News and Views
Federal Information Systems Security Educators' Association


Issue Three of FISSEA Year 2003-2004
November 2003



Letter From the Chair

Greetings FISSEA Members,
The time always seems to fly fastest between the end of September and the end of the year for me. I can hardly believe that our 17th Annual FISSEA Conference is less than five months away. I hope you have already marked your calendars for March 9-11, 2004 and begun making plans to attend this major information security conference. Our theme is Awareness, Training, and Education - The Driving Force Behind Information Security. The good news is that we have continued to do almost the impossible by keeping the price for registration well under $400 (only $365) for this 3-day event.

We are continually updating our FISSEA website at to keep you informed about the conference and other initiatives underway. I can assure you that the Conference Program Director and Chair, Curt Carver and Chrisan Herrod respectively, are working closely with the executive Board to make this our best conference ever. I am asking you to support FISSEA by participating in the Conference while you benefit from the excellent speakers, panelists, information sharing and networking opportunities that will be provided. We have moved the conference to the beautiful Inn and Conference Center at the University of Maryland University College in Adelphi, Maryland. All the lunches and breaks are included, and the food is always scrumptious.

The time has arrived for you to begin thinking about who you would like to nominate as the FISSEA Educator of the Year. Please visit our website for the details on submitting nominations. Only FISSEA members can nominate someone, but the person nominated does not have to be a FISSEA member although we encourage you to invite persons that you think could benefit from being a member to join.

We recently sponsored our first workshop on September 25th on Developing Role-Based Training for Systems Administrators and Managers. Our own Louis Numkin was able to host the event at the Nuclear Regulatory Commission and Jeff Dektor, Susan Hansche, and Patricia Harris from the State Department were responsible for developing and conducting the training. The good news is that based on our review of the evaluations from the participants, the workshop was definitely a success. We have already begun the preliminary planning for our next workshop and are using the feedback we received to make it even better. Visit our website often to stay abreast of details for all upcoming events. In fact, I encourage you to add us to your list of favorites and see how you can get your agency to link to our website from its Intranet as well.

The Executive Board meets monthly, and we communicate with each other almost daily to always look for ways to ensure that FISSEA is beneficial to you, our members. We are always interested in hearing from you, and we welcome all volunteers who can help us. If you have suggestions, remember that they can only benefit us if you share them.

Barbara Cuffie, CISSP
Chair of the FISSEA Executive Board

Go to top of page

horizontal bar

FISSEA Executive Board

Barbara Cuffie, CISSP, Executive Board Chair*

Lewis Baskerville,**

LTC Curt Carver, Jr., Conference Program Director,**

Chrisan Herrod, Conference Director,**

Tanetta Isler,**

Dara Murray, CISSP,*

Louis Numkin, Newsletter Editor,**

LTC Daniel Ragsdale,*

Donna Robinson-Staton,*

Robert Solomon, CISSP,*

Mary Ann Strawn,*

Marvella Towns,**

Mark Wilson, CISSP, NIST Liaison, Assistant Board Chair,**

NIST Executive Assistant to the Board: Peggy Himes,

* Term ends March 2004
** Term ends March 2005

Go to top of page

horizontal bar

FISSEA Editor's Column
Policy aside...

By Louis M Numkin
US Nuclear Regulatory Commission

"What did he say?!"
"Perish the thought!!"
"'Policy Aside' in the Federal Government?!"

Uh Huh...
As computer security awareness practitioners, we need to creatively look outside the box. Get in to the mind set that not everything must be chiseled in stone. Consider unusual aspects of the "same old stuff" and bring them out in an effort to offer an interesting presentation versus a yawner.

"We need to act like metal detectors as they sweep the beach. Sometimes you'll find bottle caps, but occasionally you locate buried treasure." I heard this in a Boeing clip on the radio, this morning, and it seems to be germane here.

Look at your topic, especially if it is less than exciting to a typical audience, and think about how to hold their attention. Perhaps the really interesting part makes up only 10% of the whole but if you put on your thinking cap you may just be able to parlay it into an attention grabber that successfully finds footholds in the minds of your audience.

