The Oscars have just been announced, and the winners are:
- Best Awareness Series = Security in the City
- Most Enlightening Performance = Educators Among Us
- Outstanding Mini Series = FISSEA Annual Conference
- Best Supporting Stars of a Comedy Series = NIST Staffers: Peggy (Sue) Himes and Mark (Antonio)
- Winner of five Golden Globe Awards = Awareness in America (soon available on a PC near you)
- Best Musical Score = "Who Let The Dogs Out" performed by L (L) Baskerville
- Outstanding Ensemble Cast for a Reality Program = The Leadership Team for FISSEA's 2005 Annual Conference, Curt Carver, William Suchan, Barbara Cuffie, and Patrice
- Best Original Screenplay Script = FISSEA News and Views
These are just some of the awards for this Executive Board Year.
Would you like to be a FISSEA Star? Come join the cast by considering running
for our Exec Board. Think about it... you could be a Scriptwriter by
submitting articles to our quarterly newsletter... you could be a Director
as a Committee Chair... or you could be a Producer of a Workshop.
Award Shows have nothing on us. You already have what Matt LeBlanc and
Friends do not... a membership in an EMMY Award winning organization
where EMMY is an acronym:
* E = Education
* M = Mentorship
* M = Multi-organization (representing Academia, Private
Industry, and Government)
* Y = YOU
Screen Tests will be held during our 22-23MAR2005 Annual Conference.
This show's title "Target Training" is already up in
lights. For ticket pricing, check the FISSEA web site (no scalping here,
it's a Broadway level show at a little theatre price).
Please bring along your own sheet music in the form of an acknowledgement
from your agent (management) that you may, if elected, actively participate
by attending casting calls (monthly business meetings) and your energy
and ingenuity to perform as a cast member and star. Inform him/her that
we play to intimate audiences of our peers and improve our own repertoire
by sharing knowledge in a variety of venues. In return, you'll receive
accolades and ovations both from within the organization as well as
from your "day job" thanks to the participation.
So, what do you say? Will we applaud your performance on our Exec Board?
This is the finest acting troupe on the Awareness, Training, and
Education stage of the Computer Security Theatre. Hope to see you on
the red carpet.
Louis M. Numkin, CISM
FISSEA Executive Producer
CISM, Board Chair*
LTC Curt Carver,
Jr., Conference Director*
CISSP, Past Chair
Thomas Foss **
Gretchen Ann Morris,
Mary Ann Strawn**
LTC Will Suchan,
Mark Wilson, CISSP,
NIST Liaison, Assistant Chair*
Peggy Himes, Executive
Assistant to Bd, Newsletter Editor
* Term ends March
** Term ends March 2006
Note From the Editor
By Peggy Himes, NIST
I'd like to take this opportunity to remind everyone of some housekeeping
items. If you move, please send your new information, including email
address, phone number, and the snail mail address to firstname.lastname@example.org.
If you retire, please suggest to your successor that they join FISSEA
and drop us a note so we can correct our records.
We have many aliases set up. If you want
to ask fellow members a question on IT security, send your question
to the listserve using email@example.com.
Your listserve has approximately 500 members and you are asked to respond
directly to the individual rather than the entire list.
The membership voted that the listserve not be used for advertising
unless you have a free event that relates to computer security awareness,
training, and education. However, the "Trainia" section of
the newsletter which Louis Numkin started includes fee events. Please
send a brief description paragraph to firstname.lastname@example.org.
The contest for security posters, trinkets,
and websites is explained in detail in another article in this issue
and on the FISSEA website, http://csrc.nist.gov/fissea.
You can view the winners from last year's contest. To submit entries
to this contest, please send them to email@example.com
by February 1, 2005.
In the last issue (July04) we mentioned a contest for the redesign
of the FISSEA logo. Please review the rules and submit entries to firstname.lastname@example.org,
attention "FISSEA Logo Contest".
The FISSEA Educator of the Year Award has been in existence since 1991.
The following highly regarded people have received this award:
- Jeff Recor, Walsh College
- Patricia Black, U.S. Department
- LTC Daniel Ragsdale, U.S.
