News and Views

Federal Information Systems Security Educators' Association

Issue Two of FISSEA Year 2005-2006
August/September 2005



From the Chair


Last time I wrote about how my car's brake job made me think of the Executive Board transition. Please bear with me as I continue the automotive maintenance theme.

Today, I am writing while awaiting the return of my car from the mechanic who is changing my oil. I can well remember my youth when crawling under a chassis was an almost daily event and skinned knuckles or grease under my nails was a badge of honor. As cars have become more and more sophisticated and computerized, just like in the world of technology, owners have increasingly become "users". How many of us have cracked open our personal CPU to add a SIMM or troubleshoot a hardware problem?

On the wall of this waiting room hangs a beautiful speed photo poster of a sleek red racecar upon which appears the slogan, "At 244 MPH, Luck's Got Nothing to do With It." Who among us "users" is lucky enough to take our personal computer apart with the self-assurance that we will be able to return it to a functioning machine? Remember as a youngster, when we took things like bikes and watches apart and when reassembled had "extra" pieces lying around which once were within?

Whenever we travel, we need to know that our vehicles are running well enough to make it to the beach, mountains, or even just to the gas station. To be successful, we must be aware of what makes a car run -- gas, oil, tire pressure, etc. Likewise, as computer security awareness/training/education practitioners, we need to know what is important to our organizations.

I have always found value in listening to the car radio. Oftentimes while riding to work I hear about a problem which is affecting computers (like a new virus or scam) and consider informing my organization or family/friends. Getting awareness ideas from news media is a good start but they must be validated before being believed. Remember, the information is often being read by a technically inexperienced or even technophobic individual. Credibility is essential, so research anything about which you are unsure.

In planning for your 2005 observance of Computer Security Awareness Day/Week/Month, please do the same. Ask management and co-workers what is of current interest. Don't just listen to the newscaster unless the report is about your own organization's technical malfeasance or abuse of the public trust. (You may know how morning coffee tastes more acidic when these reports are aired?) But these current items will draw the most attendees and provide them the greatest bang for the buck. You are in the driver's seat, so go for the gusto and, instead of being left at the starting line, you and your organization will be well on the way to capturing the checkered flag of the security Awareness 500.

Hope you had a safe and enjoyable summer,

Louis Numkin, CISM
Internal Revenue Service


FISSEA Executive Board 2005-2006


Please NOTE: When using these e-mail addresses, substitute the AT with @ (minus the spaces between the words); that way the board members will not be flooded with SPAM mail from the e-mail web crawler programs that search web pages for e-mail addresses.

Louis Numkin, CISM, Board Chair**
louis.numkin AT
LTC Curt Carver, Jr., Conference Director**
curtis.carver AT
Barbara Cuffie, CISSP, Assistant Chair**
4312 AT
Thomas Foss*
tomfoss AT
Susan Hansche, CISSP-ISSEP**
susan.hansche AT
James Litchko**
jim AT
Gretchen Ann Morris, CISSP*
gretchen.a.morris AT
K Rudolph, CISSP**
kaie AT
Jeffrey Seeman*
jaseema AT
Mary Ann Strawn, Publicity*
mast AT
LTC Will Suchan, CISSP, Conference Director*
will.suchan AT
NIST Contacts (Not Elected):
Mark Wilson, CISSP, NIST Liaison

mark.wilson AT
Peggy Himes, Executive Assistant to Bd
peggy.himes AT
Patrick O'Reilly, Website
patrick.oreilly AT

* Term ends March 2006
** Term ends March 2007

Newsletter Editors:
Mark Bedell, Logical Security,
markbedell AT
Nanette Poulios, Walsh College,
npoulis AT



Federal Information Systems Security Educators' Association

Presented by:
U.S. Department of State, Diplomatic Security Training Center Information Assurance Training Team in collaboration with the Federal Information Systems Security Educators' Association (FISSEA)

Attendees are invited to participate in a panel discussion on the best practices for designing and implementing information systems security training specifically tailored for the executive role. We will begin the discussion with an overview of how NIST SP 800-16 defines the executive role. Panelists will then discuss their personal experiences and lessons learned with the participants. This will include both instructor-led and distance learning options that are available for agencies to consider. The final item for the workshop will be to generate a list of possible options that can be used to deliver executive-level information systems security training. Thus, participants will leave with many ideas that can be used in their own organization for implementing information systems security training for executives.

