News and Views

Federal Information Systems Security Educators' Association

Issue Three of FISSEA Year 2004-2005
October 2004



From the Chair


The Oscars have just been announced, and the winners are:

  • Best Awareness Series = Security in the City
  • Most Enlightening Performance = Educators Among Us
  • Outstanding Mini Series = FISSEA Annual Conference
  • Best Supporting Stars of a Comedy Series = NIST Staffers: Peggy (Sue) Himes and Mark (Antonio) Wilson
  • Winner of five Golden Globe Awards = Awareness in America (soon available on a PC near you)
  • Best Musical Score = "Who Let The Dogs Out" performed by L (L) Baskerville
  • Outstanding Ensemble Cast for a Reality Program = The Leadership Team for FISSEA's 2005 Annual Conference, Curt Carver, William Suchan, Barbara Cuffie, and Patrice Boulanger
  • Best Original Screenplay Script = FISSEA News and Views

and these are just some of the awards for this Executive Board Year.

Would you like to be a FISSEA Star? Come join the cast by considering running for our Exec Board. Think about it... you could be a Scriptwriter by submitting articles to our quarterly newsletter... you could be a Director as a Committee Chair... or you could be a Producer of a Workshop.

Award Shows have nothing on us. You already have what Matt LeBlanc and Friends do not... a membership in an EMMY Award winning organization where EMMY is an acronym:

* E = Education
* M = Mentorship
* M = Multi-organization (representing Academia, Private Industry, and Government)
* Y = YOU

Screen Tests will be held during our 22-23MAR2005 Annual Conference. This show's title "Target Training" is already up in lights. For ticket pricing, check the FISSEA web site (no scalping here, it's a Broadway-level show at a little theatre price).

Please bring along your own sheet music in the form of an acknowledgement from your agent (management) that you may, if elected, actively participate by attending casting calls (monthly business meetings) and your energy and ingenuity to perform as a cast member and star. Inform him/her that we play to intimate audiences of our peers and improve our own repertoire by sharing knowledge in a variety of venues. In return, you'll receive accolades and ovations both from within the organization as well as from your "day job" thanks to the participation.

So, what do you say? Will we applaud your performance on our Exec Board? This is the finest acting troupe on the Awareness, Training, and Education stage of the Computer Security Theatre. Hope to see you on the red carpet.

Louis M. Numkin, CISM
FISSEA Executive Producer


FISSEA Executive Board

Louis Numkin, CISM, Board Chair*

Lewis Baskerville, CISM*

LTC Curt Carver, Jr., Conference Director*

Barbara Cuffie, CISSP, Past Chair

Thomas Foss **

Tanetta Isler*

Gretchen Ann Morris, CISSP**

Jeffrey Seeman**

Mary Ann Strawn**

LTC Will Suchan, Conference Program**

Marvella Towns, Conference Contests*

Mark Wilson, CISSP, NIST Liaison, Assistant Chair*

Peggy Himes, Executive Assistant to Bd, Newsletter Editor

* Term ends March 2005
** Term ends March 2006


Note From the Editor

By Peggy Himes, NIST
I'd like to take this opportunity to remind everyone of some housekeeping items. If you move, please send your new information, including email address, phone number, and the snail mail address to If you retire, please suggest to your successor that they join FISSEA and drop us a note so we can correct our records.

We have many aliases set up. If you want to ask fellow members a question on IT security, send your question to the listserve using Your listserve has approximately 500 members and you are asked to respond directly to the individual rather than the entire list.

The membership voted that the listserve not be used for advertising unless you have a free event that relates to computer security awareness, training, and education. However, the "Trainia" section of the newsletter which Louis Numkin started includes fee events. Please send a brief description paragraph to or

The contest for security posters, trinkets, and websites is explained in detail in another article in this issue and on the FISSEA website, You can view the winners from last year's contest. To submit entries to this contest, please send them to by February 1, 2005.

In the last issue (July04) we mentioned a contest for the redesign of the FISSEA logo. Please review the rules and submit entries to, attention "FISSEA Logo Contest".

