From the Executive Board Chair

TIPS ON TRAINING EXECUTIVES

In my experience as an Information Security Program Manager, one of the challenges is to give awareness briefings to executives. When executives are given the right information they generally will provide that information to their staff. Here are some awareness tips that I feel have worked for my organization.

First, get executives to understand that they should MANAGE RISKS. Structure your presentation so that you discuss safeguards versus risks. Discuss the statutory requirements for information security in enough detail that they understand the mandates by Congress, OMB, NIST, Agency policies, and other rulings. Discuss the senior executive's role and responsibility for managing risks by identifying risks, safeguards, liability, vulnerabilities and policy. Give them some basic information on training roles, or audience categories, levels of learning (awareness, training and education), training areas (security awareness, security basics and literacy, roles and responsibilities related to IT systems, and education and experience).If your Agency has customized training tools, this is a good time to demonstrate the tool(s) or point them to a web site, etc.

In general terms discuss system security plans by including an explanation of 1) Identifying systems, 2) Determining sensitivity categories (confidentiality, integrity and availability) that apply to the information and what level of protection may be needed (high-level 3, medium-level 2, or low-level 1).

Briefly identify mandatory controls such as general, (security officer, personnel screening, training) technical, (access controls [e.g. passwords], audit trails), and operational (backups, contingency plans, virus controls, etc.)

Other issues that are excellent to discuss include requirements of general support systems, major applications, software piracy, and computer virus protection.

Have a safe and happy holiday season! Hope to see you at the FISSEA Conference next year (March 13-15, 2001)

Pauline Bowen, FDA
FISSEA Executive Board Chair

Go to top of page

CISSP, Common Body of Knowledge
Review Seminar

Submitted by Philip Sibert (DOE) from Ray Sandwick
CISSP, Common Body of Knowledge Review
Seminar - Tysons Corner, VA -
January 9^th - 12^th and 16^th - 19^th, 2001

TechTrain Institute will again be hosting the (ISC)² CISSP CBK Review Seminar at the TechTrain Education Center in Tyson's Corner, Virginia.

The Seminar is designed to prepare students for the Certified Information Systems Security Professional examination that is next scheduled on Saturday, February 17, 2001. The Seminar topics cover the entire spectrum of the information systems security Common Body of Knowledge that makes up the CISSP program. The topics include:

• Access Control Systems and Methodology
• Cryptography
• Business Continuity & Disaster Recovery Planning
• Security Architecture and Models
• Law, Investigations and Ethics
• Security Management Practices
• Computer Operations Security
• Applications & Systems Development
• Telecommunications & Network Security
• Physical Security

In order to sit for the CISSP Examination, applicants must meet the following requirements:

• Subscribe to the (ISC)² Code of Ethics (which will be provided to all applicants)
• Have three years of work related experience in one or more of the test domains of the information systems security Common Body of Knowledge, listed above.

Typically, the CISSP CBK Review Seminars held in the greater metropolitan Washington, D.C. area are in such demand that a waiting list is the norm. If you are interested in attending / or plan to attend, you must reserve your place soon.

Registration forms must be submitted with payment to TechTrain Institute no later than 21 days prior to the start of class. (Note that registration for this special seminar is only available through TechTrain.) Applicants should call TechTrain Institute at (703) 356-4434 for information regarding this special unadvertised seminar.

TechTrain Institute is an authorized host for (ISC)2-sponsored, CISSP CBK Review Seminars and CISSP certification examinations in the Washington, D.C. Metropolitan area. If you would like to be automatically notified of upcoming seminars and examinations in the D.C. area, e-mail your complete postal address to - kejtemai@ricochet.net

Go to top of page

FISSEA Educator of the Year Award:
Nominations Due by 14Feb01
Submitted by Peggy Himes

Each year the FISSEA recognizes an individual who has made significant contributions in education and training programs for information systems security.

Nominees need not be members of FISSEA, but do need to be nominated by a member. Nominees may be involved in any aspect of information security education or training, including, but not limited to, instructors, security program managers, and practitioners who further education and training programs for information systems security in the federal community. Nominees will be judged by an ad hoc committee appointed by the Chair.

Forward your nominations by Valentine's Day, February 14, 2001. "Educators need love, too." See the FISSEA website for sample nomination letters and a listing of past recipients. Send submissions to:

Peggy Himes
National Institute of Standards and Technology (NIST)
100 Bureau Dr STOP 8930
Gaithersburg, MD. 20899-8930
peggy.himes@nist.gov
phone: 301-975-2489
fax: 301-948-0279

Go to top of page

National Conference on Cyber Ethics Initiates Curriculum Development and Educational Materials
By Dr. Cherie A. Geide
Director, National Cyber Ethics Conference

Recent statistics and cases demonstrate the critical need for cyber ethics education among young people and their adult role models (parents and teachers). The 1999 Roper Reports and Current Population Survey (CPS) states the "71% of households with kids 8-17 now have computers and 67% of those households connect to the Internet [translating to] 48% of U.S. households with kids 8-17 have online connections. However, a recent Scholastic, Inc. poll of "47,235 elementary and middle school students revealed that 48% do not consider hacking a crime" (April 2000). This statistic together with the July 7, 2000 Cyber Atlas quote that "virus and computer hackers will cost businesses around the world more than $1.5 trillion in the year 2000 (according to a study by Information Week Research fielded by PricewaterhouseCoopers)" only magnifies the immediate need for educating young people and adults about ethical use of technology.

In answer to this call, approximately one hundred twenty-five individuals from academia, industry, and government assembled for the first National Conference on Cyber Ethics: Teaching Responsible Use of Technology Friday, October 6 through Sunday, October 8th organized and hosted at Marymount University in Arlington, VA in cooperation with the Cybercitizen Partnership, a joint venture of the Information Technology Association of America (ITAA) and the United States Department of Justice. The attendees came from as far as the United Kingdom, Philippines, California, Oregon, Minnesota, Florida and Vermont, and as close as the Washington, D.C., metropolitan area to discuss ethical issues related to the cyber realm and to commit to follow-on work in cyber ethics curriculum development. Michael Vatis, Director of the National Infrastructure Protection Center, located at the FBI, opened the conference Friday evening and provided the context for discussing the various facets of cyber ethics by citing many examples of recent computer crimes committed by teenagers.

Throughout the weekend, the Conference attendees listened to presentations by nationally recognized experts in government, education, and industry and participated in discussions about cyber ethics concerns and cyber ethics curriculum development. The seven general sessions and the four breakout sessions throughout the conference provided background in cyber issues from the perspectives of national and industry security experts - John Tritak, Jeffrey Hunker, Michael Daniels (Network Solutions/SAIC), John McClurg (Lucent), and others. In addition, presentations by classroom teachers, university professors, psychologists, and other individuals from industry offered a variety of current perspectives on the issue.

During the Sunday afternoon final session, the four track facilitators (for the kindergarten-5, middle/high school, higher education, and parent/community awareness tracks) presented their breakout session summaries and the 3-, 6-, and 12-month follow-on plan goals for their working groups. The four facilitators and a committed, enthusiastic working group for each track will be guided by their goals to develop core materials consisting of a comprehensive K-12 curriculum, higher education instructional materials, and parent/community awareness educational materials.

The most efficient means for teaching good cybercitizenship will be through the development of this comprehensive cyber-ethics curriculum K-16 infused throughout the content areas, and through parent and community cyber ethics awareness educational materials. This "core" program will be distributed throughout the country as a template for educational institutions and community groups (Parent-Teacher Associations, Girl Scouts, Boy Scouts, Kiwanis, and others). The K-16 curriculum will be developed as a spiral - each year building upon the next. For example, Kindergarten students will learn about being good cybercitizens in class discussions about "what it means to be a good member of the community"; high school students will explore the topic of cybercitizenship in discussions about an individual's responsibility within a global society. This "core" program will not be exhaustive. Instead, it will be an easy-to-use guide that can be adjusted to meet local needs. Although portions of the follow-on work will be released during the immediate months, the final curriculum and educational materials are to be unveiled at the 2001 Cyber Ethics Conference in October 2001. Conference proceedings and tapes will be made available within the next 45-60 days.

For complete information about this program and cyber ethics, please go to http://www.marymount.edu and click on National Conference on Cyber Ethics or contact Dr.Cherie Geide (703)526-6829 cherie.geide@marymount.edu . Additional information about the Cybercitizen Partnership can be found at http://www.cybercitizenship.org, http://www.itaa.org, http://cybercitizenpartners.org, and http://www.cybercirme.gov .

Go to top of page

Trainia/Upcoming Conferences

Marie Stella from FAA reported there are some interesting training guidelines at the following site for the Canadian Communications Security Establishment: http://www.cse.dnd.ca/cse/english/manu2.html

11-13DEC2000 - Defending Cyberspace 2000, Washington, DC, Renaissance Hotel. Sponsors: the General Services Administration, the Federal CIO Council, and the Smart Card Industry Association (SCIA). This year's theme: "Strategic Planning and Partnerships for Trusted e-Business". Website: http://www.ctst.com/events/dcs2000/attendee.htm

23-25JAN2001 is WEST 2001 at the SanDiego Convention Center - sponsored by AFCEA & US Naval Institute - entitled "Winning the Wars of the 21st Century" - for a free Exhibit Hall Pass or more info, check out www.west2001.org

7FEB2001 - Pitching Information Technology Security to Federal Executives, NIST. This course will describe the five key parts to selling security to management: selling basics, requirements, customer, resources, and timing. http://www.nist.gov/public_affairs/confpage/conffutr.htm To register contact teresa.vicente@nist.gov.

25FEB-1MAR2001 - MIS Training Institute InfoSec World 2001 in Orlando. Numerous other conferences and seminars may be found at http://www.misti.com/ .

5-6MAR2001 - Symposium on Requirements Engineering for Information Security, CERIAS, Purdue University. Contact Annie or Spaf: sreis-inf@cerias.purdue.edu

13-15MAR2001-the FISSEA 2001 Annual Conference. This year's theme is "From Y2K To T E A (Training, Education, Awareness) with FISSEA" and it will be held at the Gaithersburg Hilton Hotel in Gaithersburg, MD.

22-24MAY2001 - 5th Annual National Colloquium for Information Systems Security Education, George Mason University, Fairfax, VA. Forum to define current and emerging requirements for information security education. http://www.ncisse.org/conference2001

18-19JUL2001 - Second International Common Criteria Conference, Brighton, England. Hosted by the Communications-Electronics Security Group (CESG) at the Metropole Hotel and Conference Centre. john.doody@cesg.gov.uk More information will be available through the NIAP website niap.nist.gov.

29-31OCT2001 - 24th National Information Systems Security Conference, Baltimore, MD. Call for Papers submission due date 2FEB2001. http://csrc.nist.rip/nissc/call.htm For additional information, send an email to NissConference@dockmaster2.ncsc.mil or call 301-975-2775.

Go to top of page

Go to top of page

Conference Flyer Contents:

14th Annual Federal Information Systems Security
Educators' Association (FISSEA) Conference
March 13-15, 2001

Gaithersburg Hilton Hotel
Gaithersburg, Maryland

Go to top of page