From the Executive Board Chair

Greetings to FISSEA members, friends and supporters,

It is hard for me to believe that it has been four months since you elected us to be your Executive Board and to provide leadership for our organization. Although it is often a challenge, we meet monthly to carry out our responsibilities. I am pleased to report that we have developed a new operational plan for this year, and we are in the process of implementing some activities while still developing detailed action plans for other initiatives. As we continue to define our priorities, we realize it is important for us to ensure that both our plans and expectations are realistic. We are busy and productive although we simply lack the time and required resources to accomplish everything that we want to do. Let me share some of the highlights about activities currently in process.

The Board is fortunate that Dara Murray agreed to Chair the Conference Committee. The Committee is working hard to ensure that FISSEA offers you a top quality-training event next year. I am sure you will be hearing more about this in the near future. However, it is not too early for you to begin planning to attend by earmarking the funds required to register. We don't know the exact date, place or price at this point, but we do know that it will be a Tuesday through Thursday in March 2002. We also know that the price will have to increase in order for us to move to a location near a Metro station as many of you requested in your evaluation forms. We think it is important for us to be responsive to your requests, suggestions and general comments. Please continue to communicate with us regularly. It helps us to know what we are doing well and for you to share your suggestions for ways that we can improve.

Philip Sibert has agreed to lead an initiative to revise our By-laws. This is an effort that the Board has planned to undertake for at least two years so I am happy that it is being done. Hopefully, some of you will take time to review this document on our website and send any suggestions for revisions to Phil before the end of August. I am sure he would appreciate your input.

Patricia Black has taken the lead on updating the Federal Awareness compact disc. She has assembled an interagency group of educators to assist her in this important effort. They expect to complete this initiative and have the updated discs available for distribution at our next conference. Of course, the price will be the same as usual, i.e., FREE.

Louis Numkin continues to serve as our able editor of this publication. He seems to never tire of reminding us to send him our articles timely. By the way, he extends that same invitation to all of our members, supporters and other information systems security professionals and educators. Please help me to surprise Lou by showering him with an abundance of great articles so that his biggest problem will be selecting the best ones for publication. He assures the Board that he cannot meet his quarterly schedule without us.

The Board is undertaking a major redesign of our website. Falan Memmott volunteered to assist us by sharing his expertise in web design at one of our meetings. This was very helpful to us and really gave us the jump-start that we needed to tackle this significant priority. Hopefully, you will see the fruits from our labors before long.

Barbara G. Cuffie, CISSP
Social Security Administration

Go to top of page

Some New Surprises For 2002

by Dara Murray (Natl Science Foundation)
FISSEA Conference Chair

Although FISSEA's last conference was a great success, "we" want to make our next one more effective, interesting and as accommodating as possible. A great deal of feedback from last years participants emphasized the location of the conference. As you know, in previous years the conference has been held in Gaithersburg, Maryland. However, the 2002 Conference Committee in cooperation with NIST has been researching the possibility of hosting it at a hotel on the metro line in the Washington, DC metropolitan area.

In addition, the format or "flow" of the conference may be changing as well. With emphasizing FISSEA's goal-implementing effective computer security training, education and awareness, "Focus" days similar to tracks may be offered. Special sessions during the conference will include "Lessons Learned", "Birds of a Feather" and "Information Sharing" from volunteers who would like to talk about their own experiences while implementing a security awareness program in their agencies or organizations. Also, a session on a Government-wide initiative headed up by the Department of Treasury and Department of Defense with a status of the development of a "generic" Information Security Awareness training tool for "all of us" to use will be presented.

Currently, there's a lot of "high profile" activity regarding "GISRA," so the thought of providing some valuable time with training issues of how agencies worked with their individual staff's and offices to provide their responses. A "how to" session on "working through" an audit "focusing" on IT security has also been suggested.

