FISSEA Logo News and Views
January 2003
Issue Four of FISSEA Year 2002-2003


IN THIS ISSUE:

 

From the Executive Board Chair

2003 has arrived! It is really difficult for me to believe that our 16th Annual FISSEA Conference is only about five weeks away. This year we will be offering our conference attendees an opportunity to participate in our best conference to date. I say that because every year we strive to make the next conference even better and to learn lessons from our last conference. We read and discuss each of your comments as we review the evaluation forms. Then we discuss the pros and cons of implementing your suggested changes. We try our best to be as responsive as possible to your feedback.

A perfect example of this was our decision to move our next conference to the Hilton in Silver Spring, MD. This will be the first time we have moved out of the Gaithersburg area where NIST is located. However, our participants kept requesting that we have the conference in a site near the Washington Metro. I understand that this location is easy to find and only about 2 blocks from the Metro station. We are hopeful that you will be pleased with this major change, which resulted in a slightly higher cost this year. Of course, we still believe that our conference is by far the best return on investment you can find. We are offering you the opportunity to participate in a superior 3-day information systems security awareness, training and education conference for only $275.00. In addition to hearing from expert presenters, you will be able to network with many other professionals, visit the exhibition hall to find out about new services and tools, meet the Educator of the Year, eat delicious food and have a lot of fun. I guarantee it!

Please visit our website often for current information about FISSEA and our next conference: http://csrc.nist.gov/fissea. I am particularly thankful to two NIST employees (i.e., Patrick O'Reilly and Peggy Himes) for keeping our website up to date, informative and interesting. Lt. Colonel Curt Carver has been doing an exceptional job as our Conference Program Manager. This is also an excellent time for me to publicly extend my gratitude to all the Board members and acknowledge their tremendous support all year. Although many of you contributed articles, it was Louis Numkin's job as editor to pull the newsletter together quarterly. Phil Sibert recently retired after many years of outstanding government service. He is a past FISSEA Board chair and continues to support FISSEA as a Board member. Phil is such a great person with whom to work and a major asset to the Board. I am so glad that he has promised to keep on working for FISSEA through our upcoming conference. There is just not enough time for me to list the individual contributions of each of the FISSEA Board members in this article, but I assure you I could easily do so.

Perhaps, I will have an opportunity to tell you more about how the current Board functions at the annual meeting during our conference. Contact me if you want to request that a specific item be added to the business agenda. Sometimes, it is difficult to find the time to complete a FISSEA task timely because of competing priorities, but somehow we have managed to amaze ourselves by getting it done -- even when it was completed at home in the wee hours of the morning. I assure you that being a Board member involves sacrifice, our management's support and our willingness to stay committed to FISSEA's mission. However, the opportunity to serve and make such a major difference for our members makes it all worthwhile. We are always looking for talented, cooperative, hard-working and friendly volunteers to help us move toward our vision. I encourage you to seriously consider joining our team if you have both the desire to work with us and your management's full support. You can find other details about being a Board member in our last newsletter and/or on our website. Like Uncle Sam, FISSEA needs YOU!
Barbara Cuffie, CISSP

Go to top of page

horizontal bar


Letter From the Editor:
During the Winter, Mama always said "Dress in Layers."

By Louis M Numkin, US NRC

Now, let me see... do I put cotton socks on first or wool? Hmmm...

We have always been taught that as far a Computer Security learning is concerned, there are three basic levels: Awareness, Training, and Education. All employees should have at least a layer of Basic Literacy and Understanding, otherwise known as Awareness. This is the cotton layer used to wick moisture away from your skin and in this case is analogous to moving awareness throughout your organization. It can be accomplished in many ways, including poster displays, "lunch and learn" sessions, and hosting an annual observance of Computer Security Awareness Day.

The next layer is usually wool or some warming material. For our purposes, this is the Training layer. Some of our employees need further understanding of select security requirements. Providing training for LINUX computer operators in system specific security features is one example.

Some individuals are in positions where they require more detailed security understanding. This third layer relates to Education and it provides the protective outer covering like a parka or snowsuit. It permits employees to do more in a safe environment because computer security lead personnel have achieved the higher level of course work, per guidance in NIST 800-16 and aligned educational opportunities and experience.

