Letter From the Chair

Greetings,
We hope that you are looking forward to our upcoming FISSEA Conference as much as we are. I hope you realize that your Conference Program Chair, Conference Chair, the Executive Board, key NIST personnel (without whom we would be lost) and other volunteers have been working together for many months to ensure that this year's annual conference will not only meet, but exceed our standards for excellence. Of course, we need you to attend and participate fully to receive the benefits of our combined efforts.

"Awareness, Training and Education - The Driving Force behind Information Security" is the theme for our March 9-11, 2004 annual conference. This year it will be held at the Inn and Conference Center at the University of Maryland. I promise you the following five things about our conference this year:
(1) the presentations will be interesting, relevant and informative
(2) the meals will be delicious, plentiful and free,
(3) the participants will have similar challenges and are great for networking
(4) there is not a better training opportunity for the intended audience at this price, and
(5) this event will just not be all that we want it to be without your attendance.

The business meeting will be shorter this year so that we can focus more of our time on the outstanding presentations. However, we will still take time to introduce you to the FISSEA leadership team. We will also have our annual election to fill vacancies on the Board and give you a sense of our accomplishments during the year and our plans for accomplishing even more next year. Although the Board members are all volunteers elected by the participants at the annual conference, we are always seeking greater assistance and support from the members throughout the year. You do not have to be a member of the Board to share your ideas and volunteer to assist the Board in doing the myriad of tasks required to keep FISSEA on course in fulfilling its mission effectively.

We need people on the Board who have their management's support to be FISSEA's arms, legs and all the various parts of any functioning body to operate successfully. I want to encourage you to seriously think about serving on the Board, but I also want to tell you in advance that this is a job that requires you to donate time regularly, even during your workday at times, to be a satisfactory board member. For example, I started preparing this article at home on a Sunday evening and I am completing the task during my lunch hour. It is not unusual to receive, review, process and forward email to handle FISSEA's business even when I am on vacation or at home evenings or during the weekend. In my opinion, the time a board member gives to FISSEA and his/her level of commitment to its mission will determine his/her effectiveness as a member of the board. I have found serving on the FISSEA Board rewarding, challenging and a blessing in many ways. We need you if you are willing and able to serve.

Barbara Cuffie
FISSEA Executive Board Chair

Go to top of page

Go to top of page

FISSEA Editor's Column

By Louis M Numkin, CISM, USNRC

Hello FISSEA,

We are really looking forward to seeing you at the Conference!

Providing the newsletter is a labor of love for those of us who contribute. And, since our publishing date is so close to Valentine's Day, I wanted to share the love. So, during the conference, we will invite you to contribute your thoughts for the next issue of our publication. Each attendee will wear a second hat as a "cub reporter." Being a nonprofit organization, it is important that you come prepared. In other words, bring your official reporter pen/pad/pencil/paper/PDA/laptop. Wear your hat creatively as we are looking for the flavor of the conference - what you liked or disliked (perish the thought) and anything which was really worthy of note. You are encouraged to be colorful. During a speaker where you need not take notes, just jot down a stanza or two of poetry or a paragraph of pros which covers something on your mind or that you've seen/discussed. This is not meant to be a critique sheet and attribution will be optional. If you author a masterpiece, just give it to me during the conference and we'll try to include them in the subsequent issue of FISSEA News and Views. "You have you mission, Mr. Phelps."

Also, during the conference, your Editor goes undercover, wearing the disguise of "Cruise Director." Food plays a role in any successful gathering and our conference is no different. The UofMD University College has no "mystery meat." But, they do have an excellent variety of delicious flavors which we will get to enjoy. We are also planning our traditional evening out around an Italian theme. The area near our venue has a historic and tasty restaurant where we will gather for supper. Car pools will be established at the conference for those without transportation. So, when you come to the conference, come hungry for info, food and fun!

It is hard to believe that another year has flown by. Why it was just yesterday when we gathered in Silver Spring for Awareness, Training, and Education. And, now, here we are again. Ready for another wonderful opportunity to meet peers, share experiences, and hear from leaders in our field of endeavor. Wow... I can hardly wait!

