News and Views
Federal Information Systems Security Educators' Association
Issue One of FISSEA Year 2005-2006
April-May 2005
From the Chair

Hello FISSEA, I am beginning to write this while my car is having its brakes checked. A lot of things have happened since my last column. We held a very successful conference at a brand new grand location. We elected our new Executive Board. Our newsletter editor has changed. Oh, and I now have new brake pads!

Hydraulic fluid is what keeps the brakes at the correct operating pressure and functioning well. Keeping FISSEA running flawlessly are our NIST liaisons, Peggy Himes and Mark Wilson. These often unseen supporters are truly the backbone of our organization. And, lest we forget, Patrick O'Reilly keeps our website up and running, and Patrice Boulanger and her organization help our conferences to run smoothly.

Car brakes have many parts: pads, calipers, rotors, and an assortment of connection and control devices, all designed to keep passengers safe. Our Exec Board is also made up of various pieces which work well together to keep our 18-year-old vehicle (known as FISSEA) moving safely forward down the correct path. Pads wear out over time and need to be replaced. Our new FISSEA-brand pads include: K Rudolph, Susan Hansche, and Jim Litchko. My calipers just needed to be cleaned and serviced. This is like Barbara Cuffie, who returns as a full term Exec Board member after her year as ex-officio. We are also fortunate to not only bring her back on the Board but also to have her impressive abilities in our Assistant Chair position. One of my rotors did not need replacing, like our Board members in the second year of their two-year terms. Their experience and the organizational history they carry is essential to the continuation of our association. Mary Ann Strawn, Curt Carver, Gretchen Morris, Will Suchan, Tom Foss, and Jeff Seeman are FISSEA OE (original equipment). Another rotor was a little warped, sort of like myself - being reelected both to the Board as well as its Chair.

I always appreciate critiques on my writing and this time one came before publishing.
Mark "Bubba" Wilson commented that he "like(d) the maintenance analogy (but) You could take it further with some mention of needing a clean windshield to see where you are going, and working mirrors to see where you have been (as well as) what might be coming up on you." Thanks Mark, you can be on my column's Pit Crew any day.

Out our rear view mirror are the faces of Marvella Towns, Lewis Baskerville, and Tanetta Isler, who are waving farewell as we step on the gas. But, remember, things in the mirror "are closer than they appear" - we hope that their support will not flag as it was truly appreciated.

The major near term items viewed through FISSEA's windshield are our Strategic Plan and some new and varied free workshops.

Driving away from the service bay, it
is getting difficult to type... not! But I have now met Mike the Mechanic
as well as held the first new Exec Board's meeting and as FISSEA passengers
I suggest you fasten your seat belts because we're in for a wild ride!
Oh, give me a brake... I mean break!

NIST Special Publication 800-53

Submitted by Amy Korman, CISSP, ISSMP/AP, CPA

Introduction

NIST SP 800-53: What Is It?

Timeframe

The FISMA Implementation Project web site at http://csrc.nist.gov/sec-cert has the latest information on FIPS 200. Currently, the schedule has been revised to include issuing the first public drafts of the SP 800-53A and FIPS 200 documents in June and April 2005, respectively.

What Will Change?

Difference in Old and New Documents

The seventeen families in the SP 800-53 document are not a direct one-to-one mapping of the seventeen control areas and objectives of the SP 800-26 document. Some control areas are easily mapped on the surface, such as Personnel Security, which goes by the same name in both publications. However, some control areas from SP 800-26 do not appear at all in SP 800-53, and SP 800-53 has some new control objectives (families) that were not referenced in SP 800-26. Some of the new families, such as System and Information Integrity (SP 800-53), are easy to map back to SP 800-26 (Data Integrity); this is just a matter of semantics. The crux of the change is that the original control objectives from SP 800-26 are scattered amongst multiple families in SP 800-53, and one control objective may now be mapped to multiple control objectives.

How will this affect you?

A more detailed review of SP 800-53's Appendix G reveals a mapping of the SP 800-53 families to the SP 800-26 control objectives. This nicely shows the mapping between the new organization of controls and the old, well-known controls and their layout. Appendix G shows, for example, that the new family, Audit and Accountability, maps to two of the SP 800-26 categories: Audit Trails and Logical Access Controls. It does not easily show that questions (controls) from section 17, Audit Trails, of SP 800-26 are now contained within the SP 800-53 Maintenance family, as well as within the Access Control and Audit & Accountability families.
A reverse mapping to better explain this area is currently being worked on.

Training

(The author, Amy Korman, CISSP, ISSMP/AP, CPA, may be contacted at amy.korman@pec.com)

The Beginnings of FISSEA and Then Some

Submitted by Peggy Himes, NIST

(The "History of FISSEA" was first printed in the January 1999 newsletter. While some newer members may not be aware of FISSEA's beginnings, the earlier article is repeated below.)

"The Federal Information Systems Security Educators' Association (FISSEA) is a volunteer organization for federal information systems security professionals, contractors of federal agencies and faculty members of accredited educational institutions. The concept of such an organization originated in 1984 at a meeting held in the Fort Meade Officers' Club. Over the years interest in computer security awareness, training, and education grew. In 1989, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) Subcommittee on Automated Information Systems Security (SAISS) approved the charter for the "EDUCATORS." NSA's Larry Martin, Harold Segal, and Horace Peele were founding members of the working group. Later, when the group formalized in direct support of the Education, Training and Awareness Working Group of AIS, the Educator's Subgroup became known as the National Computer Security Educators (NCSE). During this time, the organization was under the sponsorship of the National Security Agency.

The enactment of P.L. 100-235 (the Computer Security Act of 1987) was a motivating factor for moving the sponsorship of FISSEA from NSA to NIST as classified and unclassified information was divided between the two agencies. In 1991, the name, National Computer Security Educators (NCSE), was changed to the Federal Information Systems Security Educators' Association (FISSEA).
Emphasis was placed on the federal community, but membership and interests also included academic institutions and others interested in computer security education. To name names, early Executive Board members from 1991-1993 included Jon Arneson, Joan Capel-Pohly, Patricia Ciuffreda, James Colburn, Richard Costello, Barbara Cuffie, Dorothea de Zafra, Joseph Easley, Kathie Everhart, Duane Fagg, Janet Jelen, Delmar Kerr, Charles Kellerman, Ray Letter, Geoffrey Lewis, Vic Maconachy, Victor Marshall, Harold McConnell, Dennis Poindexter, Roger Quane, Gary Smith, Lauresa Stillwell, and Althea Whieldon.

The first NCSE seminar was held in 1989 with the theme Trainer's response to the training requirements of the Computer Security Act of 1987. The NCSE seminars have evolved into an annual FISSEA conference. A complete listing of past conference themes can be found on the FISSEA website.

At the conference each year, an award is presented to a candidate selected as Educator of the Year, honoring distinguished accomplishments in information systems security training programs. The first award, given in 1991, was presented to Gary W. Smith. Other recipients include: Vic Maconachy (1992), Corey Schou (1993), Lt. Col. E. C. Chambers (1994), Gale Warshawsky (1995), and Joan Pohly (1996). The 1997 Educator of the Year was awarded to a group of individuals: Dorothea de Zafra, John Ippolito, Sadie Pitcher, and John Tressler. The 1998 EOY Award will be presented at the March conference. The FISSEA website has information on nominating a candidate for the Educator of the Year award. The deadline for submission is mid-February and the award is given at the annual conference held in March.

Today, FISSEA is growing and thriving. Its program of work remains focused on computer security education, a more vitally important agenda now than in 1984 when FISSEA was conceived.
FISSEA's 290 members are encouraged to serve on task groups, to contribute to the newsletter, to network with other members and to foster the goals of FISSEA in their own organizations. Then, we will have more good news to write in the next chapter of FISSEA's history."

Next Chapter: To bring this article up to date since it was originally written in 1999: FISSEA continues to hold annual conferences, now offers free workshops, encourages people to submit articles for the newsletter, and maintains a website and a list serve for members to communicate with each other. In 1999, there were 290 members. Today, there are 1,140. However, the list serve has less than half the members in it. If you would like your email address included, please send an email to fisseamembership@nist.gov. You can view complete guidance on the website under On-Line Email List Rules and Guidance.

The Educator of the Year award was presented to Louis Numkin (1998), Dr. Roger Quane (1999), George Bieber (2000), LTC Daniel Ragsdale (2001), Patricia Black (2002), and Jeff Recor (2003). Most recently, congratulations go to Dr. Gail-Joon Ahn, University of North Carolina, who was presented with the 2004 Educator of the Year Award at this year's conference.

In the last two years, a contest has been held for the best website, trinket, and poster. Marvella Towns coordinated this popular contest and announced the winners at the annual conference. The winning entries are shown on the website. In 2004, Diane Coleman, IRS, won the trinket portion; Melissa Guenther, University of Arizona, won for the poster; and Capt. Cheryl Seaman, HHS, won the website portion.

The 2005 FISSEA Poster, Trinket, and
Website Contest winning entries were presented to:

FISSEA conferences are relatively small in attendance but the networking opportunities are giant-sized. The computer security professional can discover new ways to improve their security program as the program focuses on awareness, training, and education. For the past few years, LTC Curt Carver and LTC Will Suchan have done an awesome job on the program and have agreed to do it again for 2006. Please check the website for an announcement on next year's date and the Call for Presentations.

The newsletter will have new editors for future issues. Volunteers were asked to take over this role at the March conference and Nanette Poulios, Walsh College; Shon Harris, Logical Security; and Diane Maier, RS Information Systems, came forward. Please continue to submit articles to either peggy.himes@nist.gov or louis.numkin@irs.gov until further instructions are given.

You are encouraged to bookmark the FISSEA website, http://csrc.nist.gov/fissea, and check it often. The website and list serve will be used to announce future workshops. You may find the summaries from past workshops presented by Susan Hansche and Mark Wilson helpful.

Individuals that have contributed greatly to FISSEA's evolvement are Phil Sibert (retired from DOE), Barbara Cuffie (retired from SSA), Louis Numkin (now with IRS), and Mark Wilson (NIST). FISSEA continues to be a great networking opportunity for members and continues its purpose to assist federal agencies in meeting their computer security training responsibilities.

FISSEA Executive Board:
TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to peggy.himes@nist.gov and/or louis.numkin@irs.gov.

***************************************************

MAY 17-19, 2005, Risk Assessment and Management for Security Professionals at the University of Maryland University College in College Park, MD. This is the first of a new series of seminars developed and presented in conjunction with the University of Maryland University College (UMUC) by the U.S. Professional Development Institute (USPDI). The seminar is taught by Prof. Randall Nichols, author of Defending Your Digital Assets and Wireless Security. Prof. Nichols has been nominated for the Stanley J. Drazek Teaching Excellence Award. Content focuses on: identifying and critically assessing issues and concepts related to the protection of information and information systems; using risk management principles to assess threats, vulnerabilities, countermeasures; performing a risk analysis; and creating a management plan for security. The final exercise is completing a theoretical and practical risk assessment and management scenario where students apply what they have learned to dealing with a credible terrorist threat. For more information, visit www.USPDI.org or call Jeff Erlichman at 301-891-1880. To register call 1-866-99USPDI (1-866-988-7734).

***************************************************

MAY 17-19, 2005, AFCEA TechNet International
2005, New DC Convention Center - 801 Mount Vernon Place, NW Washington,
DC 20001, Phone: 800.368.9000, Web Site for info: http://www.technet2005.org/

***************************************************

MAY 25-26, 2005, Government IT Security Summit presented by The Performance Institute at the Performance Institute Conference Center in Arlington, VA. Featuring comprehensive coverage of the latest IT security mandates. Acquire new methodologies to raise your FISMA score. Implement a verifiable stream-lined and cost-efficient C&A process. Evaluate, navigate, and mitigate security risk. Integrate IT security with budget justifications to secure IT funding. Align IT security to the Federal enterprise architecture to achieve mission goals. Acquire the latest updates on NIST and DITSCAP requirements. Register by calling 703-894-0481 or visit http://www.performanceweb.org/itsecurity for complete details. A 50% discount pass for use by FISSEA members has been authorized if you email Louis Numkin at louis.numkin@irs.gov.

***************************************************

JUNE 1-2, 2005, Computer Security Institute
(CSI) course. John O'Leary is presenting a "How to Create and
Sustain a Quality Security Awareness Program" session in Montreal,
Canada. The website which also includes links to other courses, their
FBI study, and their 2005 Training Catalog, is at: http://www.gocsi.com/training/erc/hcsqsap.jhtml

***************************************************

JUNE 7-8, 2005 MISTI Forum. One of local interest is "The Forum on Information Security in Government" on 7-8JUN2005, in Washington, DC. Their general info web site is http://www.misti.com/

***************************************************

JUNE 22-23, 2005, 5th Annual Kansas City Security Symposium. The Kansas City Security Coalition (KCSC), founded in 2000, is an organization run by and for Federal security professionals. KCSC brings together Federal government organizations for the purpose of elevating the general knowledge of the security community on systems security, fraud detection, physical security, and to promote security awareness in member organizations. The 5th Annual Security Symposium will be held at the Hartman Conference Center at Hilton Garden Inn, Independence, MO. Website: http://kcfeb.gsa.gov/kcsc/ For further information, contact Dorothy Reed, Center for Security and Integrity, (816) 936-5559.

***************************************************

JULY 27-28, 2005, Black Hat Briefings USA 2005 at Las Vegas, Caesars Palace. Visit www.blackhat.com for track descriptions, training schedule and complete details. "The Black Hat Briefings was created to fill the need for computer security professionals to better understand the security risks to information infrastructures and computer systems. Black Hat accomplishes this by assembling a group of vendor-neutral security professionals and having them speak candidly about the problems businesses face and the solutions to those problems. No gimmicks- just straight talk by people who make it their business to know the information security space." If you are interested in registering 6 or more persons, please contact ping at blackhat.com. Early Bird Registration rates will close May 15, 2005. Regular Registration rates will close July 1, 2005.
Late Registration rates will close July 22, 2005. Onsite Registration rates will apply July 23-28, 2005.

***************************************************

November 30 - Computer Security Day. Readers can get a free poster by writing to ACSD; PO Box 39110; Wash, DC 20016. Website is http://www.geocities.com/a4csd

***************************************************

DECEMBER 5-9, 2005, Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona, http://www.acsac.org. There are now four weeks left to submit papers in the technical track to ACSAC 2005. Please note the dates below and submit your papers! Important dates: We look forward to receiving your submissions! Christoph Schuba, Pierangela Samarati, Charlie Payne, 2005 ACSAC program chairs, program_chair@acsac.org. ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation. Our postal address is 2906 Covington Road, Silver Spring, MD 20910-1206.

***************************************************

FISSEA member, William Uttenweiler, made the offer: The California Central Coast security groups have released another dozen new free downloadable security awareness/motivation posters as of May 1, 2005. This brings the total to 149 different designs! Point your browser to http://members.impulse.net/~sate/posters.html You are welcome to download the posters and use them in your security awareness/motivation program. However, you may NOT modify them without permission.

***************************************************
Last Modified: May 4, 2005.