Training professionals interested in or responsible for ensuring that role-based training requirements are met in an effective learning environment. Attendees should be familiar with NIST or other federal guidance regarding information systems security, and related policies and procedures that have been developed by their agencies.

  Stay for the 2nd ISSO Roundtable!

11:00am - 12:30pm

The ISSO Roundtable is an interagency group of IA training professionals interested in sharing ISSO training material.

Wednesday, October 12, 2005

U.S. Department of State
Diplomatic Security Training Center
2216 Gallows Road
Dunn Loring, VA (Tyson's Corner area)

9:00am - 11:00am

Free to FISSEA members!

Maximum 40 people, first-come, first-served

You must pre-register by October 6, 2005

Reservation contact:
Cydney Peyton, (703) 204-6137 or Peggy Himes, (301) 975-2489
Provide your name, agency, position title, email address, and phone number


FISSEA Conference 2006

By Curt Carver, USMA, FISSEA Conference Program Co-Director

It's the most wonderful time of the year! Why might you ask? It's that time of year for anticipation: what is in store for the FISSEA 2006 conference? The scoop is a mix of old favorites, new favorites, and a careful consideration of the most awesome contributions of our members. The 2006 conference will return to the Bethesda North Marriott Hotel and Conference Center, which proved to be overwhelmingly popular with our members. Similarly, the conference will retain its two-day format. This year the conference will run 20 and 21 March 2006. The overall structure of the conference will be similar, but we will shorten the first day of the conference, increase the size of the main room so that we have a little more space, and add vendors back in to enhance your ability to network and collect logo pens. The theme for the conference is "Training for a Cyber Secure Future, FISSEA 2006," which highlights the critical role of preparing well so that our future is secure. The call for papers will be released shortly and, if it is like previous years, we are likely to be overwhelmed with submissions and the conference is likely to sell out again. Ah, the anticipation of the fall for a spring conference. Old favorites and new favorites and the gathering of friends sounds like FISSEA 2006.


Cyber Security Awareness Month

By Justin R. Ripley, US Department of State

Members of the US Department of State's "Awareness Team" recently held a month long event designed to teach, inform, and demonstrate to the domestic Department user community, i.e., IT staff, senior management, and end-users, how and why Cyber Security Awareness is important. The goal of the month was to encourage all Department personnel to be aware of their security responsibilities and their role in safeguarding information processed or stored on automated information systems used by the Department, as well as to raise the overall understanding of the current prevalent threats.

The month's activities kicked off on June 7th with an introductory speech by Deputy Assistant Secretary for Diplomatic Security, Joe Morton followed by a keynote address from the Department's acting Chief Information Officer, Mr. Jay Anania. Mr. Anania spoke of the importance of cyber security awareness at the Department and the commitment of those involved in information assurance activities.

On the following day, a roundtable discussion was held during which a number of experts from various government organizations (including representatives from FBI, NSA and DISA) spoke about their own experiences implementing awareness and training programs for their respective organizations, and the challenges that the Federal sector faces as we move forward.

Some of the best-received events took place during the month's second week, which was geared towards personal home computer use. Presenters from McAfee, Booz Allen Hamilton, CISCO Corporation, and AOL spoke to users about the unique threats associated with the wireless technologies that are becoming increasingly ubiquitous. Individuals attending this session heard a brief history of wireless technologies, but most importantly learned the specific steps needed to secure a wireless home network and achieve a minimum level of protection.

Another session held during this week demonstrated the use of strong passwords to users. Examples of effective passwords were shown, and a password cracking demonstration was conducted. Inevitably, the majority of the audience members were amazed at how easily and quickly passwords can be hacked through the use of this free technology, available on the web to anyone.

The third week of the Cyber Security Awareness Month focused on the information technology professional. Tara Manzow from CompTIA gave a presentation on the future of the IT workplace, with a specific emphasis on those who are engaged in information assurance activities.