Permit me to close by thanking each of you again for your readership and participation. Your submissions and comments have been appreciated and hopefully, you have found our recently revised newsletter format to your liking.

Have a virus free day,
Louis

Go to top of page

March Conference Update

Submitted by Curt Carver, US Military Academy

The FISSEA Conference is right around the corner and the agenda is set! Here are a couple of abstracts (one from each day) to peak your interest. This is just the tip of the iceberg as FISSEA has more speakers and presentations than ever before. You can see the agenda at
http://www.frontiernet.net/~carverc/FISSEA2004/

The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training

The Federal Information Security Management Act (FISMA) places significant requirements on Federal agencies for the protection of enterprise information and information systems-including requirements for security awareness training. The National Institute of Standards and Technology (NIST) is leading the development of key information system security standards and guidelines as part of its FISMA Implementation Project. This high priority project includes the development of security categorization standards (FIPS Publication 199), guidelines for the specification and selection of security controls for information systems (NIST Special Publication 800-53), and guidelines for the security certification and accreditation of information systems (NIST Special Publication 800-37). This session will cover the key provisions of the FISMA legislation, the publications developed by NIST in support of this legislation, and the security controls associated with security awareness training.

Pros & Cons of Contracting For Awareness & Training Work: Government Perspectives

Federal requirements for departments and agencies to conduct awareness and training as parts of their information security programs are long-standing. It is no great mystery regarding what has to be done. However, awareness and training remain near the top of the list of problem areas reported by OMB to Congress each year. One problem facing federal organizations is the effective contracting for of some or all aspects of an information security awareness and training program. These aspects can include designing the program, developing material, implementing the program, and maintaining the material.
 
A number of questions must be asked to help an organization determine if awareness and training work will be accomplished in-house or contracted out, including:
1. Do we have the in-house resources to do the job? This includes people with the right skills and enough people to do the work.
2. Is it more cost-effective to develop the material in-house versus outsourcing?
3. Is there a funding mechanism in place (budget)?
4. Do we have a person on staff that can serve as the contracting officer's technical rep (COTR) and effectively monitor contractor activity?
5. Does (or will) the organization have the necessary resources (e.g., funding and staff with the necessary expertise) to maintain the material, if it is developed by a contractor?
6. Does the course content sensitivity preclude use of a contractor?
7. Does outsourcing allow for critical awareness and/or training delivery schedules to be met?
8. Will the contractor simply develop material and turn it over to the organization for implementation, or will the contractor develop and implement? Exactly which of the aspects of the awareness and training program will the contractor accomplish?

The Panelists will consider these questions as they describe their experiences, their successes, and their setbacks. They will provide a set of lessons learned that will make others' related jobs easier.

Information Assurance Education OR Training:
Blurring Boundries

The Centers of Academic Excellence in Information Assurance Education (CAEIAE) program is an outreach program designed and operated by the National Security Agency (NSA) in the spirit of Presidential Decision Directive 63 (PDD 63), National Policy on Critical Infrastructure Protection, May 1998. Education (demonstrate understanding and apply knowledge) and training (apply knowledge) are often seen as degrees of depth and breadth, with the former being the deepest and widest. The current CAEIAE program does a great job of providing undergraduates the information (topics) and knowledge they need to become effective IA professionals, however, the program needs to evolve into one that effectively integrates training objectives-skill, ability, and proficiency-with learning objectives-conceptual understanding, active learning, and contextualized application. This paper will propose an evolutionary strategy for effectively integrating the current CAEIAE Training Standards' criteria into pedagogically viable and student-focused learning objectives and experiences.

Go to top of page

"Cyber Security Professionalization in VA:
A Model for Government

Submitted by Michael Arant, VA

As FISSEA-types, don't we often view cyber security through a different lens from the one our more technical peers use? We tend to see security and its thorny problems as human issues. Where others see solutions as technical, we see them as organizational or even individual. In short, we recognize that security is all about people. People who care about the improved services secure computers enable. People who are alert to threats to computers and can counter them. People who are trained, empowered, motivated, and authorized to implement effective security controls.