Now that we're outfitted for winter, let's take it one step further. We can not rest on our shovels but must keep digging out from the blizzard of viruses, worms, FISMA, hackers, SPAM, espionage, and the continued forward march of technology. Remember, the other Wintertime axiom your Mom told you, "sweaty dirty socks don't protect as well as clean and dry ones." So keeping up on new security issues and solutions by attending seminars, conferences and pursuing professional certification will complete our picture of organizations which are properly protected from Winter Woes and able to go in the cyberspace snow.

After getting all bundled up with two pairs of pants, galoshes, a hood over stocking cap over earmuffs, and mittens which were attached to his zipped, velcroed, and buttoned overcoat, as dressed by his Mother, a young lad was standing next to the door which would lead him to a happy play day in the white fluffy stuff which caused educational institutions to close for the day. His Father happened by and said, "Son, it's a great day out there, you're off school, other kids are sledding and making snow angels. What are you waiting for?" From under an oversized muffler came the little guy's reply: "A push!"

Dear Readers, FISSEA can provide the push. Attend our March Conference, read our Newsletter, share questions and ideas on our listserve. Consider yourself "pushed." Now, get out there and enjoy doing it.

Go to top of page

horizontal bar


Minor Correction Made to the FISSEA Bylaws

By Phil Sibert, FISSEA Board Member

Several years ago the FISSEA Bylaws were revised to create "two-year staggered terms", as indicated in section 3.d. Members-at-Large. When this was done, making a corresponding change to section 6. Executive Board Vacancies was overlooked. Section 6., which stated "This appointment will continue until the next annual election.", has now been revised to make it consistent with section 3.d. so that a vacancy on the Board is filled by an appointment for the duration of the term that was vacated. The revised section 6 will read as follows:

6. EXECUTIVE BOARD VACANCIES:

The Chair shall appoint a replacement from the general membership in cases of unexpected Executive Board resignations or vacancies. This appointment will continue for the duration of the term of the Member-at-Large position that was vacated. At the discretion of the Executive Board Chair, FISSEA members may be appointed to serve on the Executive Board if fewer than eight members have been elected to fill the Board vacancies. The membership will be notified.

Because this is a minor change to ensure consistency throughout the Bylaws, it does not require membership approval. This is being provided to keep the membership aware of actions undertaken by the Executive Board.

Go to top of page

horizontal bar

What's All This I Hear About the CISSP?

By John Rossi, FAA

The CISSP (Certified Information Systems Security Professional) is an internationally recognized certification for ISS Professionals. If you are in the InfoSec business, this is YOUR certification. Certainly, there are many outstanding ISS professionals who choose not to pursue this certification for any number of reasons; however, the CISSP designation is often seen as a discriminator by professionals and customers within, and outside of, the ISS field.

To obtain the CISSP designation, one must pass a grueling, 6-hour written examination that consists of 250 multiple-choice questions from ten ISS "domains" (Telecommunications, Cryptography, Operations, Management, Access Control, Law/Investigations/Ethics, Applications, Operations, Business Continuity, and Architecture). A CISSP candidate must also be willing to commit to a Code of Ethics that demands a high level of professional integrity and character. The candidate must have also been working actively in the ISS field for at least 4 years (this "experience" requirement was raised from 3 to 4 years in 2002). The demands for certification are challenging and difficult, but many government and industry specialists have achieved this valuable certification. The reward is international professional recognition, increased career opportunities, and increased, recognized credibility in the ISS discipline.

Perhaps the best way to prepare to pass this examination and become a CISSP, is to commit to doing 4 things:
  1. Actually work in the ISS field. This doesn't mean simply changing your email password when it's time. Rather, it means getting involved in the advancement of information security in your organization. This will satisfy the 4-year experience requirement.
     
  2. Take a CISSP Preparation Class. The class is a full week of daytime classroom lecture, with study groups and small working sessions in the evenings. The class itself is demanding and presents a huge amount of material (more than 1500 slides) covering a comprehensive review of the 10 Domains and working on about 200 sample questions. This class gives the candidate an excellent view of the areas that require more in-depth study.
     
  3. Read books, do sets of practice examinations, and study with other CISSPs and CISSP candidates for 1-3 months to prepare for the actual examination.
     
  4. Commit to an examination date about 2 months after you take the preparation class. Don't wait until you feel ready and prepared. That may never happen. The amount of material is so massive that virtually no one really "feels ready." Most people just study as best they can, then take the exam. Many people don't feel high confidence even after taking the examination. It is only 2 weeks later when you receive the results that your hard work pays off.

There are approximately 13000 CISSPs worldwide, and the number is growing. Less than 1% of the world's CISSPs (only about 70 worldwide) are internationally certified as CISSP instructors who are certified to prepare candidates for the examination. There are only about 40 such certified instructors in the United States.

John R. Rossi (US Federal Aviation Administration's Office of the CIO/Chief Scientist: AIO-4) is one of these 40 certified CISSP instructors. John presents a 45-minute session that discusses the CISSP. He also gives an "Exam Cram" course for candidates who have taken the CISSP preparation class. The "Exam Cram" discusses 100 sample questions and explains the highlights to know from each of the most difficult security domains.

Go to top of page

horizontal bar

FISSEA EXECUTIVE BOARD

FISSEA EXECUTIVE BOARD
* Term ends March 2003
** Term ends March 2004

*Barbara Cuffie CISSP, Executive Board Chair barbara.cuffie@ssa.gov
*Lewis Baskerville, lewis.baskerville@sba.gov
*George Bieber, george.bieber@osd.mil
 *Patti Black, Assistant Chair, patricia.black@do.treas.gov
 *Louis Numkin, Newsletter Editor, lmn@nrc.gov
 **LTC Daniel Ragsdale, dd9182@usma.edu
**Donna Robinson-Staton, donna_robinson-staton@hud.gov
**Philip Sibert, philsibert@aol.com
**Robert Solomon, CISSP, robert.f.solomon@nasa.gov
 **Mary Ann Strawn, mast@loc.gov
*Mark Wilson, CISSP, NIST Liaison, mark.wilson@nist.gov

FISSEA Membership/NIST Liaison (non-voting member):
Peggy Himes, peggy.himes@nist.gov


Interactive Session at March Conference

Lee Ohringer's Sharing of Computer Security Posters on Tuesday, March 4th at 2:00 p.m. will be an interactive session. Please bring samples of posters developed by your organization.
 

Go to top of page

horizontal bar

FISSEA 2003 Conference Update

"Securing Your Cyber Frontier Through Awareness, Training and Education"
By Curtis Carver, Program Director
U.S. Military Academy, West Point

The 2003 FISSEA conference is right around the corner and is likely to be the best security awareness, training, and education conference this year. We had so many proposals for presentations this year that we picked the very best, added an alternate track so we could schedule more presentations and allow conference attendees to choose between presentations, and then capped registration at 250 because there was no doubt the conference was going to be full. Four keynote speakers and over thirty regular speakers from over twenty-five different federal, academic, and industrial organizations provide the foundation for this year's conference and they are exceptional even by FISSEA standards. High profile keynote speakers such as Keith Rhodes (GAO), Lance Spitzner (Sun), Alan Paller (SANS), and Thornton May will provide you with insight into the important trends in the field. Invited speakers will provide the detailed and lively presentations into the best practices and research in the field. Are you interested in what CERIAS, the FBI, the Federal CERT, NIST, OMB, and the National Cryptologic School are doing in security awareness and training? These organizations are just a subset of the presentations on the first day of the conference. Imagine all the useful information, insight, and contacts you will have at the end of the conference. There will be door prizes, industry exhibits, and the "Cruise Director" will be back again to take care of your cruising needs. But don't take my word for it - check out the Conference website at:
http://csrc.nist.gov/organizations/fissea/conference/2003/index.html
for yourself and afterwards you can register at:
https://sales.nist.gov/conf/secure/CONF476/conf_register.htm .
The 2003 FISSEA conference is the conference of the year for security awareness, training and education. Don't miss out on your opportunity to attend.

Go to top of page

horizontal bar

TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security Awareness, Training, and Education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at lmn@nrc.gov

**************

FEB 9-11, 2003 CyberCrime 2003 Conference and Exhibition at the Foxwoods Resort in Mashantucket, Connecticut. For more info, phone 1(800) 213-4326 or visit www.cybercrime2003.com

**************

MAR 4-6, 2003 FISSEA Annual Conference. "Securing Your Cyber Frontier Through Awareness, Training, and Education". The Hilton in Silver Spring, MD. Three days only $275. SPACE is limited. Further questions, contact peggy.himes@nist.gov. Register Today! See Curt Carver's Update in this issue. Agenda and registration information available at your website, http://csrc.nist.gov/fissea.

***************

MAR 7-12, 2003 SANS Institute's 2003 Annual Conference with 12 separate tracks will be held in the Sheraton San Diego Hotel and Marina in California. More information is available at www.sans.org/register4SANS

**************

MAR 19-20, 2003 THE INSTITUTE FOR APPLIED NETWORK SECURITY is hosting the Mid-Atlantic Network Security conference, focusing on Intrusion Detection and Enterprise Security Management at the National Conference Center in Leesburg, Virginia. This gathering of experienced network security professional from government, industry and academia is to share technical and business insights in a "sheltered" environment. Faculty leading this event includes Becky Bace, Eric Cole, Ron Gula, Chris Petersen, Marcus Ranum and Robin Roberts. Positions at the Forum are LIMITED. To register or to learn more, please contact Amanda O'Donnell at the Institute at (617) 399-8100 or visit www.ianetsec.com

**************

APR 22-24, 2003 MISTI is sponsoring "The FORUM on Information Security in Government" which will be held at the Hilton Alexandria Old Town in Virginia.There will be additional workshops on either side of the conference. For information, please contact MIS Training Institute at (508) 879-7999x346 or e-mail mis@misti.com

**************

MAR 27-28, 2003 European Organisation for Conformity Assessment (EOTC) News reports that a major conference will be held in Nice, France, examining how the establishment of standards can help to widen access to a variety of modern products, services and environments for young, old and people with disabilities or special needs. The event, entitled 'Accessibility for All', is being organized by the three European Standardization Organizations (ESOs) - the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC) and the European Telecommunications Standards Institute (ETSI). Details of the conference workshops and a registration form is available at: www.etsi.org/cce

**************

European Organisation for Conformity Assessment (EOTC) has informed us that the ConformityAssessment.org Web-Portal has launched a new Certification Category which includes references to Training. This new category currently features over 384 websites and 110,520 web-pages dealing specifically with Certification. (ISO/IEC Guide 2:1996). Organizations may submit their websites through the following link: http://www.conformityassessment.org/directory/addsite for possible inclusion. Contact: Fred.Werner@eotc.be

**************

MAY 12-15, 2003 The CardTech SecurTech annual conference will be held at the Orange County Convention Center in Orlando, Florida. This year, a track is being devoted to "Security Technology Applications." For info, call 1-(800) 442-CTST or check www.ctst.com

**************

JUN 2-5, 2003 The Colloquium for Information Systems Security Education will be held at the Washington (DC) Marriott Hotel. Papers are called for - send them to www.ncisse.org/papers.htm Registration info is available at www.ncisse.org/registration.htm

**************

AUG 5-7, 2003 NEbraskaCert - 5th annual Computer Security and Information Assurance Conference, Omaha, NE. They're looking for qualified presenters! To inquire about speaking and sponsor opportunities, email info@certconf.org. For additional information, visit: http:www.certconf.org. Keynote speakers include: Jim Christy, Defense Cyber Crime Center; Rich Pethia, Carnegie Mellon University; Ray Semko, Diceman, of the Interagency OPSEC Support Staff.

**************

Note, see the FISSEA News and Views, December 2002 issue for previously noted 2003 security conferences.

**************

Computer Security Institute's catalog of 2003 Information Security Seminars is now available. If you haven't yet received a copy, contact (415) 947-6320 or e-mail csi@cmp.com

**************

MIS Training Institute's annual Course Catalog is available and if you haven't received your copy, please go to their website: www.misti.com

**************

InfoSec News reported that Symantec Corp. will provide up to $50,000 to cover the full tuition costs and a stipend for one student for two years in launching a fellowship program at Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS). The student must be degree-seeking, enrolled at Purdue, and maintain a grade point average of 3.0 in his or her field of study. Symantec said the application deadline is March 1. The fellowship program's goal is to increase awareness within the Internet security industry as well as increase students' knowledge, said Teresa Bennett, director of strategic relations at CERIAS. The fellowship recipient will be announced April 8 at the annual CERIAS Spring Symposium held on the West Lafayette, Ind., campus of Purdue University. The Symantec fellowship will begin during the 2003-2004 school year and will be expanded to include a second student beginning in the fall of 2004.

**************

Book Review by Debra S. Herrmann
debra.ctr.herrmann@faa.gov
Using the Common Criteria for IT Security Evaluation
ISBN: 0849314046 December 2002 Auerbach Publications
This book is a user's guide for the Common Criteria for IT Security Evaluation, the first such book to be published. It explains how to understand, interpret, apply, and employ the Common Criteria throughout the life of a system, including the acquisition and certification and accreditation (C&A) processes. December 1999 ISO/IEC 15408 Parts 1-3, the Criteria for IT Security Evaluation, was approved as an international standard. The Common Criteria, considered the international standard for IT security, provide a complete methodology, notation, and syntax for specifying security requirements, designing a security architecture, and verifying the security integrity of a product, system, or network. In the U.S. NSTISSP #11, National Information Assurance Acquisition Policy, mandated the use of CC evaluated IT security products in national security and critical infrastructure systems starting in July 2002. Like ISO 9000, the Common Criteria have a mutual recognition agreement so that products certified in one country are recognized in another. As of December 2002, sixteen countries have signed the mutual recognition agreement: Austria, Australia, Canada, Finland, France, Germany, Greece, Israel, Italy, Netherlands, New Zealand, Norway, Spain, Sweden, U.K., and U.S.

**************

An interview with training pioneer Tom Kelly, head of training for Cisco Systems, which discusses many of the innovative approaches Cisco has taken to training that has expanded its training methodologies and delivery options, making it a model for tech companies that want to upgrade their training materials. The interview was with ComputerUser's James Mathewson and may be found at http://www.computeruser.com/articles/2201,2,1,1,0101,03.html

Go to top of page

horizontal bar

* NOMINATION  FORM * NOMINATION  FORM * NOMINATION  FORM *

FEDERAL INFORMATION SYSTEMS SECURITY EDUCATORS' ASSOCIATION

EXECUTIVE BOARD ELECTION - 2003

The Board consists of a total of 11 members. These current Board Members are serving the second year of their two-year terms. Do not nominate any of them.

  1. LTC Daniel Ragsdale, U.S. Military Academy
  2. Donna Robinson-Staton, Dept. of Housing & Urban Development
  3. Mary Ann Strawn, Library of Congress (appointed after J. Bush resigned)
  4. Robert Solomon, NASA - John Glenn Research Center
  5. Philip Sibert, Department of Energy

The term for the following board members expires in March 2003. They will have to be nominated and elected by the membership at the annual business meeting in March 2003.

  1. Lewis Baskerville, Small Business Administration
  2. George Bieber, Defense-wide IA Program
  3. Patricia Black, Dept. of Treasury
  4. Barbara Cuffie, Social Security Administration
  5. Louis Numkin, Nuclear Regulatory Commission
  6. Mark Wilson, National Institute of Standards and Technology

Nominations may be made prior to the conference and from the floor of the conference. A FISSEA member who wishes to serve on the Executive Board may nominate him/herself. Please give careful consideration to the time and commitment involved before making the decision to run. The Executive Board meets monthly in Gaithersburg, Maryland. It is desired that all board members attend the monthly meetings as well as the 3-day annual conference. It is urged to have prior management approval of your FISSEA Board responsibilities.

Send the information below to Peggy Himes, Nat'l Inst of Stds and Tech, 100 Bureau Dr Stop 8930, Gaithersburg, MD 20899-8930 or e-mail the information to peggy.himes@nist.gov.

Name of Nominee: ___________________________________________________
Employing Organization: ______________________________________________
Position or Title: ________________ Phone Number: _____________________
E-mail Address: _____________________________________________________

Qualification Statement: (You must have the permission of the nominee to submit his/her name. What has the nominee done to warrant this nomination?)

__________________________________________________
__________________________________________________
__________________________________________________
__________________________________________________

_______________________        ___________     _____________________________
(Person making this nomination)    (Date)                  (E-mail address and/or Phone Number)

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: January 11, 2003.