Further presentations covered information regarding the value of certifications for IT professionals, pay incentives offered by the Department for holders of these certifications, and the perceived future of the necessity for certification. In addition, several Department employees responsible for protecting State's electronic information assets spoke of their role and mission to ensure a secure and cost effective security stance for the Department.

The final week of the month saw a demonstration on hacking techniques as well as a hands-on Hacker Lab sponsored and conducted by Dr. Robert Young of National Defense University. Individuals were able to see firsthand how a hacker works and subsequently learned how to protect themselves against this threat.

The entire month concluded with an "Awareness Fair" in which numerous vendors, government agencies, and State Department offices, were able to advertise their products and/or services and generally disseminate information concerning information awareness.

The Department's Chief Information Security Officer, Ms. Jane Scott Norris served as the closing keynote speaker for the event. Ms. Norris addressed the recent security events that have been reported in the media, information security's role, challenges, managing risk, and OMB's Information Systems Security Line of Business initiative.

Awareness month was a tremendous success for the Department, with approximately 1,000 unique visitors attending the various events held throughout the month. This was just the first of what we hope will become an annual fixture at the Department of State, and we hope that future Awareness Months include even greater participation and cooperation with both the private sector and other branches of the Federal government.

A number of private and Federal organizations participated in this first annual Cyber Security Awareness Month. All contributed greatly to the breadth of information that could be promulgated to a diverse workforce, and were instrumental in the overall success of the event. They include: McAfee, Inc., America On Line, CISCO Corporation, Booz Allen Hamilton, CompTIA, Verizon, Symantec, the National Security Agency, the Federal Bureau of Investigation, the Department of Defense, the National Defense University, and the US Agency for International Development.



Making the Cyber Security Grade

Why have so many government agencies failed at getting a passing grade for their IT security programs?

Not enough senior management support, experts, technology, trusted commercial software, resources, standards, etc. are the common answers given to this question. The real answer is they are using the wrong approach.

Wrong Approach

Yes, the wrong approach is being used. Over the past three decades, the two most common approaches that have been used are: the "Secure It" and the "Technology" approaches.

The "Secure It" approach is where the goal is to build a 100% secure system. This approach is accepted by "risk averse", "risk avoidance" managers, who are easily persuaded by FUD (Fear, Uncertainty and Doubt) justifications or scare tactics.

The "Technology" approach's goal is to prevent all attacks on a system using technical solutions. Security justifications that use technical terms and complex explanations (e.g., SSL, Cracker, DDOS, VPN, IDS, PKI, etc.) contribute to executives' lack of understanding of and support for IT security. Also, technology's inability to make IT systems 100% secure has resulted in the scientific community's constant demand for more cyber security research and development funding.

After supporting over 100 IT security assessments, from one of the Army's most advanced command and control systems to an Internet gambling casino, I have concluded the following truths:

  • A 100% secure IT system is not affordable, nor will it meet operational requirements or be user acceptable.
  • The most successful IT system security programs are 10-30% technology and the remaining 70-90% traditional security solutions (policy, procedures, physical, personnel, etc.).
  • Using the best, most complex and strongest security solutions can kill a business faster than any hacker, insider, virus, or terrorist.
  • Securing any IT system without an understanding of the business or mission, operations, and users will fail.

The Correct Approach

The correct approach is from a "Business or Mission" perspective where the goal of security is to meet an organization's goals and objectives. This approach starts with knowing the organization's business or mission, operations, flow of information, and users.

Business or Mission is about meeting the goals and objectives of the organization. What is its purpose? Examples might be: distribute grants or loans, deploy or supply troops, connect harvested vital organs to patients, provide information and/or forms to the public, sell and ship products, etc.

Operations are about how they accomplish the goals and objectives and by what structure. Some examples might be: interfaces with banks, control of shipping, partnerships with hospitals, when forms need to be submitted, vendor agreements, etc.

The flow of information is important because it explains how things are controlled, how people are informed so they can take actions and/or make decisions, what is sensitive and what is public, how fast information has to move, etc.