The FISSEA Educator of the Year Award has been in existence since 1991. The following highly regarded people have received this award:

  • Jeff Recor, Walsh College
  • Patricia Black, U.S. Department of Treasury
  • LTC Daniel Ragsdale, U.S. Military Academy
  • George Bieber, Defense Information Systems Agency (DISA)
  • Dr. Roger Quane, National Security Agency
  • Louis Numkin, Nuclear Regulatory Commission
  • Dorothea de Zafra, National Institute of Health
    John B. Ippolito, Allied Technology Group, Inc
    Sadie Pitcher, U.S. Department of Commerce
    John Tressler, U.S. Department of Education
  • Joan Pohly, Defense Information Systems Agency
  • Gale Warshawsky, Dept of Energy: Lawrence Livermore National Laboratory
  • Lt. Col. E. C. "Lee" Chambers, U.S. Air Force
  • Dr. Corey Schou, Idaho State University
  • Dr. Vic Maconachy, National Security Agency
  • Dr. Gary W. Smith, Department of Defense

Nominations for the next Educator of the Year will be accepted until January 31, 2005. Complete instructions and sample letters are available on the FISSEA website.

You may want to think about running for the FISSEA Executive Board. Several members are up for reelection and a few will be retiring. The board meets monthly in Gaithersburg with the opportunity to also call-in. Planning the annual conference is one of the major projects. Other projects that board members work on include hosting various ATE workshops, submitting input to the website, writing newsletter articles, and providing outreach and publicity on behalf of FISSEA.

Lastly, the FISSEA annual conference (March 22-23) will be held in a brand new location. It's so new you may have trouble finding it in a search of hotels. But rest assured it is a real conference center and it will be ready for the March conference. It's located at the White Flint Metro.

See you in March!


NEW FISSEA Workshop:
NIST SP800-16 - 16Nov04

By: Mark Wilson, NIST

If you have wanted to know how to use NIST Special Publication 800-16 - "Information Technology Security Training Requirements: A Role- and Performance-Based Model" - but haven't had the time to learn on your own, FISSEA is going to help you. FISSEA will hold its third workshop - How to Use NIST Special Publication 800-16 - on Tuesday, November 16, 2004, in the NIST North building, near the main NIST campus. The workshop is free. It will begin at 9:30am and end at 12:30pm. Conducting the workshop will be FISSEA Executive Board member and the Editor of Special Publication 800-16, Mark Wilson. Prerequisite: Please be familiar with NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, at

Pre-registration for the workshop is mandatory and space is limited to 30. To register, contact Peggy Himes at (301) 975-2489 or (If you want to attend, but this date is in conflict with your schedule, let Peggy know; FISSEA may schedule another session.)


Security Awareness is most effective when people practice security habits daily.

By Melissa Guenther, LLC

That said, individuals and groups have established specific date(s) to provide opportunities to focus on security behaviors. The purpose of this document is to provide information to help differentiate between the multiple Security Awareness Day(s), their purpose, and links to more information on each. As stated previously - every day is security awareness day - it is not an either/or situation.

Specific days (highlighted below) are not enough to help a community's awareness of cyber, personal and physical security issues and promote safe practices. Therefore, in addition to any of the time frames below, many groups are scheduling other times to participate and celebrate safe habits.

A great example can be viewed at
by Educational Technology Outreach.


Security Awareness Day - Physical, Information and Personal Security
September 10

The concept of NSAD differs in that it tries to establish a culture of security without focusing solely on computers. It also seeks the validation of a government proclamation so that less effort can go into attracting attention to the event each year leaving more energy devoted to supporting it. Once approved, I would also want to draw attention to the other awareness events to help raise awareness throughout the year.

Please support the establishment of U.S. National Security Awareness Day as an annual observance (similar to Veterans Day). The concept is simple: dedicate a day to mentoring U.S. citizens in the threats facing our country and what they can do to help address them.

There must be top down support of a national security awareness program. Cyber security is a large part of that. However, businesses need to be reminded of their responsibilities to security legislation such as Sarbanes-Oxley and GLBA. Businesses also need to annually renew their commitments to information security, business continuity and disaster recovery programs.

The U.S. needs to undergo a cultural change to effectively protect against the threats facing it. We need to continue to improve our security posture. The government cannot do this on its own. It needs the support of its citizens. The concept of U.S. National Security Awareness Day is a proactive approach.

Want to make a difference? Let's do it together.


Cyber Security Day - Computer Security
October 31 and April 4

First held in 2002, the semi-annual National Cyber Security Days are coordinated with daylight savings in April and October in the U.S. and are intended to raise the public's awareness of cyber-security issues and promote safe online practices. Sunday, October 31, 2004, is the next Cyber Security Day. Set some time aside this week to update your anti-virus software and scan your computer for viruses. Also, check out the Top Ten Security Tips for more information on keeping your computer safe from hackers.


Colleges and Universities Recognize Cyber Security Day with Campus Events
April 4

Setting your clocks forward or back for Daylight Saving Time and replacing the batteries in smoke detectors are rituals repeated every spring and fall. Similarly, the National Cyber Security Alliance established April 4, 2004, as Cyber Security Day to raise awareness about Internet safety and computer security issues. Colleges and universities across the country are planning security education and awareness events between March 29 and April 2 to help promote Cyber Security Day.