- George Bieber, Defense
Information Systems Agency (DISA)
- Dr. Roger Quane, National
- Louis Numkin, Nuclear
- Dorothea de Zafra, National
Institute of Health
John B. Ippolito, Allied Technology Group, Inc
Sadie Pitcher, U.S. Department of Commerce
John Tressler, U.S. Department of Education
- Joan Pohly, Defense Information
- Gale Warshawsky, Dept
of Energy: Lawrence Livermore National Laboratory
- Lt. Col. E. C. "Lee"
Chambers, U.S. Air Force
- Dr. Corey Schou, Idaho
- Dr. Vic Maconachy, National
- Dr. Gary W. Smith, Department
Nominations for the next Educator of the Year will be accepted until January 31,
2005. Complete instructions and sample letters are available on the
You may want to think about running for the FISSEA Executive Board.
Several members are up for reelection and a few will be retiring. The
board meets monthly in Gaithersburg with the opportunity to also call-in.
Planning the annual conference is one of the major projects. Other projects
that board members work on include hosting various ATE workshops, submitting
input to the website, writing newsletter articles, and providing outreach
and publicity on behalf of FISSEA.
Lastly, the FISSEA annual conference (March 22-23) will be held in
a brand new location. It's so new you may have trouble finding it in
a search of hotels. But rest assured it is a real conference center
and it will be ready for the March conference. It's located at the White
See you in March!
NEW FISSEA Workshop:
NIST SP800-16 - 16Nov04
By: Mark Wilson, NIST
If you have wanted to know how to use NIST
Special Publication 800-16 - "Information Technology Security Training
Requirements: A Role- and Performance-Based Model" - but haven't
had the time to learn on your own, FISSEA is going to help you. FISSEA
will hold its third workshop - How to Use NIST Special Publication
800-16 - on Tuesday, November 16, 2004, in the NIST North building,
near the main NIST campus. The workshop is free. It will begin at 9:30am
and end at 12:30pm. Conducting the workshop will be FISSEA Executive
Board member and the Editor of Special Publication 800-16, Mark Wilson.
Prerequisite: Please be familiar with NIST Special Publication 800-50,
Building an Information Technology Security Awareness and Training
Program, at http://csrc.nist.gov/publications/nistpubs/index.html.
Pre-registration for the workshop is mandatory
and space is limited to 30. To register, contact Peggy Himes at (301)
975-2489 or email@example.com.
(If you want to attend, but this date is in conflict with your schedule,
let Peggy know; FISSEA may schedule another session.)
Security Awareness is most
effective when people practice security habits daily.
By Melissa Guenther, LLC
That said, individuals and groups have
established specific date(s) to provide opportunities to focus on security
behaviors. The purpose of this document is to provide information to
help differentiate between the multiple Security Awareness Day(s), their
purpose, and links to more information on each. As stated previously
- every day is security awareness day - it is not an either/or situation.
Specific days (highlighted below) are not
enough to raise a community's awareness of cyber, personal and physical
security issues and promote safe practices. Therefore, in addition to
any of the time frames below, many groups are scheduling other times
to participate and celebrate safe habits.
A great example can be viewed at
by Educational Technology Outreach.
Security Awareness Day - Physical, Information
and Personal Security
The concept of NSAD differs in that it
tries to establish a culture of security without focusing solely on
computers. It also seeks the validation of a government proclamation
so that less effort can go into attracting attention to the event each
year, leaving more energy devoted to supporting it. Once approved, I
would also want to draw attention to the other awareness events to help
raise awareness throughout the year.
Please support the establishment of U.S.
National Security Awareness Day as an annual observance (similar to
Veterans Day). The concept is simple: dedicate a day to mentoring U.S.
citizens in the threats facing our country and what they can do to help
There must be top down support of a national
security awareness program. Cyber security is a large part of that.
However, businesses need to be reminded of their responsibilities under
security legislation such as Sarbanes-Oxley and GLBA. Businesses also
need to annually renew their commitments to information security, business
continuity and disaster recovery programs.
The U.S. needs to undergo a cultural change
to effectively protect against the threats facing it. We need to continue
to improve our security posture. The government cannot do this on its
own. It needs the support of its citizens. The concept of U.S. National
Security Awareness Day is a proactive approach.