Users' expectations, culture, environment and capabilities (knowledge and capabilities - computer and network connections) are critical to determining what security solutions will be most effective for a system. Would an accountant and a researcher accept the same authentication solution? Can a soldier in a battle complete complex manual security procedures? What personal information is considered sensitive to individuals filling out the forms? What would be the result if an online store required that buyers have a smartcard to conduct a transaction?

The Business or Mission approach allows anyone to gather the above information without asking one security question, making the assessment much more comfortable for the system personnel. It also allows them to gain a better understanding of why the system is there, how it operates, what elements are critical, and what security is required. Examples:

  • The computer providing the corporate homepage only needs integrity protection to protect it from unauthorized changes, whereas the system selling products must protect customer information, so it requires confidentiality, integrity, and authentication.
  • The system providing forms can be down for days, but the system coordinating vital organ transfers must always be available 24/7.

The approach will also give the owner business, mission and operational understanding, terminology, motivations and justifications that will allow them to promote the need for security to their management and users for more resources and compliance.

Finally, it will allow you to explain to the auditors and senior management why the system's residual security risks and deviations from standards are acceptable for operational reasons.


The advantages of the Business/Mission approach over the Secure and Technical approaches are obvious:

  • Makes assessment relevant and less invasive to the owner.
  • Improves owner's awareness of the system and its impact on operations.
  • Allows for the more effective use of resources and setting priorities.
  • Helps identify the most acceptable solution for operations and users.
  • Provides realistic justifications for explaining needs to executives and users.
  • Supports compliance with regulations and standards, like NIST, FISMA, etc.

These are all the right reasons to use a Business or Mission approach and why it will allow an organization to gain a passing cyber security grade.

Recently, a consultant started a security assessment by asking, "Where is your firewall?" The system owner responded, "Don't you want to know what our system supports?" The consultant answered, "No, I am here to secure your system not improve your business." The owner correctly got another consultant and so should you.

Jim Litchko, CAS, and Al Payne, CISSP, IT security experts and authors of KNOW Cyber Risk and KNOW IT Security, corporate executives and strategic advisors, and IT managers and entrepreneurs.


Book Review:

Managing an Information Security and Privacy Awareness and Training Program
By Rebecca Herold
Auerbach Publications (April 27, 2005)
ISBN: 0849329639

The Definitive Book on Information Security Practice, July 24, 2005
Reviewer:     Dr. Stephenson

I'll begin by saying that I have two broad comments about Ms. Herold's new book, Managing an Information Security and Privacy Awareness and Training Program. First, it may be the definitive book on the topic and seems to have enough meat to be the definitive book on the practice of information security in general. It approaches the profession in the right way: people-oriented. That is rare and important. Second, I actually read it from cover to cover - a rare thing for me. Professional books usually find their ways to my reference library and are used mostly for that purpose, not for general reading.

In the over twenty years I have been in the information security profession I have seen a lot of approaches to managing the security of organizational information. There is one common thread that ties all of those approaches together. The successful ones address the people who use and manage that information. Technology simply is a collection of tools to assist the information assurance manager with the task. It has been said that there are management solutions to technical problems but no technical issues to management problems. Ms. Herold addresses this homily head-on and does it with style, personality and skill.

Her experience shows, as does the commentary from two icons in our profession, Donn Parker and Hal Tipton. If you have any questions about whether you should buy this book, read their comments in the Preface and Foreword.

I have known Becky for many years and I respect her skill, experience and ability to present important issues clearly, concisely and understandably. Her latest book does all that and more.

If I was told that I was moving to a new office and could take only two boxes of books with me from my library, I would fill both with technical books but I would leave space for the only two general books on information assurance I will ever need. One is "The Computer Security Handbook" edited by my good friend and long-time colleague Dr. Mich Kabay. The other would have to be "Managing an Information Security and Privacy Awareness and Training Program". It would take more than the two boxes to cover technical issues in security, but I could put Mich's and Becky's books in my briefcase. Then I would have the perfect security library.

This book is highly recommended for any information assurance professional (or aspiring professional), manager with information assurance responsibilities, or training coordinator. I'm sure there are others who need this new offering as well, but Amazon only allows so much space for these reviews. I also will be highly recommending this book to our students in the MSIA program at Norwich.

Peter R. Stephenson, PhD, CISSP, CISM, FICAF
Associate Program Director, MSIA
Norwich University


Security Awareness Day

By Melissa Guenther

Security Awareness is every day - individuals and groups have established specific date(s) to provide opportunities to focus on security behaviors. The purpose of this document is to provide information to help differentiate between the multiple Security Awareness Day(s), their purpose, and links to more information on each. As stated previously - every day is security awareness day - it is not an either/or situation.

Security Awareness is most effective when people practice security habits daily

Specific days (highlighted below) are not enough to help the community's awareness of cyber, personal and physical security issues and promote safe practices. Therefore, in addition to any of the time frames below, many groups are scheduling other times to participate and celebrate safe habits.

A great example can be viewed at
by Educational Technology Outreach.

Security Awareness Day - Physical, Information and Personal Security
September 10th

The concept of National Security Awareness Day (NSAD) differs in that it tries to establish a culture of security without focusing solely on computers. It also seeks the validation of a government proclamation so that less effort can go into attracting attention to the event each year leaving more energy devoted to supporting it. Once approved, I would also want to draw attention to the other awareness events to help raise awareness throughout the year.

Please support the establishment of U.S. National Security Awareness Day as an annual observance (similar to Veterans Day). The concept is simple: dedicate a day to mentoring U.S. citizens in the threats facing our country and what they can do to help address them.

There must be top-down support of a national security awareness program. Cyber security is a large part of that. However, businesses need to be reminded of their responsibilities to security legislation such as Sarbanes Oxley and GLBA. Businesses also need to annually renew their commitments to information security, business continuity and disaster recovery programs.

The U.S. needs to undergo a cultural change to effectively protect against the threats facing it. We need to continue to improve our security posture. The government cannot do this on its own. It needs the support of its citizens. The concept of U.S. National Security Awareness Day is a proactive approach. Want to make a difference?

Let's do it together.

Cyber Security Day - Computer security
October 31 and April 4

First held in 2002, the semi-annual National Cyber Security Days are coordinated with daylight savings in April and October in the U.S. and are intended to raise the public's awareness of cyber-security issues and promote safe online practices. Sunday, October 31, 2004, is the next Cyber Security Day. Set some time aside this week to update your anti-virus software and scan your computer for viruses. Also, check out the Top Ten Security Tips for more information on keeping your computer safe from hackers.

Colleges and Universities Recognize Cyber Security Day with Campus Events

Setting your clocks forward or back for Daylight Saving Time and replacing the batteries in smoke detectors are rituals repeated every spring and fall. Similarly, the National Cyber Security Alliance established April 4, 2004, as Cyber Security Day to raise awareness about Internet safety and computer security issues. Colleges and universities across the country are planning security education and awareness events between March 29 and April 2 to help promote Cyber Security Day.

International Computer Security Day
Nov. 30

International Computer Security Day is a globally recognized annual event set up to inform computer users of the significance of computer security. Computer Security Day began in 1988 when the Washington, D.C., chapter of the Association for Computing Machinery (ACM) sought to bring computer-related security issues to the nation's forefront. Since that time, Computer Security Day has evolved into a worldwide event. This annual event is held around the world on November 30th, although some organizations choose to have functions on the next business day if it falls on a weekend.

Security Awareness Day Useful References



This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to and/or


How would you like to have a new hire that could walk into the office on the first day, talk knowledgeably about technical security issues, FISMA, Privacy, Certification and Accreditation, Risk, Threat, A-130, Computer Forensics, CNSS standards, NIST standards, and even prepare a security plan, SSAA or NIACAP documentation? Not only could this new hire talk about any of these, but they can also do it, explain it and teach it to others. Well, that is what you can expect from Cyber Corps graduates.