More emphasis will also be placed on "speakout" and the business meeting so that issues which affect all computer security professionals and FISSEA can be more "openly" discussed. Since Section "508"is a big factor in the area of IT development, a session on what "tools" are available to assist handicapped personnel with training regarding computer security awareness is sure to be very informative.

Lastly, the theme -- OH YES ---THE THEME......
"SPRING TRAINING IS HERE--- "with" (training, education and awareness)!
The Rest is a SURPRISE, BUT WILL SURELY BE ENTERTAINING!!!!

If you have a suggestion of what "YOU" would like to see in next years conference, please contact FISSEA at (301)975-2489.

Go to top of page

Scourge or Opportunity?

by Louis M Numkin (US NRC ), FISSEA Newsletter Editor

The recent spate of viruses and worms has given many of us larger and more frequent headaches. SirCam, Code Red, Code Red again, and Code Red II (or 2 or C or CRv2). It appears that the news media and technical services, at least as of this writing, haven't yet decided what to name the latest member of the Code Red Worm regiment. However, WE have a name for it - "More Work!"

At NRC, I research virus reports from many sources, including Federal, commercial, educational, and news purveyors. Often, I will hear about a pending virus on the morning news while shaving or driving to my office. Immediately upon arrival at my workstation, I will begin researching the item. This includes redistributing FedCIRC, CERT, CIAC, etc Alerts to our System/Network Administrators so we get a jump on developing protection needs to ensure agency systems will not be compromised or harmed. Following this, further research is conducted.

This is the point where a "Scourge" becomes an "Opportunity."

We should recognize that many of our fellow employees have also heard or read about this latest computer security problem, as we did. These folks have different levels of technical acuity - some understand bits and bytes while others may be "technophobes." How to inform and not unduly alarm this mixed audience ... this is the issue.

When deemed appropriate, I recommend to our CIO that a Network Announcement should be disseminated. This is an in-house on-line notice system which can be directed at all employees or select groups. As needed, I consult with our lead techies to determine if there might be an impact to our internal systems. Further research is used to ascertain if the virus can attack personal computers or just networks. These decisions lead to the crafting of an announcement.

Verbosity is not a hallmark, yet this probably requires more than a Hallmark greeting!

Our CIO prefers fewer words with greater explanation. This follows the old summertime adage that an explanation should be like a bikini - enough fabric to cover the subject while still short enough to be interesting. As with any written material, after checking the facts, vetting with the techies and management, and having grammar reviewed by technical editors, it goes to the CIO for approval. Usually, one or two cycles of wordsmithing and it is ready for "prime time." The operative word in the last sentence is "time" because the notice must be timely in order to be helpful. If a virus is striking as we arrive at work, response speed is essential. Likewise, it is important to dot all the "I's" and cross all the "T's" so that a hoax or minor virus does not take on a more important persona. And remember to give contact information of someone whom employees can call/email if they have further questions or concerns.

What I am trying to encourage in this article, is that you look at any virus or malicious activity as an opportunity to improve and heighten the computer security awareness of all your employees. Reality can be a wonderful teacher. And Remember... Sircam does have the ability to resurface on 16 October... So the opportunities keep on coming... and, Quality training occurs when preparation meets opportunity.

Go to top of page

FISSEA E-Mail List Serve

By Mark Wilson (NIST)

I am writing to advise you that the e-mail list for FISSEA members will be back online. I'm also taking this opportunity to pass along some guidance on how the list should and should not be used. This is for the benefit of those members who have been on the list since it went live in March of this year, and for the many new members to both FISSEA and this list.

The NIST Computer Security Division is hosting the e-mail list in support of FISSEA and the federal IT security community. The list is not moderated; any FISSEA member subscribed to the list can post a message directly to the list. However, to help ensure that this service does not become a free-for-all . . . an example of anarchism in action . . . we are asking for your help in following the guidance in this note. For example, there is a correct way to ask to be removed from the list, a way that does not result in every other member on the list hearing a "get me off this list" request, and inflaming the entire membership in the process. This issue is addressed in detail below.

Why A FISSEA Membership List?:

Why a list? This list will allow you to converse with other IT security professionals who have an interest in awareness, training, and education issues. Any issue related to federal IT security awareness, training, and education is fair game for this list. It can be used to ask for help from the many veterans in FISSEA who have experience designing, developing, implementing, and maintaining awareness and training programs.

Why a list? Do you have an awareness program, but need to develop a training course for a particular audience? Chances are that some other FISSEA members have already developed this for their agencies. Ask if anyone would send you their material, or an outline, if you just need to get started. Are you considering hiring a contractor to develop awareness or training material? Would you like input from people who can recommend someone? Would you like to know what material is out there for the taking? DISA (do you know who they are?), Department of Energy, and other agencies have material you can download. I'm sure you will find other reasons to use the list . . . just ask.

To Post A Message To The FISSEA List, send it to:
         fissea@nist.gov

The list is not moderated, in that neither Peggy Himes or I review each message before it is allowed to hit the list.

Controls On The FISSEA List:

Only people who have been subscribed (added) to the list by Peggy or I can post messages to the list. The upside is that we should not see spam from outside the list. The downside is that even though you are a FISSEA list member, if you attempt to send a message to the list from an address that is not on the list (e.g., your home account, a secondary work account) the e-mail list server here at NIST will not allow your message to be posted. For example, I am known to the FISSEA list as mark.wilson@nist.gov. However, if my e-mail package knows me as mwilson@nist.gov and identifies outgoing messages as such, this address will not be recognized by the FISSEA list. Make sure that the address that your e-mail package assigns to your outgoing messages is the same as the address you provided us when you joined FISSEA.

If you want to be able to send messages to the list from an account other than the one you are using now, let Peggy know. If you send a message to:
           fisseamembership@nist.gov

To Unsubscribe From The FISSEA List:

To get our attention to remove your address from the list, send a message to:
           fisseamembership@nist.gov

Do not send a message to the list asking to be removed. The last time this occurred there were so many "get me off this list" follow-up requests that we had to shut the list down for an extended period of time until we sorted through all of these requests and updated the subscriber list. Some of these requests were from members who were perfectly content with the flurry of messages on the list that dealt with awareness, training, and education, but were quickly disillusioned by the "get me off..." messages sent to the entire membership.

Your List And Attached Files:

Please do not send attached files to the list. If, during the course of corresponding to fellow list members about an awareness or training course or module that you have developed, someone asks for it, send it to them, not to the list. If there is significant interest in material that you are developing, we would encourage (beg) you to send it to us (Peggy or me) and let us post it on our Awareness, Training, and Education pages of our Computer Security Resource Center (CSRC) - http://csrc.nist.gov/ATE/. If you send a file to the list, we will provide one reminder. If you send a second file we will remove you from the list.

Your List And Replying To A Message:

If you reply to a message from someone on the list, your reply should go only to the sender, not to everyone on the list. When you begin to reply, check the address that appears in the "To:" block of your soon-to-be outgoing message; make sure it is to the sender and not the list. Keep in mind that the list has several hundred members. Determine before you send your reply if your message would be of value to many of the list members, or to just the sender to whom you are replying. If your e-mail package's default is set to "reply to sender" (the entire FISSEA list) or "reply to all" please change the default, or change the address that your mailer places in the "To:" line to the individual who should receive your reply.

Your List And "Me Too" Messages:

Please avoid sending "me too" agreement messages to the list. If you would like a copy or follow-up information related to something that a member has posted, send a message to that individual, not to the entire membership.

Your List And Advertisements:

In June, we floated a "trial balloon" message to this list, asking what you, the on-line FISSEA membership, thought of allowing member vendors to post one message a month to the list. Your responses to that query resulted in the FISSEA Executive Board and NIST Computer Security Division management making a joint decision to consider another approach. We continually welcome your ideas and feedback on how FISSEA can improve the way we serve our membership.

FISSEA members who want to make others aware of upcoming IT security related classes, seminars, and conferences may send the message they would like posted to this list to me, Mark Wilson at:
           mark.wilson@nist.gov

Send the information you would like posted to my e-mail address above. NIST cannot endorse or give the appearance of endorsing any particular vendor product or service. Therefore, limit the information in your message to the essentials needed for someone to take advantage of the training, seminar, conference, etc. - i.e., who, what, where, why, when, and how much. You may reinforce the reference by including a website URL "for more information." Do not send ads directly to the FISSEA list.

Omit marketing and public relations "hype" from your message. If it looks like an ad and sounds like an ad, it probably is, and you will hear from us, asking that you re-write your message if it is to be posted to the list.

One last word on advertisements - if you reply to a query sent to the list (asking for sources of training or material, for example), ensure that your reply is not a thinly veiled ad. One way to avoid this possibility is by replying directly to the individual asking for assistance, not to the entire membership. If you send such an ad to the list, you will hear from us. A second occurrence will result in removal of your e-mail address from the FISSEA e-mail list.

Thanks, and enjoy your list. Please contact me if you have any questions or concerns.
Mark Wilson
NIST/FISSEA Liaison
(301) 975-3870

Go to top of page

Federal Best Security Practices Pilot Effort

{The following item was recently circulated by Elaine Frye (NIST) to members of the inter-agency Computer Security Program Managers' Forum. It is included here to help it gain wider distribution. If you wish to find out more, contact information is at the end.}

The Federal CIO Council has recognized the success of the Federal Best Security Practices (BSP) pilot effort and is ready to see it transitioned to an operational, institutional program. They have asked NIST's Computer Security Division (CSD) to undertake this effort. NIST's plan is to create a web site known as, Federal Agencies Security Practices (FASP). The FASP will consist of three main areas:
(1) agency effective policies, procedures, and practices;
(2) the CIO pilot BSP's; and,
(3) an FAQ section.

We are streamlining the submission process and seeking a wider range of materials. This Forum web site would be available through the CSD's CSRC web site. The Forum is an excellent source to proliferate the sharing of agency information technology (IT) security information and practices desired for this site. Forum email list discussions have addressed many topics that would be useful site postings.

Request: If you have questions to include in the FAQ, please let us know. You might ask yourself, "If I were a new Federal security officer, what would help me?" We have compiled a list of suggested categories to initiate information gathering. This list is based on the categories found in many of the NIST Special Publications:

Agency Policy Manuals or Handbooks
Audit Trails
Certification and Accreditation
Contingency Planning
Data Integrity
Documentation Risk Management
Hardware and Systems Software Maintenance
Identification and Authentication
Incident Response Capability
Life Cycle
Logical Access Controls
Physical Security
Production, Input/Output Controls
Review of Security Controls
Risk Management
Security Awareness, Training, and Education
Security Program Management
System Security Plans

Request: In addition to the categories above, we are soliciting security position descriptions and statements of work for contracting security-related activities. If you only have hard copies available, please fax them to (301)926-2733, and we'll scan them for posting. If they are very long, please send them via regular mail to:

Elaine Frye
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Mail Stop 8930
Gaithersburg, MD 20899-8930

Note: except for FAQ questions, the materials posted will be available on the public web site with credit given to the submitting agency unless otherwise requested. A future web site phase will include FAQ developed/culled from the Forum email exchanges. The FAQ will contain no agency affiliations.

We appreciate your efforts in making this project a success. Our goal is to have the NIST site operational and sunset the CIO BSP pilot site by September 7, 2001. If you have questions, please feel free to contact: Elaine Frye at (301)975-2819 or elaine.frye@nist.gov Marianne Swanson at (301)975-3293 or marianne.swanson@nist.gov.

Go to top of page

Winning Organizational Buy-in for an IT Security Awareness and Training Program

By Mark Wilson (NIST)

No IT security program can be effective without senior management support and buy-in at all levels of management. Likewise, an awareness and training program must have management support and buy-in to be effective, help reduce problem areas, and mitigate risks. Several ways exist to garner and reinforce this support.

Findings and recommendations from external or internal inspections can result in management attention; however, one-time implementation of awareness or training done to satisfy an audit recommendation will not reflect the level of buy-in necessary to run an effective program. When an organization's internal controls program is active and respected by management, identification of a lack of IT security awareness and/or training as a material weakness can be a stimulus to gain management buy-in.

Buy-in can also be achieved through various approaches employed by the IT security program office. One informal approach is the development and presentation of periodic security updates for each layer of management, working upward through the organization. If organizational culture or convention would not support this "grassroots" approach, a more formal, top-down presentation could be developed for the most senior managers or executives. Their support should sway more junior managers.

Another tactic can be periodic e-mail advisories sent to appropriate levels of management and technical staff. Occasional and timely briefings to management during their regularly scheduled meetings would also reinforce the belief that security is simply one aspect of everyone's job, as opposed to being viewed as a one-time, out of the mainstream, function. These briefings can describe the latest threat to a particular operating system and, therefore, to a system or application critical to the accomplishment of the organization's mission. Subject matter can include the latest change to public law, federal requirement, or higher-level (e.g., department) policy, and the impact that these new provisions may have on the organization.

The goal of this management-oriented awareness campaign is to make senior management more aware of the impact of internal and external threats to the business of the organization and the need to better protect itself. This awareness effort, in turn, can result in increased support and buy-in. Securing management support through an overt or covert awareness campaign can also pay dividends in the struggle for resources.

While management should be aware of the posture of an IT security program, and how (or if) the program is maturing over time, hearing and seeing evidence of "battles won" can provide the justification for increased funding and staffing. The evidence would serve as an indication that resources expended on the IT security program are showing results - a return on the organization's investment. Evidence can include statistics of virus attacks thwarted by vigilant users, system and network attacks blocked by system/network administrators, and sources of attacks identified by joint actions of administrators, security staff, and investigative personnel. Evidence can also include rapid recovery from website defacements and other incidents, in which loss of production capability or public trust is minimized by effective response and recovery.

Without an organization-wide awareness program, however, these "battles won" may be the exception, rather than the rule. An organization may suffer a significant denial of service attack, a virus attack, or some other widespread calamity. A potential disaster can be used by the IT security staff to highlight the need for an awareness and training program. For example, a few vigilant users or system administrators might have adequately protected their systems or subnets while the organization was under attack. Their efforts can be shown as examples of what the organization's incident response or system/network monitoring capability could be, if there was an effective awareness and training program. As managers are made aware of the daily efforts to protect system and network-based IT resources, they can be made more aware of the continuing and growing threats facing the organization, and therefore, become more supportive of efforts to mitigate risks to the organization.

Go to top of page

Government Information Security Reform Act
(How GISRA Affects Training)

By Ray Nunn (Drayton, Drayton & Lamar)

On October 30, 2000, President William Jefferson Clinton signed into law the FY 2001 Defense Authorization Act (P.L.106-398) including Title X, subtitle G, the "Government Information Security Reform Act". It amended the Paperwork Reduction Act (PRA) of 1995 by enacting a new subchapter on Information Security. This amendment is very important to Federal Agencies because it seeks to ensure proper management and security for the information resources supporting Federal Operations and assets. The "GISRA" as it is called, primarily addresses program management and the evaluation elements of security. One of these elements is agency reporting and review of an organization's security-training program. The act reemphasizes the agency wide security responsibility of the program official(s) to develop, implement and maintain a security program and document it in a plan. The Computer Security Act (CSA) of 1987 requires Federal agencies to provide mandatory periodic training in computer security awareness and accepted computer security practices. OMB Circular A-130 requires training of individuals before granting access to various systems or applications. This also includes all employees who are involved in the use of any operations of Federal computer systems under the supervision of that agency.

The GISRA reaffirms policy stated in the CSA and OMB Circular A-130 as it relates to mandatory training and awareness. It also establishes that agencies must provide reports relating to their security training and awareness programs. Along with other areas of reporting and evaluations, agency officials such as the Chief Information Officer and other program officials, must submit to the OMB a brief executive summary based on the results of their work. The executive summary will consist of two separate components, one prepared by the Inspector General (IG) characterizing the results of an independent evaluation and the other by the CIO/agency officials. These executive summaries serve as the primary basis for OMB's summary report to Congress. What makes GISRA so unique is that the executive summaries are sent up at the same time as the Fiscal Budget but under a separate cover from the agency's budget materials. The GISRA measures the performance of an agencies training along with other reports and compares this to budget cost. GISRA also helps federal officials look at milestones in an agency to see if strategic plans have been implemented.

There's a new piece of legislation in town and its name is GISRA!

FISSEA Members Know How to Write!

{No, this is not just another plea for newsletter articles. K Rudolph, CISSP, and two of FISSEA's Educators of the Year Gale Warshawsky and Louis Numkin have collaborated to create a Security Awareness Chapter (#29) for the soon to be published Computer Security Handbook, edited by FISSEA's friend Mich Kabay, PhD. Here is the opening segment as well as one of the subsections of the chapter for your reading pleasure.}

1 Awareness as a Survival Technique

An organization's staff is the most cost-effective countermeasure against security violations. They are generally the first to be impacted by security incidents, and their compliance with security policy can make or break a security program. A staff that is aware of security concerns can prevent incidents and mitigate damage when incidents do occur. Given the importance of the staff as a security control, awareness is therefore the most important part of an organization's security program.

Experts recommend that 40 percent of an organization's security budget be spent on awareness1 measures. In the animal kingdom, awareness - being alert to danger signals and responding quickly - can be the difference between surviving and not. This is also true for organizations. Bats and dolphins use sonar to detect and avoid dangers, and cats use whiskers and keen senses of hearing, smell, and night-vision to probe their environments. Personnel who have developed an awareness of danger signals can function as an organization's sensitive detection instruments. Recognition of events that could indicate a security incident should be a reflex. Awareness activities can build this reflexive behavior.

This chapter provides information on security awareness programs. It addresses:

• Critical success factors
• An approach for developing an awareness program
• Principles of awareness
• Content
• Techniques
• Tools
• Measurement and evaluation Resources.

2 Critical Success Factors

An organization's security awareness program needs a successful launch for maximum impact. An Awareness Program Pre-flight Checklist can help ensure a successful launch. The Checklist makes sure that the critical program elements listed below are not overlooked:

• Information security policy
• Senior level management support and buy-in
• Awareness program focus that security, at its core, is a people problem
• Goals (short term, intermediate, and long range)
• Audience profiles
• Incorporation of motivational techniques.

2.6 The Art of Motivation

An awareness program may seek to change attitudes and behaviors that are ingrained habits or that have emotional significance that makes them hard to change. To overcome this resistance, an awareness program must appeal to other attitudes or preferences. For example, a person who believes that it is acceptable to share another individual's personal data with a coworker, or a password with a new hire who has not been approved for system access, must be shown that people are respected and recognized in the organization for protecting confidential data rather than sharing it.

As long as people associate hackers with being "cool," an awareness program is not likely to impress them with anti-hacker messages. Instead, the message should emphasize something that will appeal to the audience, for example, the damage done when a person's identity or personal data is stolen and that person cannot get a loan or health insurance five years later. An awareness program should deglamorize hackers by focusing on the victims and the harmful results of their activities. People need to be made aware that hackers hurt people, whether they intend to or not.

Messages that call for controls that result in inconvenience, or that require a sacrifice by the audience may not be perceived well. A hostile environment for security can result from people having to comply with cumbersome controls while management is demanding greater productivity.