Want to make a difference? Let's do it
Cyber Security Day - Computer Security
October 31 and April 4
First held in 2002, the semi-annual National
Cyber Security Days are coordinated with daylight savings in April and
October in the U.S. and are intended to raise the public's awareness
of cyber-security issues and promote safe online practices. Sunday,
October 31, 2004, is the next Cyber Security Day. Set some time aside
this week to update your anti-virus software and scan your computer
for viruses. Also, check out the Top Ten Security Tips for more
information on keeping your computer safe from hackers.
Colleges and Universities Recognize
Security Day with Campus Events
Setting your clocks forward or back for
Daylight Saving Time and replacing the batteries in smoke detectors
are rituals repeated every spring and fall. Similarly, the National
Cyber Security Alliance established April 4, 2004, as Cyber Security
Day to raise awareness about Internet safety and computer security issues.
Colleges and universities across the country are planning security education
and awareness events between March 29 and April 2 to help promote Cyber
International Computer Security Day
International Computer Security Day is
a globally recognized annual event set up to inform computer users of
the significance of computer security. Computer Security Day began in
1988 when the Washington, D.C., chapter of the Association for Computing
Machinery (ACM) sought to bring computer-related security issues to
the nation's forefront. Since that time, Computer Security Day has evolved
into a worldwide event. This annual event is held around the world on
November 30th, although some organizations choose to have functions on
the next business day if it falls on a weekend.
Thinking Out of the Book
By Jim Litchko, Jim Litchko & Associates, Inc.
Question: "How hard could it be to
teach IT security to managers who were very interested in the subject?"
Answer: "Very, very hard when you
are only using the typical IT security text book."
That answer is based on my first experience
teaching computer security at Johns Hopkins University to quasi-technical
managers in 1988. Like today, the textbooks on the subject were filled
with technical terms and concepts that do not relate to everyday realities.
During the first class, I felt like I had just dropped my class into
the pool's cold deep end and I was yelling, "STROKE, KICK, BREATH
The lucky ones were only treading water.
I knew there had to be a better way.
That night my father called and he said,
"I just read The Readers Digest article on Cliff Stoll's
book The Cuckoo's Egg and now I understand what you do."
My father, who had an eighth-grade education and never saw a computer,
understood computer security? I had to read this book. And I did.
I was impressed with the simplicity that
Cliff used to relate his story on discovering and tracking down his
hacker. It reminded me of the "sea stories" that I heard in
the Navy. It was then that I remembered my senior enlisted explaining
that "sea stories" were not just to entertain sailors; they
were to provide lessons and/or introduce them to strategies to solve
problems. Entertain and inform - two key characteristics of effective
At the next class, I gave each student
a copy of Cliff's book, provided them a description of the book to get
them interested in the story, instructed them to be prepared to discuss
it at the next class, and dismissed them.
At the next class, I asked them to identify
what they liked about Cliff's book. By using the stories that they identified,
I was able to "back" them into understanding what they had
perceived to be complex subjects. For example, having the class
first talk about Cliff printing all the traffic on borrowed printers,
reviewing the printouts, and finding the hacker's tracks made it much
easier for the class to grasp concepts like audit, anti-virus, and intrusion
detection and prevention.
Since then, I have seen others use fairy
tales, sea stories, news articles, and other storybooks to successfully
ease my students into deep IT security topics. What they use depends
on the subject and the audience's background.
So, when you are thinking about how to
teach people about what they perceive is a complex subject, think out
of the textbook. Think of using non-technical stories that will allow
them to wade into the shallows and slowly build their confidence before
diving into some of the deep topics related to IT security.
Author is Jim Litchko, adjunct professor,
professional speaker, and author of KNOW Your Life and KNOW IT Security,
and co-author of KNOW Cyber Risk.
and website www.litchko.com.
For overviews and a look at the covers, you can go to www.knowbookpublishing.com.
