deserves this kind of special recognition. Look on the FISSEA website for all the information you need to participate in this important opportunity to give an award to one of our own who is making significant contributions. If you are not nominating someone, but are interested in serving on the panel that will evaluate all the nominations and recommend the best candidate for the award, please contact Peggy Himes at NIST immediately and let her know.

I hope to greet you in person at our 16th Annual Conference.
Barbara Cuffie, CISSP

* Term ends March 2003
** Term ends March 2004

*Barbara Cuffie CISSP, Executive Board Chair
*Lewis Baskerville,
*George Bieber,
*Patti Black, Assistant Chair,
*Louis Numkin, Newsletter Editor,
**LTC Daniel Ragsdale,
**Donna Robinson-Staton,
**Philip Sibert,
**Robert Solomon, CISSP,
**Mary Ann Strawn,
*Mark Wilson, CISSP, NIST Liaison,

FISSEA Membership/NIST Liaison (non-voting member):
Peggy Himes,

Go to top of page

horizontal bar

Letter From the Editor: CSA Day 2002

By Louis M. Numkin, NRC

The ACM encourages organizations to provide awareness activities on or around 30 November of each year. This program has grown from small beginnings to an international observance over many years. Information and ideas for planning of these events is provided by ACM by addressing inquiries to:

Association for Computer Security Day
PO Box 39110
Washington, DC 20016 USA

NRC Headquarters hosted its observance between the hours of 10am and 2pm on Thursday, 21NOV2002. We usually have a costumed character or visitor(s) to carry our annual theme, which this year was "football." A very good local high school's football team was invited to the event to add color as well as expose the youngsters to technology and computer security. This was a no-cost mutually-beneficial opportunity, since we have no funds with which to bring in professional team representatives. Other than this, our give-away item included a picture of NRC's computer security mascot (CyberTyger) dressed in a football uniform and included slogans like: "Kick" SPAM into the Trash, "Block" viruses by keeping definitions updated, Don't "Pass" your Password around, and Hoax messages should take a "Hike."

In the past we have had special guest speakers but this year hosted a group of fifteen vendors. NRC does not select these firms as they are coordinated by the Federal Business Council (the same organization which provides FISSEA's conference exhibitors). One nice thing which it provides is employees can ask questions to the source organizations, and/or simply share information. Also, the vendors provide useful/clever free gift items as NO sales activity is permitted. NRC Computer Security Staff is precluded from providing food as an incentive for participation but the FBC and its vendors are not so limited. Therefore, this added some extra flavor, especially during lunch hour!

This year we also included desktop computers where employees and contractors could demo our new on-line Computer Security Awareness courses. Attendees could then pick up computer security literature, anti-virus CDs for home use, and view our new awareness videotape and poster displays, as well as a 3x4' reprint of a news article reporting that NRC ranked third out of 24 Federal Agencies on the recent Computer Security Report Card... of which we are quite proud.

Close to half of our Headquarters population attended the activity - this was an increase over prior years. Overall, we kicked the awareness football through the goalposts and scored a winning 2002 CSA Day.

Go to top of page

horizontal bar

COMMITMENT-What's in it for YOU??

By Phil Sibert, DOE
FISSEA Exec. Board Member

MEMBERS OF THE FISSEA BOARD OF DIRECTORS are expected to have a commitment to the organization and it's constituency.

Generally there are two types of members in any organization - the "joiners", and the "doers". There's nothing wrong with being a joiner because organizations usually exist to provide some benefit to the joiners, and in many cases the financial support of the joiners in the form of dues, pledges, or donations are necessary to keep the organization alive (but not in the case of FISSEA). And then, there is usually a small core of doers who take on the tasks associated with running the organization and seeing that the joiners are provided with the benefits the organization promises. Doers are usually those who are strongly bound to the vision and mission of the organization, and who believe in what the organization stands for and what the organization does, or should be doing, for its members.

