Federal Information Systems Security Educators' Association
Issue Four of FISSEA Year 2003-2004
"Awareness, Training, and Education - The Driving Force behind Information Security" is the theme for our March 9-11, 2004 annual conference. This year it will be held at the Inn and Conference Center at the University of Maryland. I promise you the following five things about our conference this year:
The business meeting will be shorter this year so that we can focus more of our time on the outstanding presentations. However, we will still take time to introduce you to the FISSEA leadership team. We will also have our annual election to fill vacancies on the Board and give you a sense of our accomplishments during the year and our plans for accomplishing even more next year. Although the Board members are all volunteers elected by the participants at the annual conference, we are always seeking greater assistance and support from the members throughout the year. You do not have to be a member of the Board to share your ideas and volunteer to assist the Board in doing the myriad of tasks required to keep FISSEA on course in fulfilling its mission effectively.
We need people on the Board who have their management's support to be FISSEA's arms, legs and all the various parts of any functioning body to operate successfully. I want to encourage you to seriously think about serving on the Board, but I also want to tell you in advance that this is a job that requires you to donate time regularly, even during your workday at times, to be a satisfactory board member. For example, I started preparing this article at home on a Sunday evening and I am completing the task during my lunch hour. It is not unusual to receive, review, process and forward email to handle FISSEA's business even when I am on vacation or at home evenings or during the weekend. In my opinion, the time a board member gives to FISSEA and his/her level of commitment to its mission will determine his/her effectiveness as a member of the board. I have found serving on the FISSEA Board rewarding, challenging and a blessing in many ways. We need you if you are willing and able to serve.
FISSEA Editor's Column
By Louis M Numkin, CISM, USNRC
We are really looking forward to seeing you at the Conference!
Providing the newsletter is a labor of love for those of us who contribute. And, since our publishing date is so close to Valentine's Day, I wanted to share the love. So, during the conference, we will invite you to contribute your thoughts for the next issue of our publication. Each attendee will wear a second hat as a "cub reporter." Being a nonprofit organization, it is important that you come prepared. In other words, bring your official reporter pen/pad/pencil/paper/PDA/laptop. Wear your hat creatively as we are looking for the flavor of the conference - what you liked or disliked (perish the thought) and anything which was really worthy of note. You are encouraged to be colorful. During a speaker where you need not take notes, just jot down a stanza or two of poetry or a paragraph of prose which covers something on your mind or that you've seen/discussed. This is not meant to be a critique sheet and attribution will be optional. If you author a masterpiece, just give it to me during the conference and we'll try to include it in the subsequent issue of FISSEA News and Views. "You have your mission, Mr. Phelps."
Also, during the conference, your Editor goes undercover, wearing the disguise of "Cruise Director." Food plays a role in any successful gathering and our conference is no different. The UofMD University College has no "mystery meat." But, they do have an excellent variety of delicious flavors which we will get to enjoy. We are also planning our traditional evening out around an Italian theme. The area near our venue has a historic and tasty restaurant where we will gather for supper. Car pools will be established at the conference for those without transportation. So, when you come to the conference, come hungry for info, food and fun!
It is hard to believe that another year has flown by. Why, it was just yesterday when we gathered in Silver Spring for Awareness, Training, and Education. And, now, here we are again, ready for another wonderful opportunity to meet peers, share experiences, and hear from leaders in our field of endeavor. Wow... I can hardly wait!
Permit me to close by thanking each of you again for your readership and participation. Your submissions and comments have been appreciated and hopefully, you have found our recently revised newsletter format to your liking.
Have a virus-free day,
Submitted by Curt Carver, US Military Academy
The FISSEA Conference is right around the corner and the agenda is set! Here are a couple of abstracts (one from each day) to pique your interest. This is just the tip of the iceberg as FISSEA has more speakers and presentations than ever before. You can see the agenda at
The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training
The Federal Information Security Management Act (FISMA) places significant requirements on Federal agencies for the protection of enterprise information and information systems-including requirements for security awareness training. The National Institute of Standards and Technology (NIST) is leading the development of key information system security standards and guidelines as part of its FISMA Implementation Project. This high priority project includes the development of security categorization standards (FIPS Publication 199), guidelines for the specification and selection of security controls for information systems (NIST Special Publication 800-53), and guidelines for the security certification and accreditation of information systems (NIST Special Publication 800-37). This session will cover the key provisions of the FISMA legislation, the publications developed by NIST in support of this legislation, and the security controls associated with security awareness training.
Pros & Cons of Contracting For Awareness & Training Work: Government Perspectives
requirements for departments and agencies to conduct awareness and training as parts of their information security programs are long-standing. It is no great mystery regarding what has to be done. However, awareness and training remain near the top of the list of problem areas reported by OMB to Congress each year. One problem facing federal organizations is the effective contracting for some or all aspects of an information security awareness and training program. These aspects can include designing the program, developing material, implementing the program, and maintaining
The Panelists will consider these questions as they describe their experiences, their successes, and their setbacks. They will provide a set of lessons learned that will make others' related jobs easier.
Assurance Education OR Training:
The Centers of Academic Excellence in Information Assurance Education (CAEIAE) program is an outreach program designed and operated by the National Security Agency (NSA) in the spirit of Presidential Decision Directive 63 (PDD 63), National Policy on Critical Infrastructure Protection, May 1998. Education (demonstrate understanding and apply knowledge) and training (apply knowledge) are often seen as degrees of depth and breadth, with the former being the deepest and widest. The current CAEIAE program does a great job of providing undergraduates the information (topics) and knowledge they need to become effective IA professionals; however, the program needs to evolve into one that effectively integrates training objectives (skill, ability, and proficiency) with learning objectives (conceptual understanding, active learning, and contextualized application). This paper will propose an evolutionary strategy for effectively integrating the current CAEIAE Training Standards' criteria into pedagogically viable and student-focused learning objectives and experiences.
Submitted by Michael Arant, VA
As FISSEA-types, don't we often view cyber security through a different lens from the one our more technical peers use? We tend to see security and its thorny problems as human issues. Where others see solutions as technical, we see them as organizational or even individual. In short, we recognize that security is all about people. People who care about the improved services secure computers enable. People who are alert to threats to computers and can counter them. People who are trained, empowered, motivated, and authorized to implement effective security controls.
In the Department of Veterans Affairs (VA), cyber security is a profession. This year VA's cyber security community has undergone training and testing in cyber security. We call those who have successfully undergone the training and testing "Cyber Security Practitioners" or CSPs. The group includes facility Information Security Officers, VA's cyber security program office staff, and other folks who have an interest.
It has not always been this way. Until recently, cyber security was just one extra duty and a job few had an interest in. The one thing many cyber security staff aspired to was to get out of security and into a job with a future, support, and recognition. Sound familiar?
The result? Huge turnover in cyber security staff. Awful Congressional "Report Cards." Denial of service to veterans while Internet worms ran rampant. An Office of the Inspector General report designating the VA as having a "material weakness" in cyber security. In a triumph of understatement, these are undesirable circumstances. Just ask my boss!
The Office of Cyber and Information Security (OCIS) within VA's Office of Information and Technology has changed the VA's approach to cyber security. Among other things, OCIS has implemented VA Secretary Principi's direction that a "rigorous process" be put in place to certify that people responsible for cyber security are knowledgeable and able to secure VA's information assets. What a notion! We should expect folks to actually demonstrate they know what they're about! And because VA wants to attract and retain motivated people, OCIS has implemented the certification program as part of an overall CSP Professionalization initiative.
The initiative also provides on-line training 24/7 and classroom training at VA InfoSec Conferences and at VA Information Technology Conferences (VAITC). All the training resources required are centrally funded and managed. All told, OCIS provides sixty VA contact hours of cyber security certification-related training per year. To date, over 400 VA staff have successfully taken the training and passed the CSP Certification exam. By the way, you should know that the Body of Knowledge (BOK) we use is not industry off-the-shelf, although we tapped into those sources when appropriate. The BOK is government- and VA-specific. As a VA product, it's freely available; we can even send you a copy.
In addition, the initiative provides a framework for a true career for those interested in security, complete with standard Position Descriptions and potential for professional advancement. The next steps in the program will be credentials issued by OCIS authorizing facility CSPs to act "locally in the interest of VA-wide security." After that, we take on a program of incentives so that we can retain the security "brain trust" we've cultivated and attract other good people. In fact, opportunity to attend CISSP-preparation training and to sit the exam is already one of our incentives.
Most important, improved training and skills bolster cyber security and that in turn enhances the trust our customers, America's veterans and other beneficiaries, have in VA computers and the services those computers help VA provide.
VA's OCIS is proud of this initiative, seeing it as a model for other government agencies' cyber security programs. We've already encountered, confronted, and conquered many of the issues many of you might meet in your journeys toward corporate professionalization programs. We're also glad to tell you more. If you are interested, just call me or drop me an e-mail. Ask me about our training program in general and make sure I tell you about VA InfoSec. While we're at it, there are lots of other things we're doing in cyber security in VA that we'd like to talk to you about.
S. Arant, CISSP (Team Leader Training / Cyber Security Liaison)
Submitted By Peggy Himes, NIST
The FISSEA Executive Board consists of a total of 11 members. Nominations may be made prior to the conference and from the floor of the conference. A FISSEA member who wishes to serve on the Executive Board may nominate him/herself. Please give careful consideration to the time and commitment involved before making the decision to run. The Executive Board meets monthly in Gaithersburg, Maryland. Board members should attend the monthly meetings as well as the 3-day annual conference. You should have your management's approval prior to accepting FISSEA Board responsibilities.
The board members listed below are serving the second year of their two-year term. It is not necessary to nominate them.
The term for the following board members expires in March 2004. If they want to serve another term, they will have to be nominated and elected by the membership at the annual business meeting in March.
Barbara Cuffie, Social Security Administration, will continue to serve on the Board as Past Chair allowing for one additional Board slot. Robert Solomon retired from NASA and will not continue his level of support for FISSEA on the Board.
E-mail the name of the nominee, employing organization, position or title, phone number, email address to Peggy Himes, firstname.lastname@example.org.
Also, provide a Qualification Statement: (You must have the permission of the nominee to submit his/her name. What has the nominee done to warrant this nomination?)
Finally, provide the name of the person making this nomination with an E-mail address and/or Phone Number.
This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at email@example.com
From the Sunday, 18JAN2004 Washington Post Comics Section: For any of FISSEA's budding columnists, please don't get "Cosmoitis." We look forward to receiving your article(s) for our next issue which will come out after the Annual Conference. Any questions, please contact our Newsletter
3-4MAR2004 The third annual Mid-Atlantic Network Security Forum - Washington, DC - The Forum is an intimate gathering of experienced network security professionals from government, education and the Fortune 2000 who share technical insights in a confidential environment. It is based on the Harvard Business School teaching method of interactive discussions led by expert faculty. Peer-to-peer briefings further enable participants to hear live accounts of security challenges and deployments. The all-new curriculum for 2004 includes the topics of patch management, wireless security, application IDS and firewalls, as well as perimeter security and managing a security operation. Faculty will include Becky Bace, Marcus Ranum, Eric Cole, Fred Avolio and Greg Shipley. Other sessions around the country:
9-11MAR2004 - 17th Annual FISSEA Conference, "Awareness, Training, and Education - The Driving Force Behind Information Security", will be held at The Inn and Conference Center, University of Maryland University College (UMUC), Adelphi, Maryland. Electronic registration available at www.nist.gov/conferences until February 27th. For other questions contact Peggy Himes, NIST, firstname.lastname@example.org. Please see the preliminary agenda under "2004 Conference" on your FISSEA website, http://csrc.nist.gov/fissea. Walk-in registration is accepted.
World Conference and Expo/2004 - Orlando, FL - The Rosen Centre Hotel - Optional Workshops: March 20, 21, 24, 25 & 26 - Vendor Expo: March 22 & 23. 80 in-depth sessions on timely topics, panel discussions,
23-25MAR2004 FOSE will be held at the Washington, DC, Convention Center. Admission is free for Government employees. Over 400 exhibitors, various pavilions (including Wireless, DoD, and a Homeland Security Center), CIO Showcase of Excellence, free seminars and Keynotes. More info at www.Fose.com or phone 1(800)791-FOSE.
Information Resources Management
"Process Improvement and Management, Process-Centered Organizational Transformation and Process Change Programs - Strategies for Process Improvement Course" - The course examines strategies, management processes and resources for process improvement within and across federal agencies. An executive-level perspective is provided on the tools, techniques, and technologies that enable process-centric performance improvements in how federal agencies achieve their missions. It also examines the management and information resource issues of transforming industrial age organizations into information age process-centric enterprises and broader process-centered partnerships, coalitions, alliances, Quality Improvement Programs and strategies, and the leadership challenges of initiation, collaboration, design, implementation and portfolio management of process-centric improvements within and across agencies. It examines key issues of concern to, for example, the DoD's Business Management Modernization Program initiative, the Federal Government's Enterprise Architecture initiatives, and the President's Management Agenda on e-Government. Attendance by higher-level managers in civilian grades GS/GM 13 to 15 and military grades O-5 to O-6 is particularly encouraged.