In Department of Veterans Affairs (VA) cyber security is a profession. This year VA's community of cyber security has undergone training and testing in cyber security. We call those who have successfully undergone the training and testing "Cyber Security Practitioners" or CSPs. The group includes facility Information Security Officers, VA's cyber security program office staff, and other folks who have interest.

It has not always been this way. Until recently, cyber security was just one extra duty and a job few had an interest in. The one thing many cyber security staff aspired to was to get into a job with a future, support, recognition, and out of security. Sound familiar?

The result? Huge turnover in cyber security staff. Awful Congressional "Report Cards." Denial of service to veterans while Internet worms ran rampant. An Office of the Inspector General report designating the VA as having a "material weakness" in cyber security. In a triumph of understatement, these are undesirable circumstances. Just ask my boss!

The Office of Cyber and Information Security (OCIS) within VA's Office of Information and Technology has changed the VA's approach to cyber security. Among other things, OCIS has implemented VA Secretary Principi's direction that a "rigorous process" be put in place to certify that people responsible for cyber security are knowledgeable and able to secure VA's information assets. What a notion! We should expect folks to actually demonstrate they know what they're about! And because VA wants to attract and retain motivated people, OCIS has implemented the certification program as part of an overall CSP Professionalization initiative.

The initiative also provides on-line training 24/7 and classroom training at VA InfoSec Conferences and at VA Information Technology Conferences (VAITC). All the training resources required are centrally funded and managed. All told, OCIS provides sixty VA contact hours of cyber security certification-related training per year. To date, over 400 VA staff have successfully taken the training and passed the CSP Certification exam. By the way, you should know that the Body of Knowledge (BOK) we use is not industry off-the-shelf, although we tapped into those sources when appropriate. The BOK is government- and VA-specific. As a VA product, it's freely available; we can even send you a copy.

In addition, the initiative provides a framework for a true career for those interested in security, complete with standard Position Descriptions and potential for professional advancement. The next steps in the program will be credentials issued by OCIS authorizing facility CSPs to act "locally in the interest of VA-wide security." After that, we take on a program of incentives so that we can retain the security "brain trust" we've cultivated and attract other good people. In fact, opportunity to attend CISSP-preparation training and to sit the exam is already one of our incentives.

Most important, improved training and skills bolster cyber security and that in turn enhances the trust our customers, America's veterans and other beneficiaries, have in VA computers and the services those computers help VA provide.

VA's OCIS is proud of this initiative, seeing it as a model for other government agencies' cyber security programs. We've already encountered, confronted, and conquered many of the issues many of you might meet in your journeys toward corporate professionalization programs. We're also glad to tell you more. If you are interested, just call me or drop me an e-mail. Ask me about our training program in general and make sure I tell you about VA InfoSec. While we're at it, there are lots of other things we're doing in cyber security in VA that we'd like to talk to you about.

Michael S. Arant, CISSP (Team Leader Training / Cyber Security Liaison)
Office of Cyber and Information Security (005S5)
Building 203A, Room 2
VA Medical Center
510 Butler Avenue
Martinsburg, WV 25401
Voice: 304-262-7326
Mobile 202-271-4230
michael.arant@mail.va.gov

Go to top of page

FISSEA Executive Board
Vacancies

Submitted By Peggy Himes, NIST

The FISSEA Executive Board consists of a total of 11 members. Nominations may be made prior to the conference and from the floor of the conference. A FISSEA member who wishes to serve on the Executive Board may nominate him/herself. Please give careful consideration to the time and commitment involved before making the decision to run. The Executive Board meets monthly in Gaithersburg, Maryland. Board members should attend the monthly meetings as well as the 3-day annual conference. You should have your management's approval prior to accepting FISSEA Board responsibilities.

The board members listed below are serving the second year of their two-year term. It is not necessary to nominate them.

• Lewis Baskerville, Small Business Administration
• LTC Curt Carver, Jr., United States Military Academy
• Tanetta Isler, Dept of Housing & Urban Development
• Louis Numkin, Nuclear Regulatory Commission
• Marvella Towns, National Security Agency
• Mark Wilson, National Institute of Standards and Technology

The term for the following board members expires in March 2004. If they want to serve another term, they will have to be nominated and elected by the membership at the annual business meeting in March.