All these students understand the national information infrastructure and they are expected to work across a broad spectrum of government jobs. These students all graduate from selected DHS/NSA Centers of Academic Excellence programs. This handful of schools provides students with two-year full scholarships in exchange for a two-year commitment to federal employment. Between their first and second years, they serve an internship in a federal agency.

As an example, one of these schools is Idaho State University. Their program develops students not only through coursework but also through direct mentoring of their learning in a live laboratory environment. These students have developed security plans and acceptable use policies while also developing training for ISSOs. Each is expected to be technically qualified as well. No program can claim to be good unless it is externally validated. To ensure technical skills, all students are required to take the Security+ examination at the end of their first semester. At the end of the second semester, they are required to take the (ISC)2 SSCP examination and, upon graduation, they take the CISSP examination. So far the program has a 100% pass rate on these examinations. As an added bonus, all ISU Cyber Corps students are InfraGard members, so they have had at least a National Agency Check and understand the importance of clearances. This year students from this program have worked in computer security and information assurance roles at the Department of Education, Defense Intelligence Agency, National Security Agency, Governmental Accountability Agency, and Federal Reserve Bank Board, among others.

Of course, all Cyber Corps programs are different; however, all have high standards and will provide your agency with outstanding employees. You can find out more about the ISU program at or you can contact Corey Schou if you need help in locating other Scholarship for Service schools.


Florence Olson of FCW provided us with this information.
On July 12, OPM awarded fifty contracts for e-training to support the Office of Personnel Management's GoLearn online training program. While the potential values for the contracts were not announced, each of them is worth at least $25,00 and could go for a total of five years, according to the General Services Administration's FedBizOpps Web site where the notice was published. A variety of businesses of different sizes were awarded the contracts, including Plateau Systems, IBM Business Consulting Services, the Apollo Group, GeoLearning, and Pearson Government Solutions.


September 22, 2005 BSU Fraud ID Theft Conference. This conference is free and open to the public!
September 21, 2005 A second, free event that you absolutely MUST attend is the IOSS OPSEC Brief, 21 Sept 05 - please see details below.

The various themes of consideration for the BSU Fraud & ID Theft conference include:

  • Identity theft and consumer fraud, such as telemarketing boiler rooms, Internet pyramid schemes, and business and franchise scams
  • Privacy and ethical issues such as the collection and analysis of consumer-related data
  • Corporate Fraud, such as Intellectual Property theft, financial statement fraud, falsified invoicing, retail loss prevention etc.
  • Insurance, Health and Charities fraud
  • Mortgage, lending and banking fraud
  • Academic settings: cheating, file sharing etc.
  • Use of technology in commission of fraud and in the discovery, audit and internal control of illegal activities: COSO, COBIT, SOX, HIPAA

Perhaps the most exciting item to bring to your attention is the opportunity to participate in the Operations Security (OPSEC) briefing, graciously brought to us by C. Rick Estberg, Chief, Training & Customer Outreach, from the National Security Agency at the Interagency OPSEC Support Staff, Greenbelt, MD.

They will be conducting a training session at Gowen Field, 21 Sept 05, for the Air Force, Army National Guard, Navy Reserves, and various state and city agencies, such as police, EMS and investigators, that have a need to protect sensitive information about current and future activities.

Please do NOT miss this extraordinary and engaging opportunity to partake in this training from the very BEST in the business!

What is OPSEC?
Operations Security (OPSEC) is an analytic process used to deny an adversary information - generally unclassified - concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. OPSEC does not replace other security disciplines - it supplements them.

Contact for BSU Fraud & ID Theft conference: Timothy O Neill Web page


September 30, 2005, CISA and CISM December 2005 Certification Exam Final Registration Deadline. The online registration process accepts payments and is the preferred method for submitting exam registrations. Due to very heavy registration volume as the early deadline approaches, they ask for patience when registering. Register at Contact the certification department at 1-(847) 253-1545, ext. 471 or 474.