International Computer Security Day
November 30 and

International Computer Security Day is a globally recognized annual event set up to inform computer users of the significance of computer security. Computer Security Day began in 1988 when the Washington, D.C., chapter of the Association for Computing Machinery (ACM) sought to bring computer-related security issues to the nation's forefront. Since that time, Computer Security Day has evolved into a worldwide event. This annual event is held around the world on November 30th, although some organizations choose to have functions on the next business day if it falls on a weekend.


Thinking Out of the Book

By Jim Litchko, Jim Litchko & Associates, Inc.

Question: "How hard could it be to teach IT security to managers who were very interested in the subject?"

Answer: "Very, very hard when you are only using the typical IT security text book."

That answer is based on my first experience teaching computer security at Johns Hopkins University to quasi-technical managers in 1988. Like today, the textbooks on the subject were filled with technical terms and concepts that do not relate to everyday realities. During the first class, I felt like I had just dropped my class into the pool's cold deep end and I was yelling, "STROKE, KICK, BREATHE - UNDERSTAND!"

The lucky ones were only treading water. I knew there had to be a better way.

That night my father called and he said, "I just read the Reader's Digest article on Cliff Stoll's book The Cuckoo's Egg and now I understand what you do." My father, who had an eighth-grade education and never saw a computer, understood computer security? I had to read this book. And I did.

I was impressed with the simplicity that Cliff used to relate his story on discovering and tracking down his hacker. It reminded me of the "sea stories" that I heard in the Navy. It was then that I remembered my senior enlisted explaining that "sea stories" were not just to entertain sailors; they were to provide lessons and/or introduce them to strategies to solve problems. Entertain and inform - two key characteristics of effective training.

At the next class, I gave each student a copy of Cliff's book, provided them a description of the book to get them interested in the story, instructed them to be prepared to discuss it at the next class, and dismissed them.

At the next class, I asked them to identify what they liked about Cliff's book. By using the stories that they identified, I was able to "back" them into understanding what they had perceived to be complex subjects. For example, having the class first talk about Cliff printing all the traffic on borrowed printers, reviewing the printouts, and finding the hacker's tracks made it much easier for the class to grasp concepts like audit, anti-virus, and intrusion detection and prevention.

Since then, I have seen others use fairy tales, sea stories, news articles, and other storybooks to successfully ease my students into deep IT security topics. What they use depends on the subject and the audience's background.

So, when you are thinking about how to teach people about what they perceive is a complex subject, think out of the textbook. Think of using non-technical stories that will allow them to wade into the shallows and slowly build their confidence before diving into some of the deep topics related to IT security.

Author is Jim Litchko, adjunct professor, professional speaker, and author of KNOW Your Life and KNOW IT Security, and co-author of KNOW Cyber Risk.
Email and website For overviews and look at the covers you can go to



Trainia

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to and/or


2004 FISMA Reporting Instructions. The Office of Management and Budget (OMB) released the 2004 Reporting Instructions for the Federal Information Security Management Act. A copy of the memorandum, identified as M-04-25 (Aug 23, 2004), can be obtained from the White House web site at NIST Special Publication 800-53 (Second Public Draft), Recommended Security Controls for Federal Information Systems is now available at the NIST Computer Security Division web site, Comments will be accepted at until November 31, 2004. Final publication is expected on January 31, 2005. See the NIST FISMA Implementation website, for additional FISMA-related information.


Security Posters Available Free! If you are on the FISSEA listserve, you already saw this message from a new FISSEA member, Bill Uttenweiler. Bill graciously offered the use of his security posters. "I am in several security groups on the California Central Coast. Every two months we make new security awareness/education posters available on our web site. They are in PDF format, so you can click on one to download it. Hope the posters are useful for you -- and to those you forward this to. God Bless the USA! Bill Uttenweiler, 805-606-7722 DSN: 276-7722 For free downloadable security posters, go to"


October 26-27, 2004 - Federal Information Assurance Conference (FIAC), UMUC Inn & Conference Center, Adelphi, MD. The 4th Annual FIAC is designed to meet the real-world information assurance needs of the Federal Government and its workforce. This two-day event will provide useful information and educational opportunities for federal managers, acquisition and procurement officials, network and systems administrators, and information security professionals. This year's event features a FISMA Plenary Session presented by OMB and NIST. Three tracks will cover: Ensuring Agency-wide Program Awareness; Developing an Enterprise Security Culture; and Deploying Successful Programs and Solutions. CPE credits are available for CISSP and SSCP certified attendees. The cost to attend FIAC 2004 is $495 for Government Employees and $595 for industry. For more information and to register on-line go to The day tutorials are on the 28th. Contact information: Bob Jeffers, FBC, (800) 878-2940, x226,


October 28-29, 2004 - Disaster Preparedness and Continuity of Operations (COOP) - Optimizing Your COOP Program Under FPC 65. Ronald Reagan Building, Washington, DC. This two-day workshop will give you practical experience in applying Federal Preparedness Circular 65 guidance in developing a program and writing your department's or agency's Continuity of Operations (COOP) Plan and/or developing or managing an improved Disaster Preparedness Program. Call 703-683-5561,


November 1-4, 2004 - Back to the Future: Find the Future of Information Security in New Orleans SANS CDI South. That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four topics important to your security program, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timeliness and practicality of the information, and the value you will bring back to your employer (not to mention the weather) and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference.


November 8-10, 2004 - 31st Annual CSI Computer Security Conference & Exhibition. Marriott Wardman Park, Washington, DC. Featuring the largest and most comprehensive conference program anywhere - 14 tracks and 160 sessions on: Introduction to Computer Security, Management and Governance, Awareness Training & Education, Risk and Audit, Wireless Technology & Security, Attacks and Countermeasures, Legal, Compliance and Privacy, Continuity, Response & Recovery, Forensics, Technology (Double Track), Government, Critical Issues, Infrastructure ...and much more. The Exhibition November 7-9 features 175 exhibitors displaying the latest security products and technologies. Join over 2500 security pros in Washington, D.C. this November and get the knowledge and skills you need to succeed in the year ahead. For more information on attending call Computer Security Institute at (415) 947-6320 or email,


November 16, 2004 - Third FREE FISSEA Workshop! NIST Special Publication 800-16. NIST North, Gaithersburg, MD, Lecture Room 152, 9:30-12:30. Space is limited and preregistration is necessary. Contact Mark Wilson, for technical questions and for registration. See page 3 for details.


November 16, 2004 - Homeland Defense Training Conference. GIS in Homeland Security: Creating the Common Operational Picture (COP) to Improve Situational Awareness. Location: Executive Conference Center, NRECA Headquarters Building, 4301 Wilson Boulevard, Arlington, VA. Further information, call 703-807-2753 and speak to Maurice Martin.


November 18-19, 2004 - CSI Security Awareness Peer Group, in Washington, DC for the first time, hosted by International Finance Corporation (IFC). CSI's Security Awareness Peer Group is a friendly idea exchange for people specializing in the security awareness function at their organization. Registrants will plan the agenda based on their own needs. Come and compare your awareness program activities with sophisticated programs from corporate America. $1895 for first person, second at $745. Meals included. Call or email Pam Salaway for more details (631.878.2205, or visit CSI's website at


April 4-6, 2005 - InfoSec World Conference and Expo 2005, Disney's Coronado Springs Resort/Orlando, FL http://www.misticom/09/os05eb1_infosecworld.html INFOSEC WORLD: 360 Security. For more than a decade, MIS Training Institute's InfoSec World Conference & Expo has been the one event that top information security pros have attended to get up-to-date information, real-world strategies, and cutting-edge techniques for mitigating risk, securing critical data, and strengthening the enterprise. In 2005, InfoSec World will reach new heights in education and offer you the full spectrum of information security like never before! MIS Training Institute, 498 Concord St., Framingham, MA 01702-2357. Tel: (508) 879-7999. E-mail: Web:


March 22-23, 2005 - Federal Information Systems Security Educators' Association (FISSEA) Annual Conference, "Target Training in 2005" to be held at the new Bethesda North Marriott Hotel and Conference Center on Marinelli Road in North Bethesda (White Flint Metro Stop). Please save the date and plan to attend. Emerging details will be announced on the FISSEA website at At the FISSEA conference you will discover new ways to improve your security program, enjoy high quality relevant presentations, gain awareness and training ideas, resources, and contacts. Please see the Call for Participation in this issue.


Federal Information Systems Security Educators' Association (FISSEA) Security Poster, Trinket & Website Contest

By: Contest Coordinator

If you failed to participate in FISSEA's first Security Poster, Trinket and Website Contest, you are being afforded another opportunity to do so. This contest has been and will be an intricate part of the FISSEA Conference. This venue affords organizations an opportunity to showcase their security paraphernalia that educates via the security themes or messages presented in each poster, trinket or website submitted.

