FISSEA News and Views
August 2002
Issue Two of FISSEA Year 2002-2003



From the Executive Board Chair

This summer has been a scorcher in Baltimore. However, I have spent so much of my time inside busily trying to keep pace with an ever-expanding security workload that I did not have to deal with the hot temperatures during the workweek. I imagine that many of you can readily identify with my experience if you are significantly involved with entity-wide IT security program issues and/or assigned some of the responsibilities and tasks that resulted from the implementation of the Government Information Security Reform Act. The good news is that when you are busy the workday goes by much faster, you have an opportunity to network with more people and you usually learn a great deal.

Your FISSEA Executive Board members are very busy as well trying to find the time and resources to meet regularly, establish and implement project plans to accomplish our many objectives, and be accountable to each other and ourselves to finish all our tasks completely and timely. All of us are still employed on full-time jobs and must do our paid work well enough for our employers to allow us to voluntarily serve FISSEA too. Ensuring that our 16th Annual FISSEA Conference on March 4 through 6, 2003 meets and exceeds your expectations and ours is difficult, but still is our goal and can be done. We continue to look for outstanding presenters who are willing to volunteer their time and talent for our benefit. I am thankful that so many of you responded to my email request for volunteers to assist with our conference in some meaningful way. If the Conference Committee has not contacted you yet, expect to hear from them shortly. It is also not too late to share your ideas and suggestions with us.

Finally, I hope that you reviewed and sent your comments to Mark Wilson on the much-needed NIST draft Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program". I think this document will be very helpful to agencies who are still establishing their programs and those that are trying to enhance their existing security awareness and training program. The guide is available via the web at After reviewing the publication, I believe you will find that it provides clear guidance on ways to assess training needs and then design, develop, implement and maintain a viable IT security awareness and training program within your agency. I am hoping that we will be able to persuade Mark to do a session at our upcoming FISSEA conference on this subject.

Barbara G. Cuffie, CISSP
Social Security Administration
Chair of the FISSEA Board

* Term ends March 2003
** Term ends March 2004

*Barbara Cuffie CISSP, Executive Board Chair
*Lewis Baskerville,
*George Bieber,
*Patti Black, Assistant Chair,
**Jacqueline Bush,
*Louis Numkin, Newsletter Editor,
**LTC Daniel Ragsdale,
**Donna Robinson-Staton,
**Philip Sibert,
**Robert Solomon, CISSP,
*Mark Wilson, NIST Liaison,

FISSEA Membership/NIST Liaison (non-voting member):
Peggy Himes,


Cybercorps to Extend to States

By Colleen O'Hara
July 23, 2002 (Federal Computer Week)

The White House's national strategy to protect cyberspace, scheduled for release in September, will contain a provision that extends a federal scholarship-for-service program to the state level, said Richard Clarke, cybersecurity adviser to President Bush.

The Federal Cyber Service program provides scholarships to undergraduate and graduate students studying computer security in exchange for two years of federal service. The first group of students is nearly finished with their first year in the program.

Six universities - the University of Tulsa, Carnegie Mellon University, the Naval Postgraduate University, Iowa State University, the University of Idaho and Purdue University - have received scholarship money. Currently, 66 students ages 20 to 64 participate in the program.

The cybercorps is important because the government does not have enough trained experts to protect federal systems, Clarke said, speaking July 22 at the 2002 Cyber Corps Symposium at the University of Tulsa. "We will fight a future cyberwar," Clarke said. "Right now we are not in good shape." The nation is dependent on cyberspace, which opens up vulnerabilities that need to be fixed, he said.

Recognizing that state and local agencies also need trained professionals to protect their networks, the cybersecurity strategy "calls upon state governments to create a state cybercorps," Clarke said.

Clarke would not reveal additional details of the cybersecurity strategy.

The Cyber Service program is scheduled to get a boost from the emergency supplemental funding bill scheduled for a vote in Congress this week. The bill contains $19 million to expand the Cyber Service program, Clarke said. "The president thought this was an emergency."

If the provision remains in the bill, the program would be extended to four additional schools in September.

["Reproduced with permission of Federal Computer Week. Copyright, Federal Computer Week Media Group. All rights reserved."]

Information recently received:
You may want to contact Miguel Hernandez, 210-805-2423 ext. 502, or Cathy Robinson, ext. 506; they are the OPM program managers.
Some background information may be found at


Statistical Persuasion

By David Sostman (Titan Systems Corporation)

What does it take to persuade individuals in the workplace to take the proper precautionary measures to mitigate information security risks? How do we change the behavior of recalcitrant employees who remain unconvinced that significant information security threats actually exist? This is a difficult task that FISSEA's members face everyday. Luckily, information technology, the source of this situation, also offers new tools that can help in the battle of persuasion.

Due to advancements in real-time monitoring, detection, and analysis technologies, accurate and verifiable information about actual intrusions can now be used to persuade workplace skeptics that information security threats actually do exist. Until recently, references regarding these threats have been largely hypothetical, hearsay, and conjecture. But all of that's changed. We can now display on a computer screen the electronic renditions of actual intrusion happening in real time. And the audit trails generated by these intrusions, analyzed with new methods of data mining, also offer unassailable evidence that the threats are indeed real.

In recent years, real-time electronic monitoring and reporting tools have become quicker and more accurate than previous generations of information security technologies. Extraordinary data mining analysis tools also allow us to identify the type of assault, where it's coming from, its nature, and whether or not it's successfully penetrating the established layers of electronic defenses.

We have entered a new age of information warfare where we can instantly detect and display detailed accounts of Internet-based intrusions, and other acts of unauthorized access. The Titan Systems Corporation has been helping the Defense Information Systems Agency perform these activities for more than half a decade, and our information security analysts have been utilizing increasingly sophisticated tools for maintaining the security of an electronic enterprise. As various civilian agencies in the Federal government move forward in establishing the next generation of 24x7 cyber network real-time monitoring, detection, and response operations, these new tools, and the reports they generate, can also be used by Information Security Officers and others tasked with communicating the need for individuals to engage in precautionary measures.

This type of information is useful because many individuals don't want to be bothered with the responsibilities associated with protecting information assets. Yet, if a convincing argument can be made, people will pay attention -- especially if they feel the threat. The old parable about putting a frog in a pot of water tells the story well. If the water's boiling hot, the frog will jump out immediately. But put him in a pot of cool water, and gradually turn up the heat, and he won't notice the rising temperature -- until it's too late.

When it comes to information security, many individuals appear to be biding their time, like frogs sitting in cool water. But unlike the boiled frogs, we have the ability to learn -- without direct negative experience. The information gleaned from intrusion detection devices and data mining analysis tools can offer confirmation that in some places the water is already boiling, and for many people, that's all the evidence they need to begin engaging in their information security responsibilities. Those tasked with communicating the importance of information security would be well-advised to utilize the persuasive statistical reports these new tools provide.
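As an added illustration of the kind of report the article has in mind (not code from the article or from Titan Systems), the following script reduces a constructed set of intrusion-detection alerts to the figures an awareness briefing could cite: attack types, the busiest sources, the share that got past the perimeter, and the week-by-week trend. The four-field alert format and the blocked/allowed outcome field are assumptions, not any product's format.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample alerts (not real traffic): day, source address, attack
# category, and what the perimeter did with it. "allowed" means the traffic
# reached an internal host; the four-field format is an assumption.
SAMPLE_ALERTS = """\
2002-07-01 198.51.100.7 port-scan blocked
2002-07-01 203.0.113.9 web-cgi-probe blocked
2002-07-02 198.51.100.7 port-scan blocked
2002-07-02 203.0.113.9 web-cgi-probe allowed
2002-07-03 192.0.2.44 mail-relay-probe blocked
2002-07-08 198.51.100.7 port-scan blocked
2002-07-08 203.0.113.9 web-cgi-probe allowed
2002-07-09 192.0.2.44 mail-relay-probe allowed
2002-07-09 203.0.113.9 web-cgi-probe allowed
2002-07-10 198.51.100.7 port-scan blocked
2002-07-10 192.0.2.44 mail-relay-probe blocked
2002-07-10 203.0.113.9 web-cgi-probe blocked
"""

def parse_alerts(text):
    """Parse one alert per line, skipping blank or malformed records so a
    single bad line cannot invalidate the whole report."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("blocked", "allowed"):
            continue
        day, source, category, outcome = parts
        alerts.append((date.fromisoformat(day), source, category, outcome))
    return alerts

def summarize(alerts):
    """Reduce the alerts to the figures a briefing can quote: what was tried,
    where it came from, how much got through, and whether it is increasing."""
    by_category = Counter(a[2] for a in alerts)
    by_source = Counter(a[1] for a in alerts)
    reached_host = sum(1 for a in alerts if a[3] == "allowed")
    weekly = defaultdict(int)
    for day, _, _, _ in alerts:
        week_start = day - timedelta(days=day.weekday())  # Monday of that week
        weekly[week_start.isoformat()] += 1
    total = len(alerts)
    return {
        "total": total,
        "by_category": dict(by_category),
        "top_sources": by_source.most_common(3),
        "reached_host": reached_host,
        "penetration_rate": round(reached_host / total, 2) if total else 0.0,
        "weekly_counts": dict(sorted(weekly.items())),
    }

def briefing_lines(summary):
    """Render the summary as plain sentences for an awareness handout."""
    lines = [f"{summary['total']} intrusion attempts recorded; "
             f"{summary['reached_host']} reached an internal host "
             f"({summary['penetration_rate']:.0%})."]
    for category, count in sorted(summary["by_category"].items(),
                                  key=lambda kv: -kv[1]):
        lines.append(f"  {category}: {count}")
    for week, count in summary["weekly_counts"].items():
        lines.append(f"  week of {week}: {count} attempts")
    return lines

if __name__ == "__main__":
    print("\n".join(briefing_lines(summarize(parse_alerts(SAMPLE_ALERTS)))))
```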


FISSEA 2003 Conference Update

The FISSEA 2003 Conference planning is underway! This year's conference theme is "SECURING YOUR CYBER FRONTIER THROUGH AWARENESS, TRAINING AND EDUCATION". The conference dates this coming year are March 4-6, 2003. We are moving to a "NEW" location based on numerous requests from previous conference attendees.

The conference will be held at the Hilton Hotel in Silver Spring, MD. This should be ideal for everyone as it is close to public transportation, a primary consideration of those requesting a different location. More information on registration and logistics for lodging, parking and transportation will be available in the months ahead.

The planning committee is working towards providing a 1st class conference that will not only enhance your knowledge but will provide more information sharing in the areas of awareness and training through government, industry and academia.

The committee and Executive Board have already heard from many of you regarding the FISSEA 2003 conference. We thank everyone for your continued support and commitment in making FISSEA successful year after year as we continue to strive for "excellence" in our profession. Many of your ideas and comments will be useful and helpful in developing and shaping the conference.

If you are interested in working with the committee or have any ideas on specific topics, or you have attended training seminars/workshops that provided you with good information to share, please contact me at my email address:

More information on potential and confirmed speakers and conference topics will be made available, shortly. Please visit the FISSEA website, for the most recent news. The committee is also planning to begin an advertising and public relations campaign in September to promote the conference and to gain more interest from government, industry and academia in attending.

I look forward to fulfilling the challenging, but rewarding and exciting role as the FISSEA 2003 Conference Director. The Program Director for FISSEA 2003 Conference is Curt Carver, Academy Professor with the U. S. Military Academy at West Point, New York.

On behalf of the Executive Board, Planning Committee Members, Curt Carver and myself, we are at your service to bring to you an exciting and rewarding conference for FISSEA 2003!

FISSEA 2003 Conference Director
Donna Robinson-Staton
Director, Enterprise Security Awareness & Training
Dept. of Housing Urban & Development


Federal Information Assurance
Conference 2002 (FIAC)

By Louis Numkin (Nuclear Regulatory Comm.)

FISSEA will participate in the "Federal Information Assurance Conference 2002." Training tracks and vendor exhibits will be held October 29 and 30, and special half-day workshops will be offered on October 31, 2002. All sessions will be at The Inn and Conference Center, University of Maryland University College, in College Park, MD.

This is the 2nd Annual Federal Information Assurance Conference (FIAC), which is trying to fill the void that followed the demise of the much-beloved multi-year National Information Systems Security Conference, coordinated by NIST and NSA. FIAC is an event for the government and designed by the government, specifically to meet the real-world information assurance needs of the Federal Government and its workforce. The current list of participating organizations includes, but is not limited to: NIST, NSA, NIAP, NRC, GSA, VA, Army, DoD, HUD, and Government Computer News (GCN). Overall coordination of the conference is being handled by the Federal Business Council (FBC), which also provides the vendor exhibits for FISSEA's annual conferences.

Based on the success of last year's conference and the constantly growing need for security, you can find all the information you need at the FIAC website,

FISSEA representatives are building Track C and part of Track A so that these tracks include sessions of particular benefit to computer security educators/trainers, and FISSEA will also have a booth in the exhibit area.

Here are some highlights of what you can expect at FIAC 2002:

  • Richard Clarke, Special Advisor to the President for Cyberspace Security and Chairman of the President's Critical Infrastructure Protection Board, will be the Keynote Speaker on October 29, 2002.

  • Also, on October 29th, a General Session will be held to address "GISRA to FISMA - What You Need to Know."

  • The NIAP Validated Products Certificate Presentation will take place on October 30th.

  • Some of the other sessions at FIAC 2002 include: IT Product Implementation Guidelines, Security Training & Awareness, New Certification and Accreditation Initiatives, Incident Response, Biometrics, Cybercrime, Risk and Vulnerability Assessment/Penetration Tools, IT Security Testing Programs, Intrusion Detection, On-Line Privacy and Public Safety Requirements, and more.

The half-day tutorials on October 31 will address:

  1. Certification & Accreditation

  2. Common Criteria Validation and

  3. Homeland Security Threats.

{Tutorial fees are separate from the conference fee. More details will be posted on the website.}

For those who are "hungry" for knowledge, it is worth noting that food provided for the 2001 FIAC was rated very highly by those in attendance, so this event will nourish your mind as well as your body!

Last year's event had over 400 in attendance and this year it is anticipated that FIAC will sell out at 750 attendees. Registration information, updated sessions, speaker details and more can be found at



{This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security Awareness, Training, and Education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at }


Philip Sibert has another "Siber' Space Snippit" for you:
CISSP Changes
Last month, the Certified Information Systems Security Professional (CISSP) club became a bit more exclusive. In addition to passing the CISSP exam, candidates must receive a written endorsement from a CISSP attesting to their experience and suitability for the title. And starting in 2003, Framingham, Mass.-based International Information Systems Security Certification Consortium Inc. will require CISSPs to have four years of experience or "three years with a college degree or equivalent life experience."


10-12SEP2002 HealthSec 2002 Conference and Expo, Atlanta, GA. Now in its 8th year, HealthSec takes you beyond the basics of HIPAA, delivering in-depth information about privacy requirements and providing detailed security implementation tactics. For complete conference details, go to (Please use HS02/EB1 as your priority code when registering.) MIS Training Institute, (508)879-7999.


10-12SEP2002 The Conference on Mobile and Wireless Security, Atlanta, GA. Optional workshops Sept 9 & 13. MIS Training Institute, (508)879-7999. Go to: (Please use MWS02/EBAL as your Registration Code.)


18-19SEP2002 E-Learning 2002 Conference at the Ronald Reagan Building in Washington, DC. Building Advanced Information Environments. Designed by a Program Advisory Board comprised of government and industry leaders, this second annual conference is the one place you can get advice, ask questions, and talk to the people who are implementing and developing E-Learning strategies today. Go to:


26SEP2002 An Information Security Workshop Designed for the Small Business or Organization. Email, payroll, proprietary information, client or employee data - information is essential to a business's success. A computer failure or other system breach could cost a business anything from its reputation to its competitive advantage. NIST develops guidelines to increase secure IT planning, implementation, management and operation in sensitive federal government systems. These guidelines are used throughout public and private sectors around the world. Now NIST has partnered with the Small Business Administration (SBA) and the National Infrastructure Protection Center (NIPC) to offer a workshop to help small businesses and other organizations across America to increase the security of THEIR information systems. At this workshop, a small business owner can learn how to define information security for his/her business, how to identify IT threats and vulnerabilities, and how to select cost effective, business appropriate solutions. The next workshop will be held in Chicago, IL: Sept 26th 8:30am - 4pm. For an agenda, registration materials and other workshop details, visit: Contact Dr. Alicia Clay at


18-25OCT2002 SANS Network Security. By far the largest security conference in Washington is Network Security 2002 (NS2002) in late October -- and this year it includes the National Information Assurance Leadership Conference at which the Army, Navy, Air Force, Marines and Coast Guard will all be running their separate Service-Wide IA Leadership programs and the Internet Threat Update and Dick Clarke's keynote will be available to all five services. Full explanation of NS2002 is at Or contact Alan Paller, 301-951-0102 x108,


29-30OCT2002 Internet Security Tools & Techniques, Gaithersburg, MD.
31OCT-1NOV Intrusion Detection, Attacks & Countermeasures, Gaithersburg, MD.
14-15NOV2002 How to Create and Sustain a Quality Security Awareness Program, Chicago, IL. For more information on the Computer Security Institute classes, go to, or call (415)947-6320.


29-31OCT2002 Federal Information Assurance Conference (FIAC). (See the FIAC article in this issue.) Visit the FIAC website at Register through Federal Business Council, Bob Jeffers (


11-13NOV2002 CSI 29th Annual Computer Security Conference and Exhibition. Computer Security Institute (CSI) is a leading membership organization specifically dedicated to serving and training the information, computer and network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information assets. CSI sponsors two conferences and exhibitions each year, NetSec in June and the CSI Annual in November, and seminars on encryption, intrusion management, Internet, firewalls, awareness, Windows and more. E-mail, telephone 415-947-6320 or visit the website at


30NOV2002 Computer Security Day. For more information contact Lee Ohringer: 301-229-2346


Hawaii International Conference on System Sciences - Call for Papers for the minitrack Secure and Survivable Software Systems part of the Software Technology Track of the Hawaii International Conference on System Sciences, January 6-9, 2003, Hilton Waikoloa Village, Big Island, Hawaii. Contact Axel Krings, Ph.D., Assoc. Prof. Computer Science, University of Idaho, Moscow, ID 83844-1010. Phone 208-885-4078,


Securing Windows 2000 - One-day course, hands on. Stephen Northcutt of The SANS Institute announced this new course and reported you will receive the training needed to build both the skills and confidence to use the new standards. For more information on the Standard Operating Environment (SOE) in the USA for Windows 2000 called the Gold Standard, go to

Put your requests in now, plan to attend...
FISSEA 16th Annual Conference -
March 4, 5, 6, 2003

New Location: The Hilton in Silver Spring, MD
Conference Director: Donna Robinson-Staton
Program Director: Curt Carver
Three days only $275


FISSEA Conference 2003

March 4-6, 2003
The Hilton in Silver Spring, Maryland
16th Annual Federal Information Systems Security Educators' Association Conference

"Securing Your Cyber Frontier Through Awareness, Training and Education"


FISSEA 2003 is the national forum for information technology systems security awareness, training, and education. The conference will include birds of a feather (new), papers (new), tutorials, panels, presentations, demos, and exhibitions. We invite you to participate by submitting an abstract and joining us in Silver Spring. If you need to learn more about the latest security awareness, training, and education practices and research, this is the conference for you.

Submission deadline for conference:
September 30, 2002

Submission Details
Birds of a feather proposals, papers, tutorials, panels, presentations, demos, and exhibition proposals related to security awareness, training and education are welcome. Each submission consists of two parts:

  1. A separate title page with:
    • The title or topic;
    • A contact author with postal address and electronic mail address;
    • The name(s) of the authors, organizational affiliation(s), telephone and FAX numbers; and,
  2. An abstract of no more than 300 words.

Submit abstracts and proposals (ASCII, postscript, or PDF only) NLT 30 September to

For additional questions, send email to:


Last Modified: September 16, 2002.