Given some thought, you may find a memory technique which helps remind your student of a concept or otherwise boring segment. You don't have to be original. Remember the old axiom "Imitation is the highest form of flattery." One example is the creation of acronyms. Feds are inoculated with the acronym gene when sworn in for public service. Take for instance the meeting guideline "Start On Time, Stay On Time, Stop On Time." This can be referenced as "SOT" which may seem cutsie but is easy to remember. It's similar to web work. As you read a web document, all the text is not on the screen - additional information may be hyper-linked and only accessed when a reader wishes to probe deeper or understand more. These techniques can be employed by the Awareness Practitioner to get out a succinct message which is: on the surface, provides a rough idea as relates to a subject, and is easy to remember/implement.

What techniques have you utilized in getting your Awareness message across to your varied minions? Please consider forwarding some illustrations of how you've succeeded so that we can share them with our readership.

I will sign off with my usual closing to computer security messages at my agency, "Have a virus free day." It is my contention that it heightens a level of awareness in the recipient and I hope that it improves their daily use of information resources as well as the agency's computer/information security.

{Editor's note on the Editor's Column: Of course, Our readers are encouraged to get and utilize the new NIST ATE publication. Questions can be directed to FISSEA Assistant Chair, Mark Wilson.}

Register for the 17th Annual FISSEA Conference
March 9-11, 2004
UMUC in Adelphi, MD

Go to top of page

horizontal bar

Reaching out to Awareness Training

By Dara G. Murray, HHS
Director, IT Security Staff
IT Service Center, Office of the Secretary

One question that computer security awareness trainers always grapple with is training methodology. How do "we" reach out to those in the regional offices and make the computer security awareness training effective and meaningful? Is live training more effective then utilizing computer based instruction tool (CBT's)? Is accountability an issue? These are the kinds of questions that always come into play as trainers and what we focused on in our awareness campaign at the Program Support Center, (PSC), Health and Human Services.

Two years ago, the PSC's computer security program was very much decentralized, much in the same way that other large government agencies have run their programs for a long time. Although PSC is one of the smaller operating divisions within the agency, it is broken apart into smaller sections known as "Services". Each of the Services ran their own security program and were responsible for training individuals about computer security awareness. However, PSC did not have a top-level computer security expert providing guidance and in most cases with the exception of two of the sections, computer security training was not conducted at all. Our statistics showed that out of 2000 PSC employees, only about 300 were trained. Once the program became implemented, PSC established an "outreach" program in which we brought computer security to the employee versus trying to bring the employees to computer security. For six solid weeks, PSC took computer security "on the road" and conducted morning and afternoon sessions within the Washington, D.C. metropolitan area and regional offices. We had a great time meeting people, employees including our contractors seemed to be very enthusiastic about the program, and it gave employees a time to ask questions. We felt really great about what we accomplished, however, the metrics were not as great as we would have liked. Although we made an excellent improvement to push our totals up to 63% of employees who attended the training, it was not the numbers we had wished for. Then we heard about a group that was headed up by Patti Black, Department of Treasury, that produced a great awareness tool that was sponsored by the Committee on National Security Systems, Education, Training and Awareness Working Group; Defense Information Systems Agency (DISA), and Federal Information Systems Security Educators' Association (FISSEA). We couldn't wait for the March 2001 FISSEA conference for it to be finally released.

The Computer Security Awareness (CBT) available CD is web-based, very graphical, and hits on the basics of overall awareness. The PSC management loved the concepts, but like other Federal agencies, wanted to have that "agency-specific" focus. Therefore, with the assistance of contractor resources (SAIC and Carnie International) and some "dinero", we made it agency-specific. The return on investment has been tremendous; and we have been able to make the tool available not only to PSC, but to other organizations within HHS. The feedback from employees is excellent. They loved the graphics and really enjoyed the ability to be interactive. Our numbers have gone up quite a bit as well---the PSC management liked the fact that our FISMA report showed 93% this year versus the 68% the year before. Next year we will strive for 100%! (It's nice to dream isn't it?) In addition, with the assistance from Human Resources, we can "reach out" to all new employees when they come on board. Therefore, computer security is right there "up in front" along with their payroll and social security forms they must sign. As I mentioned earlier, the face to face intervention was great, but the facts show, for the PSC's awareness program computers have again outrun the human!