This contest affords organizations an opportunity to not re-invent. If the security message articulated in an item submitted, these items may be shared among the FISSEA community. Below are the rules for the contest:

Rules and Guidelines
This contest includes Awareness, Training and Education posters, trinkets (pens, sewing kits, stress relief items, t-shirts, etc.) and websites. Each category of the competition will be judged separately. A winner will be selected from each category and awarded a certificate at the annual FISSEA conference.


  1. Only one item in each category may be submitted (1 poster, 1 website, and/or 1 trinket). However, an individual or organization may enter in all three categories.
  2. The entries must be submitted by a FISSEA member prior to the deadline of February 1, 2005.
  3. Entries must have a security education theme and be part of the organization's current security awareness program. All entries must be original and wholly unclassified.
  4. A Contest Entry Form must accompany all entries and is available on the FISSEA website Each submission automatically agrees to allow FISSEA to publish, however, only the winning entries will be published on the FISSEA web page.
  5. PowerPoint will be used to prepare each entry. One slide will be designated the Entry Form for the category followed by the entry for that category. All slides should be e-mailed to:
  6. Any item not adhering to the rules and entry guidelines will be ineligible. The decision of the contest supervisor is final.


  1. A committee of at least three FISSEA members will judge the contest. The judges will evaluate each category (poster, website and/or trinket) on the basis of originality, security message, and graphic concept.
  2. The winners in each category will be announced at the FISSEA Conference. A certificate will be awarded to each winner with a congratulatory letter signed by the FISSEA Executive Board Chairperson.


Call for Participation -- "Target Training in 2005"
FISSEA Conference, March 2005

You are cordially invited to participate in and attend the Federal Information Systems Security Educators' Association Conference (FISSEA 2005) to be held March 22-23, 2005 at the new Bethesda North Marriott Hotel and Conference Center. Now in its 18th year, FISSEA 2005 is the national forum for government, industry, and academic managers, educators, and researchers involved with security awareness, training, and education. As in previous years, the conference will include birds-of-a-feather, papers, tutorials, panels, presentations, demos, and exhibitions. Topics range the entire spectrum to include: management of information security programs and personnel, conducting security training, information security and assurance curriculums, supporting technologies (network, wireless, encryption, vulnerability tools, educational tools), security labs, intrusion response programs, organizational behavior, certification, regulations, and emerging technologies.

We invite you to participate by submitting an abstract and joining us at this new exciting conference location. If you need to learn more about the latest security awareness, training, and education practices, tools, and research, this is the conference for you.

Submission Details
Keynote Speakers
Keynote speakers for this year's conference have already been coordinated. If you are interested in being a keynote speaker for future FISSEA conferences, please contact Curt Carver at

Papers and presentations are allocated 25-50 minutes and cover the range of conference topics. Each submission consists of two parts:

  1. A separate title page with:
    • The title or topic;
    • A contact author with postal address and electronic mail address;
    • The name(s) of the authors, organizational affiliation(s), telephone and FAX numbers; and,
  2. An abstract of no more than 300 words (acceptable in ASCII, postscript, or PDF format only), NLT 29 October, to Will Suchan at
  3. Papers and presentations will be due NLT 28 January 2005. They will be published in the conference proceedings.

The conference will also offer tutorials (one hour) on the state-of-the-art topics in information security. Each tutorial proposal should provide a title, topics to be covered (in less than 300 words), targeted audience, prerequisites, and a brief biography and qualifications of the instructor. Proposals should be submitted by October 29, 2004 to Will Suchan at

Demos and experiential showcases of interactive security awareness and educational environments are highly encouraged. These may include any of the themes outlined in the conference's topics. Each demonstration should provide a title, targeted audience, brief persuasive abstract of why this demonstration is appropriate to FISSEA conference attendees (300 words or less), prerequisites, and a brief biography and qualifications of the instructor. Proposals should be submitted by October 29, 2004 to Will Suchan at

A panel session will examine innovative, promising, or controversial issues related to information security awareness, training, and education from a governmental, academic, or industrial point of view. The panel will also address challenges and future prospects. Audience participation will be welcomed. Proposals should be submitted by October 29, 2004 to Will Suchan at

Speak out
For those who have a topic of interest to the attendees that requires less than twenty-five minutes, there is a speak-out session scheduled for this purpose. Please contact Curt Carver at to schedule time.

Important Dates

October 29, 2004 - Deadline for abstract submission
November 19, 2004 - Notification of Acceptance
January 28, 2005 - Papers and presentations due
March 22-23, 2005 - 2005 FISSEA Conference!

For More Information
Visit the FISSEA website:

Contact the program chair:

Curtis A. Carver Jr.

Will Suchan


Last Modified: October 20, 2004.