What's a commitment? According to the dictionary, it's the state of being bound emotionally or intellectually to a course of action or to another person or persons. In essence, it's nothing more than "a pledge to do". This is what is expected of those who make it to the Executive Board, or others who take on particular tasks such as the Conference Director and the Newsletter Editor, to meet the objectives of the FISSEA mission.

FISSEA has evolved to the point where we have very good liaison with, and fine administrative and technical support from NIST, but the organization cannot function without the commitment of the Executive Board and other committee members. That's why it is necessary for those who are interested in becoming Board or committee members to be sure you have approval from your management to make the commitment to help FISSEA. It's not that great a commitment, but you should figure on a minimum of a half a day each month for the Board meeting at NIST, and then probably another 8 to 10 hours each month taking care of FISSEA business from your office. And then, of course you're expected to attend and/or participate in the annual 3-day conference each March. The Conference Director, and some of the committee members, will probably spend a similar amount of time throughout the year planning for and coordinating the conference.

What's in it for you?

  • Pride in doing something to benefit others; it's that "feel good" sensation.
  • Working with others who strongly believe in "the cause".
  • The opportunity to network with other federal, university, and private enterprise professionals to address issues and solve problems associated with computer security training, education, and awareness.
  • Visibility for you in the Federal arena.
  • A chance to show your boss you have an interest in outside activities that relate to your job, and that you and your organization can benefit from participation.
  • An opportunity to show your organizational skills and leadership potential.
  • A chance to shine as an author! Everyone is encouraged to write for the FISSEA News and Views quarterly newsletter.

What's NOT in it for you?

  • A big pay raise (in fact, no pay raise at all!).
  • Free trips at the expense of the organization (in fact, even the Board and committee members have to pay the registration fee for the conference!).
  • Free lunches (we don't even get free coffee or donuts for Board meetings!)
  • A cushy position where you get the title and glory for someone else's effort.

So, here's the challenge to all FISSEA members: make a commitment to FISSEA!

Go to top of page

horizontal bar


This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security Awareness, Training, and Education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at


Phil Sibert thought the following url is of interest, Information Assurance: An Online Master of Science Degree.

Received this info from a usually realiable source: With the Homeland Security passed by the Senate yesterday, GISRA is now reauthorized as soon as the President signs the bill. E-Gov, which also contained reauthorization of GISRA, also is about to be signed by the President. OMB says that E-GOV is the preferred version, so the President will sign the Homeland Security first, and then sign E-Gov, making it the operable text for information technology. I don't have any text yet, but at any rate, GISRA is reauthorized, probably as FISMA. See CSRC's Policies page for further information:


8-10JAN03 Government Convention on Emerging Technologies "Defending America Together: The New Era", Las Vegas, NV. The purpose of the convention is to provide a forum for Intelligence, Law Enforcement, Federal, State and Local government representatives, including first responders, to interact and discuss each other's requirements and concerns regarding Homeland Security. Visit or call NCSI at 888-603-8899. Contact Marcy Pratt, (301) 596-0770 x218,


28-29JAN03 Constellation Energy Group is pleased to present the first annual Baltimore SecureWorld scheduled for January 28th & 29th at the Baltimore Convention Center. SecureWorld is a unique Regional event that for the first time in the Mid-Atlantic brings together leading security professionals from both Physical and Digital security in Business, Government and Law Enforcement. FISSEA members are offered a $50 discount off the $95 conference fee. Register on-line with discount code - EXH247 EIN #68-050-2919. Contact Chris Kokich, 503-274-0971 or for more information.

Today as integration of physical and digital security converges there emerges an equally important interdependency between private security efforts, government agencies and law enforcement. SecureWorld provides a forum for security professionals, technology leaders, government and law enforcement to gather under one roof for educational tracks, keynotes, roundtables, panel discussions, etc. in an effort to build a knowledge base and relationships that serve to further secure our communities.