October 4, 2005 If you're located on the US West Coast, there is no faster or more cost effective way to enlighten yourself on the requirements of FISMA and the security governance framework created by NIST than to attend The Facts of FISMA, a one-day intensive seminar presented by the Center for Information Security. This seminar is designed for both technical and management staff who have accountability for Information Security-related activities. After setting the foundation of the objectives of FISMA and the approach taken by NIST, we review the process for Security Categorization and Security Control Selection, Refinement, Documentation, Implementation and Assessment. These well defined activities lead directly to System Certification (a technical act) and System Accreditation (a management act), both necessary inputs for System Authorization, the cornerstone of security assurance and the manifestation of due diligence.

The Center for Information Security is an initiative of the Regional Training Institute in Walnut Creek, California, a non-profit part of the Contra Costa Community College District. The Center's mission is to improve the level of security education and awareness across the community by exploring new and more cost-effective ways to deliver the kind of security training the community needs. You won't find this kind of government-focused information security training anywhere else outside the DC beltway. And at only $199, you can't beat the investment in education, whether you're subject to FISMA compliance or not.

The next Facts of FISMA course will be on October 4, 2005. Visit or for the course outline, instructor bio and registration information.


October 12, 2005 FISSEA Workshop, "Best Practices for Executive-Level Training: A Panel Discussion". Presented by the US Department of State, Diplomatic Security Training Center, Information Assurance Training Team in collaboration with FISSEA. See the one-page flyer for a complete description at the beginning of this newsletter. Technical contact: Susan Hansche (e-mail), CISSP-ISSEP, or Susan Hansche (2nd e-mail address). Registration contact: Cydney Peyton (e-mail), (703) 204-6137 or Peggy Himes (e-mail), 301-975-2489.


October 25-26, 2005 FIAC Conference, "Building Your Government Security Culture" at the University of Maryland University College Inn and Conference Center. The 5th Annual FIAC will present a unique perspective on Information Assurance in the Federal Government. Revolving around this year's theme "Building Your Government Security Culture", the conference will bring together a variety of resources from government, industry, and academia to present and discuss information which will shape the information security steps already taken at your agency and throughout the government. FIAC 2005 will provide Information Assurance Policy Updates that are crucial to maintaining security at your agency, the available technologies you can use at your agency to support these policies, and the training programs you can utilize to both create and enhance the security program at your agency. Contact: Federal Business Council, Inc., 8975 Henkels Lane, Suite 700, Annapolis Junction, MD 20701, (800) 878-2940, (301) 206-2950 (fax)


November 30, 2005, Computer Security Day. Readers can get a free poster by writing to ACSD; PO Box 39110; Washington, DC 20016. The website can be located at


December 5-9, 2005, Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona. Christoph Schuba, Pierangela Samarati, and Charlie Payne are the 2005 ACSAC program chairs. ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation.


February 13-17, 2006, RSA Conference, San Jose, California, will be held at the McEnery Convention Center. If you have interest in booth space or becoming an exhibitor: Companies that begin with letters A-N please contact: Don Rosette (e-mail) at +1-617-848-8766. Companies that begin with letters O-Z please contact: Wendy Anderson at +1-617-848-8756.


March 20-21, 2006 Annual FISSEA Conference at the Bethesda North Marriott Hotel and Conference Center. Theme: "Training for a Cyber Secure Future". Please plan ahead, mark your calendars, and join your fellow FISSEA members at your annual conference.


April 3-5, 2006, MIS Training Institute, InfoSec World Conference & Expo 2006, Orlando, FL. More than 2000 information security professionals will be attending this event.


January 30-February 2, 2006 The 10th Annual DoD Information Assurance Workshop has been scheduled. The Workshop will run 30 January - 2 February 2006 at the Philadelphia Marriott. Registration will begin late October, go to for more details. This year the Workshop will have a registration fee.


The Federal Computer Security Program Managers' Forum is open only to federal government employees who participate in the management of their organization's computer security program. The Forum hosts the Federal Agency Security Practices web site, maintains an extensive e-mail list, and holds bi-monthly meetings to discuss current issues and developments of interest to those responsible for protecting non-national security systems. Marianne Swanson of NIST serves as the Chairperson. NIST serves as the secretariat of the Forum, providing necessary administrative and logistical support. To join the Forum, please provide your name, title, federal agency, mailing address, telephone, fax and e-mail to Kelly Watkins. Forum url:


NIST has released its new vulnerability management product called the National Vulnerability Database (NVD). NVD is sponsored by the Department of Homeland Security's National Cyber Security Division. It is available at

NIST Draft Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, the Initial Public Draft of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and Initial Public Draft of FIPS 800-53A, Guide for Assessing the Security Controls in Federal Information Systems are available for review on the Computer Security Resource Center web site,



March 20-21, 2006
Bethesda North Marriott Hotel & Conference Center
Bethesda, Maryland

19th Annual Federal Information Systems Security Educators' Association Conference

"Training for a Cyber Secure Future"
Awareness, Training, and Education


You are cordially invited to participate in and attend the 2006 Federal Information Systems Security Educators' Association (FISSEA) Conference to be held March 20-21, 2006 at the Bethesda North Marriott Hotel and Conference Center. Now in its 19th year, FISSEA 2006 is the national forum for government, industry, and academic managers, educators, and researchers involved with information systems security awareness, training, and education. As in previous years, the conference will include papers, tutorials, panels, presentations, networking opportunities, demos, and exhibits. Topics will transcend the entire spectrum and may include: management of information systems security programs and personnel, conducting security training, information security and assurance curriculums, supporting technologies (network, wireless, encryption, vulnerability tools, educational tools), security labs, intrusion response programs, organizational behavior, certification, regulations, and emerging technologies.

We invite you to participate by submitting an abstract and joining us at this exciting conference location. If you need to learn more about the latest security awareness, training, and education practices, tools, and research, this is the conference for you.

Submission Details
Keynote Speakers
Keynote speakers for this year's conference have already been coordinated. If you are interested in being a keynote speaker for future FISSEA conferences, please contact Curt Carver (e-mail).

Papers and presentations are allocated 25-50 minutes and cover the range of conference topics. Each submission consists of two parts:

  1.   A separate title page with:
          o The title or topic;
          o A contact author with postal address and electronic mail address;
          o The name(s) of the authors, organizational affiliation(s), telephone and FAX numbers; and,
  2.   An abstract of no more than 300 words. The abstract (acceptable in ASCII, Word, postscript, or PDF format) is due no later than (NLT) October 28 to Will Suchan (e-mail).

Papers and presentations will be due NLT January 27, 2006. They will be published in the conference proceedings.

The conference will also offer tutorials (50 minutes) on state-of-the-art topics in information systems security training. Each tutorial proposal should provide a title, topics to be covered (in less than 300 words), targeted audience, prerequisites, how it would be of value to the FISSEA audience, and a brief biography and qualifications of the instructor. Proposals should be submitted by October 28, 2005 to Will Suchan (e-mail).

Demos and experiential showcases of interactive security awareness and educational environments are highly encouraged. These may include any of the themes outlined in the conference's topics. Each demonstration should provide a title, targeted audience, brief persuasive abstract of why this demonstration is appropriate to FISSEA conference attendees (300 words or less), prerequisites, and a brief biography and qualifications of the instructor. Proposals should be submitted by October 28, 2005 to Will Suchan (e-mail).

A panel session will examine innovative, promising, or controversial issues related to information security awareness, training, and education from a governmental, academic, or industrial point of view. The panel will also address challenges and future prospects. Audience participation will be welcomed. Proposals should be submitted by October 28, 2005 to Will Suchan (e-mail).

For those who have a topic of interest to the attendees that requires less than twenty-five minutes, there is a speak-out session scheduled for this purpose. Please contact Curt Carver (e-mail) to schedule time.

Important Dates
October 28, 2005         Deadline for abstract submission
November 18, 2005     Notification of Acceptance
January 27, 2006         Papers & presentations due (including slides &/or transcripts)
March 20-21, 2006      2006 FISSEA Conference!

These dates are critically important as we habitually receive many more papers and presentations than we can possibly publish and present.

For More Information
Visit the FISSEA website:

Contact the program chair:
Curtis A. Carver Jr.
Phone: 845-938-3933
Will Suchan
Phone: 845-938-2407

Last Modified: September 22, 2005.