• Dara Murray, Health and Human Services
• Col Daniel Ragsdale, U.S. Military Academy
• Donna Robinson-Staton, Dept. of Housing & Urban Development
• Mary Ann Strawn, Library of Congress

Barbara Cuffie, Social Security Administration, will continue to serve on the Board as Past Chair allowing for one additional Board slot. Robert Solomon retired from NASA and will not continue his level of support for FISSEA on the Board.

E-mail the name of the nominee, employing organization, position or title, phone number, email address to Peggy Himes, peggy.himes@nist.gov.

Also, provide a Qualification Statement: (You must have the permission of the nominee to submit his/her name. What has the nominee done to warrant this nomination?)

Finally, provide the name of the person making this nomination with an E-mail address and/or Phone Number.

Go to top of page

TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at lmn@nrc.gov

********************

From the Sunday, 18JAN2004 Washington Post Comics Section:
SHOE by Chris Cassatt and Gary Brookins
{Skylar is a youngster who is talking with his Uncle Cosmo}
Skylar: "Uncle Cosmo? Did you always want to be a writer?"
Cosmo: "You bet, Skyler. for as long as I can remember... at six I wrote my first poem... at seven, I wrote a short story... at eight, I started a novel... and at eight-fifteen, I got writers' block."

For any of FISSEA's budding columnists, please don't get "Cosmoitis." We look forward to receiving your article(s) for our next issue which will come out after the Annual Conference. Any questions, please contact our Newsletter Editor.

********************

3-4MAR2004 The third annual Mid-Atlantic Network Security Forum - Washington, DC - The Forum is an intimate gathering of experienced network security professionals from government, education and the Fortune 2000 who share technical insights in a confidential environment. It is based on the Harvard Business School teaching method of interactive discussions led by expert faculty. Peer-to-peer briefings further enable participants to hear live accounts of security challenges and deployments. The all-new curriculum for 2004 includes the topics of patch management, wireless security, application IDS and firewalls, as well as perimeter security and managing a security operation. Faculty will include Becky Bace, Marcus Ranum, Eric Cole, Fred Avolio and Greg Shipley. Other sessions around the country:
19-20MAY2004 - Southeast Network Security Forum - Atlanta, GA
14-15JUL2004 - Midwest Network Security Forum - Chicago, IL
Sponsored by The Institute for Applied Network Security, 30 Rowes Wharf, Suite 530, Boston, MA 02110, phone (617)399-8100, FAX (617)399-8101, web page www.ianetsec.com

********************

9-11MAR2004 - 17th Annual FISSEA Conference, "Awareness, Training, and Education - The Driving Force Behind Information Security", will be held at The Inn and Conference Center, University of Maryland University College (UMUC), Adelphi, Maryland. Electronic registration available at www.nist.gov/conferences until February 27th. For other questions contact Peggy Himes, NIST, peggy.himes@nist.gov. Please see the preliminary agenda under "2004 Conference" on your FISSEA website, http://csrc.nist.gov/fissea. Walk-in registration is accepted.

********************

22-24MAR2004 InfoSec World Conference and Expo/2004 - Orlando, FL - The Rosen Centre Hotel - Optional Workshops: March 20, 21, 24, 25 & 26-Vendor Expo:March 22&23. 80 in-depth sessions on timely topics, panel discussions, demos, and
* A dynamic keynote address by William Boni, Vice President and CISO, Motorola
* An uncensored interview with notorious hacker Kevin Mitnick, by G. Mark Hardy, President of the National Security Corporation.
* Bonus Session: Security Certifications - Which Are Best for You?
For complete event information, go to: (by clicking this link, you will be leaving NIST and the FISSEA website): http://pull.xmr3.com/p/11908-35A8/54489727/clickto1_i.com-12-os04eb7_infosecworld.html
Sponsored by MIS Training Institute, 498 Concord St., Framingham, MA 01702-2357, Tel: (508) 879-7999, Fax: (508) 872-1153, E-mail: mis@misti.com

********************

23-25MAR2004 FOSE will be held at the Washington, DC, Convention Center. Admission is free for Government employees. Over 400 exhibitors, various pavilions (including Wireless, DoD, and a Homeland Security Center), CIO Showcase of Excellence, free seminars and Keynotes. More info at www.Fose.com or phone 1(800)791-FOSE.