"Enterprise Architecture" - Examines EA as a management tool to facilitate implementation of strategic direction, explores the integration of EA with strategic and resource planning, information assurance, and acquisition management, and introduces the use of EA frameworks to improve the capability maturity level of the EA to meet its intended purpose. Other topics include the role of the CIO in EA management, the use of models and standards, implementation issues, and an overview of enterprise information assurance/security architecture. Strategies are also addressed for using EA to address enterprise problems such as interoperability and information sharing with the intent of improving enterprise performance of mission or business operations - details on this course offering can be found at ndu.edu/irmc
28JUN-2JUL2004 - "Information Operations and National Security (ION)" - Critically analyzes the role that information and information technology play as strategic elements of the information component of national power. The course examines the current and emerging concepts affecting those charged with executing national security strategy and those who shape the global environment to meet national security objectives. Selected technical and management topics are discussed, to include the nation's intelligence sharing initiatives, interagency coordination, and the role of senior leaders in protecting and exploiting the global information infrastructure. Recent legislation and policy initiatives related to shaping the use of information as an element of national power are also discussed. It is designed for military grades O-5 to O-6 and civilian grades GS/GM 13-15 or equivalent. The goal of the course is to enable students to evaluate, analyze, and develop an understanding of the strategic implications of information operations and the information component of national power relating to the national security strategy of the United States.
Computer Security Institute's upcoming training classes. For more information, contact Computer Security Institute, 600 Harrison Street, San Francisco, CA 94107, phone (415)947-6320, or e-mail email@example.com, online www.GoCSI.com/training
Facilitated Risk Analysis for Business and Security, Gaithersburg, MD,
SANS Institute is demonstrating its commitment to cooperative research and education. 2004 marked the Grand Opening of the SANS Press Room at www.sans.org/press. A wide array of easy-to-use resources has been put together to assist you in covering Information Security for your upcoming articles. All of the resources, press releases, sound bites, and other information in the Press Room are there for you to use immediately without the need to request prior permission.
5-8APR2004 Storage Networking World - JW Marriott Desert Ridge Resort in Phoenix, AZ - IT executives and leaders of storage intensive user-organizations will be presenting. To see the agenda or register, visit http://www.snwusa.com?s=reg
ISACA upcoming events: EuroCACS - 21-24 March 2004 - Zurich, Switzerland - contact Sandy Arens at 1(847)253-1545, ext. 485, e-mail firstname.lastname@example.org, or check the web page http://www.isaca.org/eurocacs2004. Considered a leading conference for IS audit, control, assurance and
"Wireless Security Essentials" by Russell Dean Vines, copyright 2002, was recently reviewed by Robert M. Slade, who can be reached at: email@example.com, firstname.lastname@example.org, email@example.com. Mr. Slade's comments are positive in stating that "Although not perfect, this book is an extremely useful guide to the security issues surrounding the use of wireless devices. Of the various books reviewed on the topic of wireless LANs and security, it is the best work seen to date...Part one deals with the foundational aspects of the technology and Part two covers security essentials."
Karta offers a web-based information security training product which addresses the FISMA reporting requirement for specialized training for those with significant security responsibilities, as well as agency-wide Security Awareness. The library of 65+ courses covers four different tracks: Network Security, Data Security, Security Policy and Guidelines, and Security Planning. Each course is mapped to a variety of roles, and 18 different training plans have been created based on the roles and their corresponding responsibilities as outlined in NIST SP 800-16. The IT Security Library is a web-based training suite certified by the NSA/CNSS for mapping to NSTISSI standard No. 4013. Students are able to earn NSA/CNSS approved certifications for completing 50 pre-mapped course hours. For those who currently hold or plan to hold a CISSP or SSCP, CPE credit can be earned for every completed course hour. For more information, please contact George Soltys, at 703-309-3038 or firstname.lastname@example.org.
nCircle and CISCO are offering free Vulnerability Assessment seminars, titled "Tackle Your Security Flaws Before Someone Else Does" in many areas of the country. You receive a free Gartner Report and White Paper when you register. For information, call (888)464-2900 or write to nCircle, 101 Second Street, Suite 400, San Francisco, CA 94105
in Government Conference from Government Executive Magazine is accepting proposal submissions for their DC Convention Center conference. Deadline for submissions is 3MAR2004 and they must be submitted electronically. This year's five tracks are:
Last Modified: February 26, 2004.