Another factor in motivation is, "How sensitive are the audience members to the opinions of others?" If the audience is mostly new hires and young people, the message can capitalize on the idea that young people often want to belong. People pass chain letters on because they are superstitious or want the acceptance of being part of the group that has seen the latest Internet humor. If someone receives an e-mail attachment with an interesting subject, there is pressure to open it and respond. The awareness program needs to establish a value in belonging to a group that shuns such harmful activity.

The right message will have a positive spin. Instead of glamorizing the independence of the hackers, the message should emphasize the courage and independence it takes to resist appeals from friends and co-workers to share copyrighted software. Withstanding peer pressure to make unethical or risky choices can be shown in a positive light, so that the people who follow the rules are seen as praiseworthy and not as wimps.

Fear can be an effective motivator, but the primary value of scare tactics is to get the user community to start thinking about security in a new way. Fear-based messages are most effective for motivation when the message includes information on how to avoid or protect oneself from danger.

Potential pitfalls of awareness programs that are not carefully designed include the dangers of:

• Losing the audience's attention,
• Alienating the audience,and
• Over-doing it.

An awareness program is like an exercise program. If the audience is bombarded with everything in the awareness arsenal at once, they may become overwhelmed and will not stick with the program. It is important that management understand that effective awareness programs are long-term activities that bring gradual improvement.
{That's all for this installment - - Ed.}

Go to top of page

Trainia

{This column is a compendium of info on upcoming conferences/seminars, courses, books which may be worth your reading time, and more. That is why it is named TRAINIA, a contraction of the words TRAINing and trivIA. Hope you find it useful... Ed.}

September 12-13, 2001 - E-Gov E-Learning Conference at the Ronald Reagan Building and International Trade Center in Washington, DC. E-Learning at all levels of government is transforming from small programs to agency- and department-wide efforts that have real impact on how employees attain skills and learn new concepts. Both Government and industry practitioners will discuss how they use theory and tools of E-Learning to create virtual classroom experiences that improve employee performance. For more info call (800)746-0099 or go to www.e-gov.com

---------------
September 24-25, 2001 - The Conference on Mobile and Wireless Security Sponsored by MIS Training Institute and being held in Atlanta, GA.The focus of this event is straightforward: wireless security - how important it is and the strategies you can use to protect your systems. TO EXPRESS REGISTER, go to: http://www.misti.com/ (Please use MWS/EB4 as your priority code when registering online.) FOR COMPLETE DETAILS, go to: http://www.misti.com/

---------------
October 8-12, 2001 - The International Conference Information Technologies & Security will be held in Crimea, Partenit on Ukraine. {Received this info from Professor Vladimir Golubev email = golubev@timax.net.ua}Crimea, Partenit is the fine resort on a coast of the Black Sea with climate like Miami (Florida).Threats to the growth of this new technology and its democratizing impact will be examined, as well as creative solutions and preventative strategies for business, public sector and international organizations. You may receive more detailed information at http://www.crime-research.org/ibt/

---------------
October 24- 25, 2001 Cryptographic Module Validation Program 2001 Conference will be held on at the Washington Plaza Hotel in Washington, DC. It will be sponsored by NIST and the Canadian Security Establishment (CSE). It will include presentations and discussions on the new FIPS 140- 2 standard, Security Requirements for Cryptographic Modules, differences between FIPS 140-1 and FIPS 140-2, algorithm testing suites, Common Criteria and the CMVP, a number of panel discussions from Federal and user agencies and a laboratory panel discussion. Information on registration, hotel accommodations and the draft agenda can be found at http://www.nist.gov/cmvp2001

---------------
October 31 & November 1, 2001 Federal Information Assurance Conference (FIAC) 2001 will be held at The Inn & Conference Center of the University of Maryland University College in College Park, MD. With the end of an era for the National Information Systems Security Conference (NISSC) which filled the calendars of many IA professionals in October each year, the time has arrived for a new annual conference with a new mission to guide the Information Security of the Federal government. While NISSC sought to raise the awareness of government, industry and academia of the need for computer security and the related disciplines that followed, the FIAC will go far beyond this by bringing together those responsible for IA to create solutions and drive the future of IA in the Federal government. Visit the conference website at http://www.fbcinc.com/FIAC/main.htm for a conference abstract. For more information please contact Bob Jeffers at Federal Business Council (800)878-2940, x226 or email bj1@fbcdb.com.