Watch for my next article where I will talk about methods on how to deal with employees who just don't seem to want to make the time for awareness training? (shame, shame).

(To obtain a copy of the CD, "Federal Information Systems Security Awareness," Version 2.0 February 2002 contact DISA, or email

Go to top of page

horizontal bar

FISSEA Conference
March 9-11, 2004

A Question and Answer Session with the 2004 FISSEA Program Chair
Our very own FISSEA field reporters, Ernie Smudlap and Lily Mae Squashposum sat down with the 2004 FISSEA Program Chair recently for a brief update on the conference

FISSEA Field Reporter Lily Mae:Hey Curt! How is the conference planning coming along?
Curt: It is absolutely awesome although my security administrator thinks I am the victim of a denial of service attack from all the submissions. We really did have a tremendous response from the FISSEA community and this year's conference is shaping up to be better than ever. We have an initial draft of the schedule and the executive committee is working hard to refine it now. We should have author notification of acceptance out by Thanksgiving and then start the process of building the conference proceedings, resurveying the conference location, and all those other sorts of fun things.

FISSEA Field Reporter Ernie Smudlap: Can you leak who is going to be keynote speakers?
Curt: Sure. First day keynote speakers are Jane Norris from State Department and Lance Spitzner from Sun Systems. The second day features Ray Semko (NSA's Diceman). The final day has Dan Ragsdale from West Point and Bill Nugent from Mitre. It is an great group of keynote speakers to address security awareness, training, and education.

FISSEA Field Reporter Lily Mae: How many submissions did you receive?
Curt: Not quite sure how many we received. We have forty-three presentations on the schedule right now and given the significantly improved conference facilities that we have, we will be running a number of alternate presentations so that conference attendees can pick and choose what sessions they attend.

FISSEA Field Reporter Ernie Smudlap: You mentioned themes. What common threads of presentations are you seeing in the proposals?
Curt: We have a couple of themes emerging from the conference that folks can decide to attend. There is great interest in certification and we have a number of panels discuss certification and its role from different perspectives. We have a couple of sessions that are specifically geared to the new person in information awareness and training and how to get started. Education-related sessions continue to grow as colleges figure out they have to deliver a graduate to the workplace who understands how information security works. Innovative ways to conduct training have always been popular sessions at the conference and we received a strong slate of proposals to address this topic. Finally, we have some proposals on newly available resources to support security training and awareness that should appeal to the conference attendees. There seems to be a little of everything for the conference attendee in the rapidly evolving field of computer security awareness, training and education.

FISSEA Field Reporter Lily Mae: Tell us a little something about the conference facilities?
Curt: We are having the conference at the Inn and Conference Center at the University of Maryland. Several members of the executive committee and I visited the site recently and we were very impressed. The presentation facilities are state of the art. The space available for vendors and exhibitors is greatly improved over previous years and really provide an opportunity for folks to showcase their products. The food was actually pretty decent as well. I didn't get to stay at the hotel but it is a Marriott and I don't think we are going to have any problems with the exception that we might run out of rooms. I would go ahead and reserve a room at the hotel and for the conference. If the number of submissions and inquiries from vendors are any indication, getting an early reservation would be a good idea.

FISSEA Field Reporter Ernie Smudlap:Last question. Where can I find out more about the 2004 FISSEA conference?
Curt: Check out the FISSEA website for late breaking news on the conference at ( As soon as I finish the selection process for presentations, I will get a schedule posted on the website. You can already register and get a hotel room. Thanks for coming by Ernie and Lily Mae and see you at the conference!

Go to top of page

horizontal bar

NASA Certification Program

By Robert Solomon, NASA

NASA has launched an Agency-wide program to certify all system administrators according to a consistent standard. The program was started about May 1, 2003, and has provision for up to 3000 participants. The program is being managed by the NASA Information Technology Security Awareness and Training Center at Glenn Research Center in Cleveland, OH. Project Manager is Robert Solomon.

The program utilizes skills assessment tools provided by Brainbench, Inc., located in Chantilly, VA. Their services met the criteria established by NASA headquarters. Those criteria were:

  • It must be an independent, third party assessment
  • It must measure both operating system knowledge and security knowledge
  • It must be consistent for system administrators regardless of operating system
  • It must be cost effective

The program was tested using a pilot approach to evaluate the value of the tests and whether they appropriately met NASA's needs. After the pilot program, feedback from the 44 pilot candidates was used to craft the final program.