This column's name is
a contraction of the words "Training" and "Trivia." It includes information
on upcoming conferences, book reviews, and even humor. The purpose is
to provide readers with places to go and things to use in pursuing and/or
providing Computer Security awareness, training, and education. However,
FISSEA does not warrant nor determine the value of any inclusions. Readers
are encouraged to do their own checking before utilizing any of this
data. If readers have items to submit to this column, please forward
them to firstname.lastname@example.org.
2004 FISMA Reporting Instructions.
The Office of Management and Budget (OMB) released the 2004 Reporting
Instructions for the Federal Information Security Management Act. A
copy of the memorandum, identified as M-04-25 (Aug 23, 2004), can be
obtained from the White House web site at http://www.whitehouse.gov/omb/memoranda/index.html.
NIST Special Publication 800-53 (Second Public Draft), Recommended
Security Controls for Federal Information Systems is now available
at the NIST Computer Security Division web site, http://csrc.nist.gov/publications/drafts.html.
Comments will be accepted at email@example.com
until November 31, 2004. Final publication is expected on January 31,
2005. See the NIST FISMA Implementation website, http://csrc.nist.gov/sec-cert
for additional FISMA-related information.
Security Posters Available Free!
If you are on the FISSEA listserve, you already saw this message from
a new FISSEA member, Bill Uttenweiler. Bill graciously offered the use of
his security posters. "I am in several security groups on the California
Central Coast. Every two months we make new security awareness/education
posters available on our web site. They are in PDF format, so you can
click on one to download it. Hope the posters are useful for you --
and to those you forward this to. God Bless the USA! Bill Uttenweiler,
805-606-7722 DSN: 276-7722 For free downloadable security posters, go
October 26-27, 2004 - Federal Information
Assurance Conference (FIAC), UMUC Inn & Conference Center, Adelphi,
MD. The 4th Annual FIAC is designed to meet the real-world information
assurance needs of the Federal Government and its workforce. This two-day
event will provide useful information and educational opportunities
for federal managers, acquisition and procurement officials, network
and systems administrators, and information security professionals.
This year's event features a FISMA Plenary Session presented by OMB
and NIST. Three tracks will cover: Ensuring Agency-wide Program Awareness;
Developing an Enterprise Security Culture; and Deploying Successful
Programs and Solutions. CPE credits are available for CISSP and SSCP
certified attendees. The cost to attend FIAC 2004 is $495 for Government
Employees and $595 for industry. For more information and to register
on-line go to www.fbcinc.com/fiac.
The day tutorials are on the 28th. Contact information: Bob Jeffers,
FBC, (800) 878-2940, x226, firstname.lastname@example.org
October 28-29, 2004 - Disaster Preparedness
and Continuity of Operations (COOP) - Optimizing Your COOP Program
Under FPC 65. Ronald Reagan Building, Washington, DC. This two-day workshop
will give you practical experience in applying Federal Preparedness
Circular 65 guidance in developing a program and writing your department's
or agency's Continuity of Operations (COOP) Plan and/or developing or
managing an improved Disaster Preparedness Program. Call 703-683-5561,
November 1-4, 2004 - Back to
the Future: Find the Future of Information Security in New Orleans SANS
CDI South. That's where SANS will introduce a program of one and
two day intensive technology courses on topics ranging from Cutting
Edge Hacking Techniques to Ethics, from Business Law and Computer Security
to Auditing Wireless Security. If you cannot afford the time for a full
week of training, or if you want to focus on two to four topics important
to your security program, you won't find a better security conference
anywhere. In particular, if you were thinking about attending one of
the twenty or thirty old security conferences run by other organizations,
compare the faculty they offer against SANS teachers, the timeliness
and practicality of the information, and the value you will bring back
to your employer (not to mention the weather) and we think it will be
easy to choose SANS CDI South in New Orleans over any other security
November 8-10, 2004 - 31st Annual
CSI Computer Security Conference & Exhibition. Marriott Wardman
Park, Washington, DC. Featuring the largest and most comprehensive conference
program anywhere: 14 tracks and 160 sessions on Introduction to Computer
Security, Management and Governance, Awareness Training & Education,
Risk and Audit, Wireless Technology & Security, Attacks and Countermeasures,
Legal, Compliance and Privacy, Continuity, Response & Recovery, Forensics,
Technology (Double Track), Government, Critical Issues, Infrastructure
...and much more. The Exhibition November 7-9 features 175 exhibitors
displaying the latest security products and technologies. Join over
2500 security pros in Washington, D.C. this November and get the knowledge
and skills you need to succeed in the year ahead. For more information
on attending call Computer Security Institute at (415) 947-6320 or email
November 16, 2004 - Third FREE FISSEA
Workshop! NIST Special Publication 800-16. NIST North, Gaithersburg,
MD, Lecture Room 152, 9:30-12:30. Space is limited and preregistration
is necessary. Contact Mark Wilson, email@example.com
for technical questions and firstname.lastname@example.org
for registration. See page 3 for details.