********************

Information Resources Management College
National Defense University offering two new courses!!!!!

29MAR-02APR2004 (PRI 0403: in-resident)
07JUN-27AUG2004 (PRI 0404: distributed)
28JUN-02JUL2004 (PRI 0405: in-resident)

"Process Improvement and Management, Process-Centered Organizational Transformation and Process Change Programs - Strategies for Process Improvement Course" - The course examines strategies, management processes and resources for process improvement within and across federal agencies. An executive-level perspective is provided on the tools, techniques, and technologies that enable process-centric performance improvements in how federal agencies achieve their missions. Also examines the management and information resource issues of transforming industrial age organizations into information age process-centric enterprises and broader process-centered partnerships, coalitions, alliances, Quality Improvement Programs and strategies, and leadership challenges of initiation, collaboration, design, implementation and portfolio management of process-centric improvements within and across agencies. It examines key issues of concern to the DoD's Business Management Modernization Program initiative, the Federal Government's Enterprise Architecture initiatives, the President's Management Agenda on e-Government for example. Attendance by higher-level managers in civilian grades GS/GM 13 to 15 and military grades 0-5 to 0-6 is particularly encouraged.

"Enterprise Architecture" - Examines EA as a management tool to facilitate implementation of strategic direction, explores the integration of EA with strategic and resource planning, information assurance, and acquisition management. and introduces the use of EA frameworks to improve the capability maturity level of the EA to meet its intended purpose. Other topics include the role of the CIO in EA management, the use of models and standards, implementation issues, and an overview of enterprise information assurance/security architecture. Strategies are also addressed for using EA to address enterprise problems such as interoperability and information sharing with the intent of improving enterprise performance of mission or business operations - details on this course offering can be found at ndu.edu/irmc

28JUN-2JUL2004 - "Information Operations and National Security (ION)" - Critically analyzes the role that information and information technology play as strategic elements of the information component of national power. The course examines the current and emerging concepts affecting those charged with executing national security strategy and those who shape the global environment to meet national security objectives. Selected technical and management topics are discussed, to include the nation's intelligence sharing initiatives, interagency coordination, and the role of senior leaders in protecting and exploiting the global information infrastructure. Recent legislation and policy initiatives related to shaping the use of information as an element of national power are also discussed. It is designed for military grades O-5 to O-6 and civilian grades GS/GM 13-15 or equivalent. The goal of the course is to enable students to evaluate, analyze, and develop an understanding of the strategic implications of information operations and the information component of national power relating to the national security strategy of the United States.

National Defense University, Information Resources Management College, Fort McNair, Washington, D.C. To register, go to www.ndu.edu/irmc. POC: LTC Craig Kaucher, 202-685-4734, kaucherc@ndu.edu..

********************

Computer Security Institute's upcoming training classes. For more information, contact Computer Security Institute, 600 Harrison Street, SanFrancisco, CA 94107, phone (415)947-6320, or e-mail csi@cmp.com, online www.GoCSI.com/training

24-25FEB04    Facilitated Risk Analysis for Business and Security, Gaithersburg, MD, Tom Peltier
26-27FEB04    CISM Prep-to-Pass Workshop, Gaithersburg, MD, Tom Peltier and Justin Peltier - designed to provide CISM candidates with areas to be tested in core competencies.
2-3MAR04        How to Be an Effective Information Security Professional, Washington DC, John O'Leary
4-5MAR04        Defense Against Social Engineering, Washington DC, John O'Leary
25-26MAR04   Hands-on Wireless Security - Miami Beach, FL - Instructor Justin Peltier.
14-16JUN04    NetSec2004 Building the Secure Enterprise - Hyatt Regency Embarcadero in San Francisco, CA

********************

SANS Institute is demonstrating its commitment to cooperative research and education. 2004 marked the Grand Opening of the SANS Press Room at www.sans.org/press. A wide array of easy to use resources put together to assist you in covering Information Security for your upcoming articles. All of the resources, press releases, sound bites, and other information in the Press Room are there for you to use immediately without the need to request prior permission.
Other resources available from the Press Room include:
- Information Security news items
- Announcements about new Information Security Resources/Products
- Invitations to media events
- Interviews with SANS faculty
- Downloadable photos and bios of SANS faculty
- Soundbites for writing articles (coming soon)
- Schedule of upcoming SANS conferences

********************

5-8APR2004 Storage Networking World - JW Marriott Desert Ridge Resort in Phoenix, AZ - IT executives and leaders of storage intensive user-organizations will be presenting. To see the agenda or register, visit http://www.snwusa.com?s=reg

********************

ISACA upcoming events: EuroCACS - 21-24 March 2004 - Zurich, Switzerland - contact Sandy Arens at 1(847)253-1545, ext. 485, e-mail conference@isaca.org , or check the web page http://www.isaca.org/eurocacs2004 . Considered a leading conference for IS audit, control, assurance and security.

North America CACS - 9-13 May 2004 - Chicago, Illinois, USA - contact Sandy Arens at 1(847)253-1545, ext. 485, e-mail conference@isaca.org , or check the web page http://www.isaca.org/nacacs2004 . This five-day event offers pre- and post-conference workshops, seven educational tracks and a variety of technical sessions for users at every level.

International Conference - 27-30 June 2004 - Cambridge, Massachusetts, USA - contact Sandy Arens at 1(847)253-1545, ext. 485, e-mail conference@isaca.org , or check the web page http://www.isaca.org/international2004 . Educational tracks focused on managerial and business issues of IT audit, control and security, and a new track dedicated to discussing leading industry issues.
The 2004 CISA and CISM Exam Dates:
Final registration deadline: 31 March 2004 Exams given worldwide on: 12 June 2004 For more exam specific information, go to web page www.isaca.org/examreg

********************

"Wireless Security Essentials" by Russell Dean Vines, copyright 2002 was recently reviewed by Robert M. Slade, who can be reached at: rslade@vcn.bc.ca, slade@victoria.tc.ca, rslade@sun.soci.niu.edu. Mr Slade's comments are positive in stating that "Although not perfect, this book is an extremely useful guide to the security issues surrounding the use of wireless devices. Of the various books reviewed on the topic of wireless LANs and security, it is the best work seen to date...Part one deals with the foundational aspects of the technology and Part two covers security essentials."

********************

Karta offers a web-based information security training product which addresses the FISMA reporting requirement for specialized training for those with significant security responsibilities, as well as agency-wide Security Awareness. The library of 65+ courses covers four different tracks: Network Security, Data Security, Security Policy and Guidelines, and Security Planning. Each course is mapped to a variety of roles and created 18 different training plans based on the roles and their corresponding responsibilities as outlined in NIST SP 800-16. The IT Security Library is a web-based training suite certified by the NSA/CNSS for mapping to NSTISSI standard No. 4013. Students are able to earn NSA/CNSS approved certifications for completing 50 pre-mapped course hours. For those who currently hold or plan to hold a CISSP or SSCP, CPE credit can be earned for every completed course hour. For more information, please contact George Soltys, at 703-309-3038 or gsoltys@karta.com.

********************

nCircle and CISCO are offering free Vulnerability Assessment seminars, titled "Tackle Your Security Flaws Before Someone Else Does" in many areas of the country. You receive a free Gartner Report and White Paper when you register. For information, call (888)464-2900 or write to nCircle, 101 Second Street, Suite 400, San Francisco, CA 94105

********************

27-29JUL2004 Excellence in Government Conference from Government Executive Magazine is accepting proposal submissions for their DC Convention Center conference. Deadline for submissions is 3MAR2004 and they must be submitted electronically. This year's five tracks are:
* YOUniversity: Enhance your personal ability . . . and your professional visibility.
* The Management Institute: These sessions provide the know-how to develop skill and instinct.
* The Leadership Edge: Leadership "essentials" for today's (and tomorrow's) federal manager.
* The Transformation Generation: "Change is good" but only if it means real results for customers.
* The Rules and Tools of Results: Real world rules and first hand experience tools shared by public sector "result-getters."
For more info check web page http://www.govexec.com/

********************

Go to top of page