The program requires each participant to pass an operating system test and a Network and Internet Security Test. Primary Certifications are offered in UNIX, Linux, Windows 2000 Desktop, Windows 200 Server, Windows NT4 Desktop, Windows NT4 Server, Open VMS, and Cisco Networking. A Mac OS X certification was implemented in August. All participants must pass the same Network and Internet Security test.

Candidates are given three opportunities to pass each of their two tests. If they are not successful in three attempts, they must show evidence that they have taken steps to correct knowledge gaps before they are given additional attempts to meet the requirements. The program is an assessment program only and does not provide training.

This allows the use of any training method to provide for preparation or remediation. Both Brainbench and NASA provide test outlines and topic lists for all of the tests that are required. One of the features of the Brainbench assessments that is useful to the candidates is that they get immediate results for the tests which identifies their strengths and weaknesses whether they pass or not. This identifies knowledge gaps for remediation or skills advancement.

Each successful candidate receives a certificate recognizing their certification. The certification is valid for three years. The certification is recorded at the NASA IT Security Awareness and Training Center and is reported to each participant's IT Security Manager as well as NASA Headquarters.

After the candidate achieves their Primary Certification, they are promoted to a Personal Development track which gives them access to over 400 skills assessments offered by Brainbench. They may achieve up to 17 Secondary Certifications by passing additional operating system tests.

Go to top of page

horizontal bar

Security Practices Repository

For several years, the NIST Computer Security Division has maintained a website - the Federal Agency Security Practices (FASP) - as a repository for security practices donated by federal agencies. (The URL is Now, NIST is seeking material from non-federal sources. A new website - - will house information security policies and practices that are offered by non-federal organizations. If you are a private sector FISSEA member or affiliated with an academic institution, NIST welcomes your contributions. (If you are a federal employee, NIST also continues to welcome policies and practices for the FASP site.) See the respective sites for procedures for submitting practices.

For additional information on either site, contact Marianne Swanson at (301) 975-3293 or

Go to top of page

horizontal bar

Selling Your Concepts to Classes

By Jim Litchko, Litchko and Associates, Inc.

Every time you teach, you are in fact selling concepts to your audience. When I was learning to teach, I was also selling the National Security Agency's Information Systems Security budget to the Pentagon and Congress, about half as hard as teaching the computer security class to my Johns Hopkins University graduate class. During this parallel learning of how to sell and teach, I noticed that the methods used in one effectively support achieving the goals of the other.

When I started teaching, I taught just like I was taught: lecture from behind the podium and lots of multiple question quizzes. Or as I call it "Talk and Test". I found this extremely boring, so I could only expect it was the same for the students. Result: No learning.

In the sales community, they have a similar selling style call "Show-up and throw-up". This is where you have a standard marketing presentation on your products and services and you give it to all of your potential clients. This method is equally as boring for you as it is for the clients. Result: No sale.

So how does one correct this? In sales we tailor the pitch to the customer. So in teaching you tailor each of your presentations to your students. There are three ways to do this: know them, relate to them, and engage them.

Know your students. In sales, it is critical that you know your customer's role, motivation, and needs. In teaching, you need know the same about your students. You need to understand each student's job (accountant, manager, engineer, waitress, etc.), company and its business sector (financial, manufacturing, military, entertainment, etc.), and favorite pastime (dancing, surfing (water or web), singing, charity work, bowling, etc). These key pieces of information will allow you to relate to and engage your students.

Job gives you an idea of the student's thinking processes. Accountants and engineers are into the details and quantitative, and desire structure. Budgeters, sales people, and researchers are qualitative and creative, and desire little structure. Knowing that they are executive and managers tells you nothing. You need to know what they were before they were executives and managers. I know that generalities do not apply to everyone, but they do for the majority and this provides you with more information then when you started. Try it.

Company and business sector gives you the information that you need to relate your class examples to. If a class is from one or two business sectors, your examples need to relate to those sectors to make the material relate to the students' perspectives and needs. If the students are from multiple business sectors, you use ones that relate to various sectors and ask the students if they have examples from the other sectors. This is a very good way of building your examples for future presentations. Another good way is to ask that the students use business examples in the essay questions of your tests and in their term papers.

Favorite pastime tells you more about the individual's character and motivations. Also provides you with leverage for connecting with the students. When concepts for a common class pastime are similar to the concepts that you are presenting, you can start the discussion with telling a story about a situation in that pastime, ending with, "And that is the same as…."

How do you get this information about your students? You ask them. In the beginning of the first class you ask them to introduce themselves, by telling you what their job is, who do they work for, and what is their "favorite pastime activity"? Like many of you, I used to think that this kind of introduction was so the students could pick who they would like to work with on the class projects. True for them, but for you it is to gain the information necessary to relate and engage them. Take notes or have them start by writing the responses on a 3x5 card that you collect.

What if I am talking to a large group of people? Before the presentation, talk with various people in the audience, say 3 or 5 attendees. Ask them, "What is your job?", "What is the business sector?", and "Why are you interested in this topic?" Talk to attendees in the front, middle and back of the room. Now when you give your presentation, you can adjust your examples to the business sectors that are in your sampling. You can also use one of the attendees' comments and with the contributor's first name. For example: point to Tom and say, "Before this presentation, Tom asked me, 'How often should I backup my data?' This is a very good question, that I am sure that many of you are asking yourselves." In this example, notice that we physically connected by pointing, verbally identified that you are on first name basis with one of their peers, complemented them on having a good question, and related it to all of them. You can further the relationship by engaging them with the question, "Who has the answer?" and wait for their responses.

Wait for their responses! This is very key concept because, the final thing that I learned from selling was, "The temptation to fill silence is deadly." When you put a deal on the table, stop talking and wait for the customer to respond. If it takes 27 minutes, wait! Why do you wait, because people have to process what was presented, the question and their answer before they can provide you with intelligent responses. Note the two words in the last sentence: "intelligent responses". Did you ever wonder why that student in the front row, who puts up his hand immediately after you ask the question always has the worst answers. It is because they did not take the time to process the information, question or response. Teaching is not a "who is first" activity, it is a great response event. Ask your question and wait for several hands to rise. I once asked a teacher how long do you wait and her response was, "Until it hurts." For a speaker, 15 seconds of silence is more then "hurts" it is "please put me out of my misery" pain. No matter how tempting it is to fill the void, "Wait!" Trust me, you asked the question and the hands will come.

27 minutes of waiting was not a joke it actually happened to me once. Result: I closed the deal.

Know them, relate to them, engage them, and wait for them. Sales concepts that can support many areas of your life, these suggestions should help you when teaching students. Remember: DON'T TELL THEM, SELL THEM.

Go to top of page

horizontal bar

NIST SP 800-50

In October, NIST announced the release of Special Publication 800-50, Building an Information Technology Security Awareness and Training Program. The publication provides detailed guidance on designing, developing, implementing, and maintaining an agency security awareness and training program. It can be found at .

The new document is a companion publication to NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model. The two publications are complementary: SP 800-50 works at a higher strategic level, discussing how to build an IT security awareness and training program, while SP 800-16 is at a lower tactical level, describing an approach to role-based IT security training.

Mark Wilson, CISSP
IT Specialist (Information Security)
Computer Security Division
NIST Information Technology Laboratory
(301) 975-3870

Go to top of page

horizontal bar

NIST SP 800-53

NIST has completed its first draft of Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This draft guideline provides a recommended set of controls for low and moderate impact systems (based upon the security categorization definitions in FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems [in final pre-publication]). This guideline will stand as NIST interim guidance until 2005, which is the statutory deadline to publish minimum standards for all non-national security systems. It is our intention that by first publishing this as a guideline, agencies can gain practical experience with it and provide NIST with appropriate feedback.

The draft of 800-53 is available at We invite your comments on this important new guideline by February 2, 2004. Comments may be sent to . To learn more about the Information System Security Project and draft SP 800-53, go to the Information System Security Project home page on CSRC.

Go to top of page

horizontal bar

Calling all Artists, Web Designer Enthusiasts and Creative Individuals!

Do you have a computer security awareness web site, poster, or trinket that you or your agency would like to showcase? Marvella Towns, NSA and Dara Murray, HHS, will be hosting a contest at the 2004 FISSEA conference. See the rules and guidelines (MS Word format) in this issue.

Go to top of page

horizontal bar

Nominate the Next FISSEA Educator of the Year

On the second day of the annual FISSEA conference an individual is recognized as FISSEA Educator of the Year. This past year Patricia Black, of the Department of Treasury was chosen for her noteworthy accomplishments in information systems security awareness, training, and education. Now is the time to submit your nominations for the next Educator of the Year.

Nominees need not be members of FISSEA, but do need to be nominated by a member. Nominees may be involved in any aspect of information systems security awareness, training, or education, including, but not limited to, instructors, security program managers, and practitioners who further education and training programs for information systems security in the public, private sector, or federal community. An ad hoc committee appointed by the Executive Board Chair will judge nominees. Nominations are due by January 31, 2004.

Previous nomination letters are available on the FISSEA website, in the Educator of the Year Award Recipient section. Justification guidance and judging information is also included on the website.

E-mail your nominations to: or call 301-975-2489.

Go to top of page

horizontal bar


One of the goals of your Executive Board is to better serve you, the FISSEA membership. One way we can do this is to better understand what you value that we do now, and what you think we should do, or do better. Please complete the survey at the end of the newsletter and mail it to:

FISSEA Membership Survey
Attn: Steve Willett
100 Bureau Drive, Mail Stop 3220
Gaithersburg, MD 20899-3220

NOTE: If you completed a similar survey during the March 2003 FISSEA Conference, please do not complete the accompanying survey. We will compile the surveys we receive with those received at the last Conference.

Go to top of page

horizontal bar


By Mary Ann Strawn

The FISSEA Conference of '03 was an overwhelming success. I'm sure everyone who attended was pleased with the roster of presenters as well as the wide variety of information and inspiration. Adding even more sparkle to the package, there were door prizes!!

As a representative of the Library of Congress, I won the prize presented by CSI. And a grand prize indeed, a year's subscription to the CSI publication, FRONTLINE. Distributed quarterly, it is sharply written and smartly presented. In addition to the material developed by CSI, each issue features a Library of Congress article concerning computer security written by our staff to add a "local flavor.

Our publication was delivered electronically, but it is available in hardcopy as well. We have received favorable comments from throughout the Library about this computer security effort. What an unexpected, special bonus for attending the FISSEA conference!!!

Go to top of page

horizontal bar


This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at


MARCH 9-11, 2004 - 17th Annual FISSEA Conference, "Awareness, Training, and Education - The Driving Force Behind Information Security", will be held at The Inn and Conference Center, University of Maryland University College (UMUC), Adelphi, Maryland. Thank you for making your reservations now!

Reasons to attend: (1) Discover new ways to improve your security program, (2) Dual tracks, high quality relevant presentations, (3) All lunches/breaks are included in the $365 registration fee, (4) Gain awareness and training ideas, resources, contacts, (5) CISSP Conference participants earn CPEs, (6) Obtain practical solutions to training problems.

Contacts: Curtis Carver, Jr., Program Chair, United States Military Academy, Chrisan Herrod, Conference Director, National Defense University, Liz Hood, Exhibitor Information, Federal Business Council, Registration contact: Teresa Vicente, NIST, (301) 975-3883. For other questions contact Peggy Himes, NIST, Please see complete details under "2004 Conference" on your FISSEA website,


Dec 2-3, 2003 E-GOV's HOMELAND SECURITY CONFERENCE & EXHIBITION. Two Years of Progress: What's Better and What Needs Work? Free Exhibition: Dec2. Ronald Reagan Building, Washington, DC REGISTER TODAY! Reference Priority Code HLSEM1


The Forum on Information Warfare
December 3-4, 2003, Washington, DC
Optional Workshops December 2 & 5 E-Z Access IW03
InfoSec World Conference and Expo/2004
March 22-24, 2004, Orlando, FL
Optional Workshops March 20, 21, 25 & 26

Contact MIS Training Institute, (508) 879-7999, for information.
Use IW03/EB9 as your Registration Code.


April 1- 7, 2004 SANS 04 - Orlando The conference is at the Dolphin, and that makes it the only security conference right on the Disney property. SANS 04 is an Information Security Mega Conference, offering over 700 hours of training, in more than 14 tracks and offers a GIAC certification.

SANS Security Awareness Program is available. It is about securing your IT resources - one user at a time. You can deliver Awareness training to your organization four ways, online training, via webcast with a SANS instructor so your people can ask questions, live training at your site via our Local Mentor Program or you can buy the GIAC Prep Teaching Kit and deliver the material yourself. Using real life stories to illustrate the do's and don'ts of basic security awareness with quiz questions integrated to reinforce key concepts. To purchase, or to receive more information: See their website for webcasts on important information security topics.


Computer Security Institute's upcoming local training classes (note, two are available on-line). For more information, contact CSI at 415-947-6320 or go online

2-3Dec03 How to Perform a Technical Network Vulnerability Assessment,
      Gaithersburg, MD, Justin Peltier
4-5Dec03 Advanced Secure CISCO PIX Firewalls,
      Gaithersburg, MD, Justin Peltier
8Dec03 How to Be an Effective Information Security Professional,
      On-Line Training, JohnO'Leary
15Dec03 How to Develop Information Security Policies,
      On-Line Training, Tom Peltier
24-25Feb04 Facilitated Risk Analysis for Business and Security,
      Gaithersburg, MD, Tom Peltier
26-27Feb04 CISM Prep-to-Pass Workshop,
      Gaithersburg, MD, Tom Peltier and Justin Peltier
2-3Mar04 How to Be an Effective Information Security Professional,
      Washington DC, John O'Leary
4-5Mar04 Defense Against Social Engineering,
      Washington DC, John O'Leary


June 8-10, 2004 Cryptographic Module Validation Program (CMVP) Conference 2004 in Rockville, Maryland. Complete details will be listed on


Army Reserve Readiness Training Center, Ft. McCoy WI, opens up Computer Security courses to ALL Federal Government System and Network Administrators beginning fiscal year 2004. Technically challenging, intermediate and advanced level, computer security courses initially designed for Department of Defense personnel, have been modified and opened up to all Federal Government System and Network Administrators. The decision to offer the courses to organizations outside the Department of Defense is part of a distributed defense strategy to protect our country's automated information systems from the growing threat of cyber terrorism. The System Administrator Network Manager Security Course (SA/NMSC). Those from DOD or Federal Agencies should contact MSG VanVliet, (678)-364-8256 for Course Dates for FY04 Course length 2 weeks.


This quick note is to draw your attention to the revised fall schedule of certified COOP training classes, to be held in the DC area. Done under license from DRI International, they have now taught students from more than a dozen federal agencies, as well as state governments. Spaces are limited. Don't wait to call. For more details, go to their Web site at To book the classes, contact as follows: Vicki Alvord, COOP Consulting LLC, 12096 Kinsley Place, Reston, VA 20190 703.467.0574 phone, 703.467.8485 fax,


Finally, Earn Your Executive Ph.D./M.S. in InfoSec While You Work Full-Time. The University of Fairfax offers a graduate program for senior executives.

The University of Fairfax actually cares about addressing the shortage of (DOD) cleared information assurance/security (IA) professionals. Simultaneously it enables mid-career professionals to gain access to more senior IA positions. The University of Fairfax does this by providing it executive students with technical, research, business development and project management capabilities--professionals prepared to advance their IA careers. As a result, it offers employers a reliable source of IA professionals as well as a method for upgrading their employees. These executive students at the University of Fairfax embark on a sophisticated, but practical graduate curriculum. By utilizing projects at work, they complete a "project focused" graduate curriculum that helps them to rapidly gain access to more senior IA professional opportunities in the federal and private sectors. This graduate curriculum enables these IA professionals to learn how to "do the work" (IA analytical capabilities), "manage the work" (project management) and "sell" the work (business development/change management).For more information concerning the University of Fairfax, please call 703-534-3400. If you want to learn more about the University of Fairfax, please feel free to call Jo-Anne King at 703-534-3400 ( visit their web site at

Go to top of page

horizontal bar

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to
Last Modified: November 26, 2003.