November 16, 2004 - Homeland Defense
Training Conference. GIS in Homeland Security: Creating the Common
Operational Picture (COP) to Improve Situational Awareness. Location:
Executive Conference Center, NRECA Headquarters Building, 4301 Wilson
Boulevard, Arlington, VA. Further information, call 703-807-2753 and
speak to Maurice Martin. www.homelanddefensejournal.com
November 18-19, 2004 - CSI Security
Awareness Peer Group, in Washington, DC for the first time, hosted
by International Finance Corporation (IFC). CSI's Security Awareness
Peer Group is a friendly idea exchange for people specializing in the
security awareness function at their organization. Registrants will
plan the agenda based on their own needs. Come and compare your awareness
program activities with sophisticated programs from corporate America.
$1895 for first person, second at $745. Meals included. Call or email
Pam Salaway for more details (631.878.2205, email@example.com)
or visit CSI's website at www.gocsi.com/peers/peer.jhtml
April 4-6, 2005 - InfoSec World Conference
and Expo 2005, Disney's Coronado Springs Resort/Orlando, FL http://www.misticom/09/os05eb1_infosecworld.html
INFOSEC WORLD: 360 Security. For more than a decade, MIS Training Institute's
InfoSec World Conference & Expo has been the one event that top information
security pros have attended to get up-to-date information, real-world
strategies, and cutting-edge techniques for mitigating risk, securing
critical data, and strengthening the enterprise. In 2005, InfoSec World
will reach new heights in education and offer you the full spectrum
of information security like never before! MIS Training Institute, 498
Concord St., Framingham, MA 01702-2357. Tel: (508) 879-7999. E-mail:
March 22-23, 2005 - Federal Information
Systems Security Educators' Association (FISSEA) Annual Conference,
"Target Training in 2005" to be held at the new Bethesda North
Marriott Hotel and Conference Center on Marinelli Road in North Bethesda
(White Flint Metro Stop). Please save the date and plan to attend. Emerging
details will be announced on the FISSEA website at http://csrc.nist.gov/fissea.
At the FISSEA conference you will discover new ways to improve your
security program, enjoy high quality relevant presentations, gain awareness
and training ideas, resources, and contacts. Please see the Call for
Participation in this issue.
Federal Information Systems Security Educators' Association (FISSEA) Security Poster, Trinket
& Website Contest
By: Contest Coordinator
If you failed to participate in FISSEA's
first Security Poster, Trinket and Website Contest, you are being afforded
another opportunity to do so. This contest has been and will be an integral
part of the FISSEA Conference. This venue affords organizations an opportunity
to showcase their security paraphernalia that educates via the security
themes or messages presented in each poster, trinket or website submitted.
This contest affords organizations an
opportunity to not re-invent. If the security message articulated in
an item submitted, these items may be shared among the FISSEA community.
Below are the rules for the contest:
Rules and Guidelines
This contest includes Awareness, Training and Education posters, trinkets
(pens, sewing kits, stress relief items, t-shirts, etc.) and websites.
Each category of the competition will be judged separately. A winner
will be selected from each category and awarded a certificate at the
annual FISSEA conference.
- Only one item in each category may be submitted (1 poster, 1 website,
and/or 1 trinket). However, an individual or organization may enter
in all three categories.
- The entries must be submitted by a FISSEA member prior to the deadline
of February 1, 2005.
- Entries must have a security education theme and be part of the
organization's current security awareness program. All entries must
be original and wholly unclassified.