---------------
November 13-14, 2001 - InfoSecurity University at COMDEX Fall 2001! MIS Training Institute and Information Security Institute will present the highly acclaimed InfoSecurity University at COMDEX. 11 cutting-edge sessions in two focused tracks (E-Business Security and Infrastructure Security) over two days will teach tested techniques for protecting your mission-critical data and systems while making the most of their business potential. Some included topics are: enterprise infosecurity, biometrics and smart cards, vulnerability testing, hacker attacks, wireless applications, handhelds, VPNs, and more. The rest of the conference will include Keynote Addresses by Bill Gates of Microsoft Corporation, John Chambers of Cisco Systems, and Larry Ellison of Oracle Corporation. Exhibit floor will be divided into nine technology zones: Software Platforms and Solutions, Information Appliances, Networking, Digital Imaging and Publishing, WebWorks, IT Services, eMobility, OEM, and New World Service Provider. TO REGISTER go to: http://www.webeventregistration.com/ registration/register0?v_event_id=507 ( Important: When registering, please enter SECE as your priority code.) Questions: phone (508)879-7999, FAX (508)872-1153, E-mail mis@misti.com

---------------
December 3-6, 2001 MIS Training Institute's The Conference on PKI Interoperability: Making It Work in Your Organization is coming to Boston on December 4-5, 2001.Register by September 28, 2001, and SAVE $100 on the conference registration fee! FOR COMPLETE CONFERENCE DETAILS, go to: http://www.misti.com/

---------------
December 11-12, 2001 The Brookings Center for Public Policy Education for Corporate and Government Leaders session on US National Security Policy Issues. During these off-the-record discussions with Member of Congress, military leaders, foreign embassy officials, administration officials, and Brookings scholars, participants will learn about emerging national security issues and discuss their likely impact. Issues addressed include information warfare, defense downsizing and readiness, innovations in military technology, and new threats to world stability. Government/Nonprofit = $1,275 Corporate = $1,575. For more information call (800)925-5730 or go to www.brookings.edu/execed

---------------
SANS Institute is offering the SANS Securing IIS 5.0 course as follows:
     - Chicago, IL - September 13
     - New York City, NY - September 17
     - San Jose, CA - September 19
     - Washington, DC - September 22
Instructed by Jason Fossen, it will focus on IIS 5.0 and have a special Code Red section. For further information or to register please go to http://www.sans.org/sec_IIS.htm The cost of the course will be $229.00. If you can not attend one of these courses, check at www.sans.org for an online version of this course.

---------------
CSI Information Security Seminars 2001 Training Schedule Nancy Baer, Senior Marketing Manager for the Computer Security Institute sent along course information, just a few have been highlighted. To get complete info, PHONE 415/947-6364 FAX 415/947-6023 EMAIL nbaer@cmp.com or check out www.gocsi.com
Sept 19-21 CISSP Prep for Success, San Antonio, TX
Nov 1-2 How to Develop Information Security Standards and Procedures, Washington DC
Nov14-15 How to Develop Information Security Standards and Procedures, San Francisco CA

---------------
Oct 29-31 The 28th CSI Annual Computer Security Conference and Exhibition, Washington, D.C. http://www.responsetrack.net/lnk/gocsi0/?1l96COATUET Call 415-947-6320 or email csi@cmp.com

---------------
Learning Tree International is offering a collection of classes on "Web Development, XML, JavaScript, Java and Security Courses" Six Security Classes are listed in the current brochure. Course subjects include: VPNs, Internet, Intranet, Web, Firewalls, Intrusion Detection, and PKI in the Enterprise. For info call (800)843-8733 or go to www.learningtree.com

Go to top of page