4-6MAR03 FISSEA Annual Conference, "Securing Your Cyber Frontier Through Awareness, Training, and Education". See your website,, for the most up-to-date information and to register. SPACE is limited. Contact: Peggy Himes (301) 975-2489, New location - more convenient to Metro.

Security awareness and training are significant components of any successful security program. All agency and contract personnel must understand their responsibilities for protecting agency assets. Come to FISSEA's Conference and discover new, efficient ways to improve your security program.

You will gain:

  • Awareness and training ideas, resources, contacts
  • New techniques for developing/conducting training
  • Professional development
  • Networking opportunities


Go to top of page

horizontal bar

Educator of the Year Award

Don't wait another day to think about who you will nominate to be FISSEA's next Educator of the Year (EOY). This is your opportunity to do all you can to see that someone that you believe is a major contributor to FISSEA's mission and merits our highest level of recognition is honored. It's so easy to procrastinate by telling yourself that you are too busy to do it today, but you will find time to prepare an EOY nomination application tomorrow. Please stop and review the specific instructions for EOY nominations on our FISSEA website NOW! Then, I beg you to take time and nominate our next potential FISSEA Educator of the Year! Who knows, someone may even be nominating you. Thanks for making this a priority. Nominations must be submitted by the January 31, 2003. Check out our website at fissea/educator.html

Go to top of page

horizontal bar

William Knowles, C4i disseminates the ISN InfoSecNews and provided the following:


Are you planning to attend any security conferences in 2003? Many are already scheduled, and now is the time to put them on your calendar. This week, I present six conferences that you might want to consider attending. They're listed below in chronological order.

24-27FEB03 BlackHat Windows Security 2003 Briefings and Training, at the Sheraton Seattle Hotel & Towers in Seattle. The briefings will cover six tracks over 2 days. Subjects include policies, deep knowledge, networking and integration, and application development, as well as Microsoft .NET, Microsoft IIS, Microsoft SQL Server, and Microsoft Internet Security and Acceleration (ISA) Server 2000. Training sessions include exposing Cisco Systems network vulnerabilities, analyzing software for security vulnerabilities, uncovering Web application vulnerabilities, using forensics tools and processes for Windows XP platforms, and securely deploying Microsoft technologies, as well as a National Security Agency (NSA) information security assessment methodology course.

5-12MAR03 SANS 2003 at the Sheraton San Diego Hotel and Marina in San Diego. The SysAdmin, Audit, Network, Security (SANS) Institute's Stephen Northcutt describes the conference as "our largest conference and vendor exhibition of the year." According to Northcutt, "The defensive information community enters 2003 with a wealth of great initiatives: the Gold Standards, the Cyber Defense Initiatives, more hands-on pragmatic advanced technical training and the wide array of new tools." At SANS 2003, many special activities will emphasize ways to fight back against cyber crime and how to use these initiatives to help you secure your organization.

13-17APR03 RSA Conference 2003 at Moscone Center in San Francisco. The RSA conference has four main components: General Sessions, Expo, Tutorials, and Class Tracks. "The General Sessions bring everyone together for special keynote addresses, expert panels and discussions of general interest. This year's Expo will feature more than 138,000 square feet of exhibit space with more than 200 vendors demonstrating the very latest e-security products. Optional Sunday tutorials and immersion training sessions will provide the basics of e-security technology, enterprise security and security development techniques." The conference's 13 Class Tracks will feature many workshops, seminars, and talks. The 2003 conference offers a catalog of more than 200 classes. and

27-30APR03 Techno-Security Conference at the Wyndham Myrtle Beach Resort in Myrtle Beach, South Carolina. The conference features a "blend of physical and cyber security forums ... the latest in computer forensics and related legal issues affecting federal, state and local law enforcement, as well as the Fortune 500 [companies]." Guidance Software hosts the conference. According to Robert Shields, senior director of marketing at Guidance Software, "Combining both physical and cyber security issues - Techno-Security addresses a common linkage surrounding the use of computer forensics software. With numerous sessions covering issues such as homeland defense, intrusion detection, and evidence management," the conference will serve many computer security experts and investigators. and

22-27JUNE03 15th Annual Computer Security Incident Handling Conference at the Westin Hotel in Ottawa. First.Org sponsors the FIRST Conference, which "focuses on the field of computer security incident handling and response. The presentations are international in scope and include the latest in incident response and prevention, vulnerability analysis, and computer security."

23-25JUNE03 NetSec 2003 at the Hyatt Regency New Orleans in New Orleans. Computer Security Institute's (CSI's) NetSec network security conference is "devoted exclusively to network security." NetSec 2003 will offer more than 85 sessions about subjects such as Internet/intranet, secure ecommerce, VPNs, computer crime, Denial of Service (DoS) attacks, forensic investigation, response teams, cryptography/public key infrastructure (PKI), intrusion detection, Windows NT, privacy, policies, awareness, and remote access. The exhibition will feature more than 70 network security product exhibitors.

Put your requests in now, plan to attend.....

16th Annual FISSEA Conference
March 4, 5, 6, 2003

"Securing Your Cyber Frontier Through Awareness, Training and Education"

The Hilton in Silver Spring, Maryland
Three days only $275!

Keynote speakers:
Keith Rhodes, GAO, Allan Paller, SANS
Thornton May

Register through the FISSEA website,
Details under 2003 Conference

Go to top of page


horizontal bar


I. Purpose
Elevate the general level of information systems security knowledge for the federal government and federally-related workforce.

Serve as a professional forum for the exchange of information and improvement of information systems security training and education programs throughout the federal government.

Provide for the professional development of its members.

II. Vision
Be a national forum in information technology systems security awareness, training, and education.

III. Mission
Encourage the professional development of members to result in an elevated level of information systems security awareness, training, and education; and, facilitate a meaningful exchange of related information.

Objective #1

Establish and maintain effective communication with membership.

Task #1 - Newsletter
Improve the quality, format, layout and design
Increase distribution (e.g., CIO Council and other entities)
Increase participation in the production of the newsletter and increase
member participation in article production
Survey membership to improve content and delivery

Task #2 - Website
Develop a method to ensure that the website is current (fresh).
Conduct log file analysis to determine if website is effective, easy to navigate, and if visitors are actually downloading information.
Ensure that every Board member's website links to FISSEA. Add "contact FISSEA" feature to the website.

Task #3 - List serve
Continue to ensure that the list is current.
Monitor list serve for proper usage and to periodically determine benefits.
Determine how list serve can be used for awareness, training, and education purposes.
Ensure that Board members use the list serve to communicate with all members.

Task #4 - Database
Use database information for:
     o Membership records.
     o Demographic analysis.
     o Conference planning purposes.
Board should determine types of reports and frequency.

Task #5 - Survey
Develop Survey.
Have Board members review/approve.
Distribute to membership using list serve.
Analyze/report on results.

Objective #2
Increase the "value" and credibility of membership.

Task #1 - Identify customer and membership needs through:
Survey(s) Product usage trend analysis
Log analysis on website
Trends in customer/membership requests

Task #2 - Ensure that FISSEA provides tools, techniques, awareness materials, and information about training and education opportunities.

Task #3 - Increase the awareness of the value of FISSEA membership.

Task #4 - Effectively market FISSEA products/ resources/capabilities.

Objective #3
Conduct an annual conference.

Task #1 - Review and evaluate feedback and lessons learned to improve conference.

Task #2 - Maximize FISSEA's use of Federal Business Council services.

Task #3 - Update conference planning "time-line" to include preparation of paper on lessons learned from previous conference and other relevant items that can improve the process.

Objective #4
Establish an effective relationship between FISSEA and other security-related organizations.

Task #1 - Identify security-related organizations for establishing collaborative relationships

Task #2 - Establish a collaborative method of working with other security-related organizations.

Task #3 - At least annually, evaluate the effectiveness of these relationships.

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to
Last Modified: January 10, 2003.