- A Contest Entry Form must accompany all entries and is available
on the FISSEA website http://csrc.nist.gov/fissea.
Each submission automatically agrees to allow FISSEA to publish; however,
only the winning entries will be published on the FISSEA web page.
- PowerPoint will be used to prepare each entry. One slide will be
designated the Entry Form for the category followed by the entry for
that category. All slides should be e-mailed to: firstname.lastname@example.org.
- Any item not adhering to the rules and entry guidelines will be
ineligible. The decision of the contest supervisor is final.
- A committee of at least three FISSEA members will judge the contest.
The judges will evaluate each category (poster, website and/or trinket)
on the basis of originality, security message, and graphic concept.
- The winners in each category will be announced at the FISSEA Conference.
A certificate will be awarded to each winner with a congratulatory
letter signed by the FISSEA Executive Board Chairperson.
Call for Participation --
"Target Training in 2005"
FISSEA Conference, March 2005
You are cordially invited to participate in and attend the Federal Information
Systems Security Educators' Association Conference (FISSEA 2005) to
be held March 22-23, 2005 at the new Bethesda North Marriott
Hotel and Conference Center. Now in its 18th year, FISSEA 2005 is the
national forum for government, industry, and academic managers, educators,
and researchers involved with security awareness, training, and education.
As in previous years, the conference will include birds-of-a-feather,
papers, tutorials, panels, presentations, demos, and exhibitions. Topics
range the entire spectrum to include: management of information security
programs and personnel, conducting security training, information security
and assurance curriculums, supporting technologies (network, wireless,
encryption, vulnerability tools, educational tools), security labs,
intrusion response programs, organizational behavior, certification,
regulations, and emerging technologies.
We invite you to participate by submitting an abstract and joining us at
this new exciting conference location. If you need to learn more about
the latest security awareness, training, and education practices, tools,
and research, this is the conference for you.
Keynote speakers for this year's conference have already been coordinated.
If you are interested in being a keynote speaker for future FISSEA conferences,
please contact Curt Carver at email@example.com.
Papers and presentations are allocated 25-50 minutes and cover the range
of conference topics. Each submission consists of two parts:
- A separate title page
  - The title or topic;
  - A contact author with postal address and electronic mail address;
  - The name(s) of the authors, organizational affiliation(s), telephone
    and FAX numbers; and,
- An abstract of no more than 300 words (the abstract is acceptable
  in ASCII, PostScript, or PDF format only) NLT 29 October to Will Suchan
- Papers and presentations will be due NLT 28 January 2005. They
  will be published in the conference proceedings.
The conference will also offer tutorials (one hour) on the state-of-the-art
topics in information security. Each tutorial proposal should provide
a title, topics to be covered (in less than 300 words), targeted audience,
prerequisites, and a brief biography and qualifications of the instructor.
Proposals should be submitted by October 29, 2004 to Will Suchan at
Demos and experiential showcases of interactive security awareness and
educational environments are highly encouraged. These may include any
of the themes outlined in the conference's topics. Each demonstration
should provide a title, targeted audience, brief persuasive abstract
of why this demonstration is appropriate to FISSEA conference attendees
(300 words or less), prerequisites, and a brief biography and qualifications
of the instructor. Proposals should be submitted by October 29, 2004
to Will Suchan at firstname.lastname@example.org.
A panel session will examine innovative, promising, or controversial
issues related to information security awareness, training, and education
from a governmental, academic, or industrial point of view. The panel
will also address challenges and future prospects. Audience participation
will be welcomed. Proposals should be submitted by October 29, 2004
to Will Suchan at email@example.com.
For those who have a topic of interest to the attendees that requires
less than twenty-five minutes, there is a speak-out session scheduled
for this purpose. Please contact Curt Carver at firstname.lastname@example.org
to schedule time.
| October 29, 2004 | Deadline for abstract |
| November 19, 2004 | Notification of Acceptance |
| January 28, 2005 | Papers and presentations |
| March 22-23, 2005 | 2005 FISSEA Conference! |
Visit the FISSEA website: http://csrc.nist.gov/fissea
Contact the program chair: